Privacy Policy

This Privacy Policy ("Policy") describes how ContractForge ("we", "us", "our", or "the Platform") collects, uses, stores, shares, and protects the personal data of individuals ("you", "your", or "Data Principal") who access or use the ContractForge platform available at contractforge-ai-contract-and-a3425a.vercel.app. This Policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and all other applicable Indian laws and regulations governing the processing of personal data.

By accessing or using ContractForge, you acknowledge that you have read, understood, and agree to the terms of this Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform immediately.

1. Data Controller

ContractForge is the Data Fiduciary (as defined under Section 2(i) of the Digital Personal Data Protection Act, 2023) responsible for determining the purposes and means of processing your personal data.

All questions, requests, complaints, or communications relating to the processing of your personal data should be directed to the above contact address. We are committed to responding to all privacy-related communications in a timely and transparent manner in accordance with our obligations under applicable Indian law.

2. Personal Data Collected

ContractForge collects the following categories of personal data from you, either directly at the time of registration or use, or automatically through your interaction with the Platform. Each category is listed below along with the specific purpose for which it is collected.

2.1 Full Name

2.2 Email Address

2.3 Permanent Account Number (PAN)

2.4 Goods and Services Tax Identification Number (GSTIN)

2.5 Project Scope

2.6 Payment Information

2.7 Contract History

2.8 Internet Protocol (IP) Address

3. Legal Basis Under the DPDP Act, 2023

ContractForge processes your personal data on the following legal bases as recognised under the Digital Personal Data Protection Act, 2023:

3.1 Consent

Pursuant to Section 6 of the DPDP Act, 2023, we process your personal data on the basis of your free, specific, informed, unconditional, and unambiguous consent, which you provide at the time of account registration by affirmatively accepting this Privacy Policy and our Terms of Service. You have the right to withdraw your consent at any time by contacting us at [privacy@contractforge.in](mailto:privacy@contractforge.in). Withdrawal of consent will not affect the lawfulness of processing carried out prior to such withdrawal. However, withdrawal of consent for processing that is essential to the delivery of our services may result in the termination of your access to the Platform.

3.2 Legitimate Uses

Pursuant to Section 7 of the DPDP Act, 2023, we also process certain personal data on the basis of legitimate uses, including:

• Section 7(a): Processing necessary for the performance of a contract to which you are a party, specifically the delivery of ContractForge's subscription-based services as described in our Terms of Service.
• Section 7(b): Processing necessary for compliance with any law currently in force in India, including tax laws, anti-money laundering regulations, and cybersecurity obligations.
• Section 7(f): Processing necessary for the purposes of the legitimate interests pursued by ContractForge, including fraud prevention, platform security, and the improvement of our AI-assisted contract drafting capabilities, provided that such interests are not overridden by your fundamental rights and freedoms as a Data Principal.

4. Purpose of Processing

ContractForge processes your personal data exclusively for the following purposes:

4.1 Service Delivery

We process your name, email address, project scope, and contract history to provide you with the core functionality of the ContractForge Platform, including AI-assisted contract generation, document storage, template customisation, and document export. Without processing this data, we cannot deliver the services you have subscribed to.

4.2 Billing and Payment Processing

We process your name, email address, PAN, GSTIN, and payment information to manage your subscription, process payments, issue GST-compliant invoices, handle refunds, and maintain financial records as required under the CGST Act, 2017, the Income Tax Act, 1961, and other applicable Indian fiscal legislation.

4.3 Customer Support

We process your name, email address, contract history, and IP address to respond to your support queries, investigate complaints, diagnose technical issues, and provide assistance in relation to your use of the Platform. This processing is necessary to fulfil our contractual obligations to you and to maintain the quality of our services.

4.4 Legal Compliance

We process your personal data to the extent necessary to comply with applicable Indian laws and regulations, including but not limited to the IT Act, the DPDP Act, the CGST Act, the Income Tax Act, and any orders or directions issued by competent courts or regulatory authorities. We may also process and disclose your personal data in response to lawful requests from law enforcement agencies or government authorities.

4.5 Security and Fraud Prevention

We process your IP address and account activity data to monitor for suspicious activity, prevent unauthorised access, detect and investigate potential fraud or abuse, and maintain the security and integrity of the Platform in accordance with our obligations under Section 43A of the IT Act, 2000 and the SPDI Rules.

4.6 Platform Improvement

We may process anonymised and aggregated data derived from your use of the Platform, including project scope metadata and usage patterns, to improve the accuracy and quality of our AI-assisted contract drafting features. This processing does not involve the use of personally identifiable information and is conducted in a manner that does not allow re-identification of individual users.

5. Third-Party Data Processors

ContractForge engages the following third-party Data Processors (as defined under Section 2(k) of the DPDP Act, 2023) to assist in delivering the Platform's services. Each processor has been engaged under a written data processing agreement that obligates them to process your personal data only on our documented instructions, to implement appropriate technical and organisational security measures, and to comply with applicable data protection laws.

5.1 Supabase

5.2 Lemon Squeezy

5.3 Resend

5.4 Vercel

5.5 Render

5.6 Anthropic

6. Data Retention

ContractForge retains your personal data only for as long as is necessary to fulfil the purposes for which it was collected, as described in this Policy, and to comply with our legal, regulatory, and contractual obligations.

6.1 Active Account Data

While your ContractForge account remains active, we retain all personal data associated with your account, including your name, email address, PAN, GSTIN, project scope, payment information, contract history, and IP address logs, for the duration of your subscription and continued use of the Platform.

6.2 Post-Account Closure Retention

Following the closure or termination of your ContractForge account, whether initiated by you or by us, we will retain your personal data for a period of three (3) years from the date of account closure. This retention period is necessary to comply with our obligations under the Income Tax Act, 1961, the CGST Act, 2017, and other applicable Indian laws that require the maintenance of financial and business records for specified minimum periods, and to enable us to respond to any legal claims, disputes, or regulatory inquiries that may arise after account closure.

6.3 Secure Deletion

Upon the expiry of the three-year post-closure retention period, all personal data associated with your account will be securely and permanently deleted from all ContractForge systems and databases, including all backup systems, in a manner that renders the data irrecoverable. We will also instruct our third-party Data Processors to delete or anonymise your personal data in accordance with their respective data retention obligations under their agreements with us.

6.4 Anonymised Data

Notwithstanding the above, ContractForge may retain anonymised and aggregated data derived from your use of the Platform indefinitely, provided that such data cannot be used to identify you individually and does not constitute personal data as defined under the DPDP Act, 2023.

7. Data Subject Rights

As a Data Principal under the Digital Personal Data Protection Act, 2023, and as a data subject under the Information Technology Act, 2000 and the SPDI Rules, you have the following rights with respect to your personal data processed by ContractForge. To exercise any of these rights, please submit a written request to [privacy@contractforge.in](mailto:privacy@contractforge.in).

7.1 Right to Access

Pursuant to Section 11 of the DPDP Act, 2023, you have the right to obtain from us a summary of the personal data we hold about you, the processing activities being carried out with respect to your personal data, and the identities of all Data Processors and other entities to whom your personal data has been disclosed.

7.2 Right to Correction and Completion

Pursuant to Section 12 of the DPDP Act, 2023, you have the right to request that we correct any inaccurate or misleading personal data we hold about you, and to complete any incomplete personal data, without unreasonable delay. We will action verified correction requests within a reasonable timeframe and will notify relevant Data Processors of any corrections made.

7.3 Right to Erasure

Pursuant to Section 12(3) of the DPDP Act, 2023, you have the right to request the erasure of your personal data where the data is no longer necessary for the purpose for which it was collected, or where you have withdrawn your consent and there is no other legal basis for processing. Please note that we may be required to retain certain data for the minimum periods prescribed by applicable Indian law, including tax and financial record-keeping laws, notwithstanding an erasure request.

7.4 Right to Data Portability

You have the right to receive a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another service provider where technically feasible. Portability requests will be fulfilled within a reasonable timeframe and at no charge to you.

7.5 Right to Withdraw Consent

You have the right to withdraw your consent to the processing of your personal data at any time by contacting us at [privacy@contractforge.in](mailto:privacy@contractforge.in). Withdrawal of consent will not affect the lawfulness of any processing carried out prior to the withdrawal. Where consent withdrawal affects our ability to deliver core services, we will notify you of the consequences before processing your withdrawal request.

7.6 Right to Nominate

Pursuant to Section 14 of the DPDP Act, 2023, you have the right to nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. To register a nominee, please contact us at [privacy@contractforge.in](mailto:privacy@contractforge.in).

7.7 Right to Grievance Redressal

You have the right to have your grievances relating to the processing of your personal data addressed by our Grievance Officer in accordance with the procedures described in Section 14 of this Policy.

8. No Sale of Personal Data

ContractForge does not sell, rent, lease, trade, or otherwise transfer your personal data to any third party for monetary or other valuable consideration. Your personal data is shared with third-party Data Processors solely to the extent necessary to deliver the services described in this Policy, and all such sharing is governed by written data processing agreements that prohibit the processors from using your data for their own commercial purposes.

We will never sell your name, email address, PAN, GSTIN, payment information, contract history, project scope, or IP address to advertisers, data brokers, marketing companies, or any other third party. This commitment applies regardless of whether you are a free trial user, a paid subscriber, or a former user of the Platform.

In the event that ContractForge undergoes a merger, acquisition, restructuring, or sale of all or substantially all of its assets, your personal data may be transferred to the acquiring entity as part of that transaction. In such an event, we will notify you via email to [privacy@contractforge.in](mailto:privacy@contractforge.in) prior to the transfer and will ensure that the acquiring entity is bound by privacy obligations no less protective than those set out in this Policy.

9. Security Measures

ContractForge implements comprehensive technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, destruction, or loss. These measures are implemented in accordance with Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

9.1 Encryption at Rest

All personal data stored in ContractForge's databases and storage systems, including data stored with our processor Supabase, is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit key length) encryption. This ensures that even in the event of unauthorised physical or logical access to storage media, your personal data cannot be read without the appropriate decryption keys.

9.2 Encryption in Transit

All personal data transmitted between your browser or device and the ContractForge Platform, and between ContractForge's internal systems and third-party processors, is encrypted in transit using TLS 1.3 (Transport Layer Security version 1.3). We do not support older, less secure versions of TLS or SSL for any data transmissions involving personal data.

9.3 Access Controls

Access to personal data within ContractForge's systems is restricted on a strict need-to-know basis. We implement role-based access controls ("RBAC") to ensure that only authorised personnel with a legitimate operational need can access personal data. All internal access to personal data is logged and audited. Administrative access to production databases and systems requires multi-factor authentication ("MFA").

9.4 Vulnerability Management

ContractForge conducts periodic security assessments and vulnerability scans of its Platform and infrastructure. We maintain a responsible disclosure programme and promptly remediate identified security vulnerabilities in accordance with industry best practices.

9.5 Incident Response

In the event of a personal data breach, ContractForge will take immediate steps to contain and remediate the breach, assess the risk to affected Data Principals, and notify affected users and relevant authorities in accordance with the requirements of the DPDP Act, 2023, and the IT Act, 2000. Notifications will be sent to affected users at their registered email addresses without undue delay.

9.6 Processor Security

We require all third-party Data Processors engaged by ContractForge to implement security measures that are at least equivalent to those described in this section, and to notify us promptly in the event of any security incident affecting personal data processed on our behalf.

10. Cookies and Tracking

ContractForge uses cookies and similar tracking technologies on the Platform to enhance your user experience, maintain session security, and analyse Platform usage. This section describes the types of cookies we use and your options for managing them.

10.1 Strictly Necessary Cookies

These cookies are essential for the operation of the Platform and cannot be disabled without affecting core functionality. They include session authentication cookies that keep you logged in during your visit, CSRF (Cross-Site Request Forgery) protection tokens, and load balancing cookies. These cookies do not collect personal data for marketing purposes and are set solely on the basis of our legitimate interest in maintaining Platform security and functionality.

10.2 Functional Cookies

These cookies remember your preferences and settings, such as your preferred language, display settings, and recently accessed contract templates, to provide you with a more personalised experience. These cookies are set on the basis of your consent.

10.3 Analytics Cookies

ContractForge may use anonymised, aggregated analytics cookies to understand how users interact with the Platform, which features are most frequently used, and where users encounter difficulties. These analytics are used solely to improve the Platform and do not involve the processing of personally identifiable information. These cookies are set on the basis of your consent.

10.4 No Third-Party Advertising Cookies

ContractForge does not use third-party advertising cookies, tracking pixels, or behavioural advertising technologies. We do not share your browsing data with advertising networks or data brokers.

10.5 Cookie Management and Opt-Out

You may manage your cookie preferences at any time through the cookie consent banner displayed when you first access the Platform, or through your browser's built-in cookie management settings. Most modern browsers allow you to block or delete cookies through their settings menus. Please note that disabling strictly necessary cookies may impair your ability to use certain features of the Platform, including account login. To opt out of analytics cookies specifically, you may also use browser-based opt-out tools such as the Google Analytics Opt-out Browser Add-on where applicable.

11. Cross-Border Transfers

ContractForge is an India-based platform and stores the majority of your personal data on servers located within India. However, certain third-party Data Processors engaged by ContractForge, including Supabase, Lemon Squeezy, Resend, Vercel, Render, and Anthropic, may process your personal data on servers located outside the territory of India.

11.1 Governing Framework

All cross-border transfers of personal data by ContractForge and its Data Processors are governed by the Digital Personal Data Protection Act, 2023, and in particular the provisions relating to the transfer of personal data outside India as notified by the Central Government from time to time under Section 16 of the DPDP Act, 2023. ContractForge will not transfer your personal data to any country that has been specifically restricted by the Central Government under the DPDP Act.

11.2 Contractual Safeguards

Prior to transferring your personal data to any processor located outside India, ContractForge enters into written data processing agreements with such processors that incorporate appropriate contractual safeguards, including obligations to process your data only on our instructions, to implement security measures equivalent to those required under Indian law, and to cooperate with us in facilitating the exercise of your data rights.

11.3 Processor Locations

As of the effective date of this Policy, the following processors may process your data outside India: Anthropic (United States), Lemon Squeezy (United States), Resend (United States), Vercel (United States and global CDN nodes), and Render (United States). Supabase offers data residency options and ContractForge configures its Supabase instance to store data in a region consistent with applicable legal requirements.

12. Children's Privacy

The ContractForge Platform is designed and intended exclusively for use by adults who are at least 18 years of age and who are entering into legally binding contracts in a professional or business capacity. The Platform is not directed at, and is not intended for use by, individuals under the age of 18 years.

ContractForge does not knowingly collect, process, or store personal data from individuals under the age of 18. If you are under 18 years of age, you must not register for an account or use the Platform.

If we become aware that we have inadvertently collected personal data from an individual under the age of 18, we will take immediate steps to delete such data from our systems without undue delay and to terminate the associated account. If you are a parent or guardian and believe that your child under the age of 18 has provided personal data to ContractForge, please contact us immediately at [privacy@contractforge.in](mailto:privacy@contractforge.in) and we will promptly investigate and remediate the matter.

13. Policy Updates

ContractForge reserves the right to update, amend, or modify this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or improvements to the Platform. We are committed to keeping you informed of any material changes to this Policy.

13.1 Notification of Material Changes

In the event of any material change to this Policy — including changes to the categories of personal data collected, the purposes of processing, the third-party processors engaged, or your rights as a Data Principal — ContractForge will notify you by sending an email to the email address registered with your ContractForge account at least 30 (thirty) days before the material changes take effect. The notification email will be sent from [privacy@contractforge.in](mailto:privacy@contractforge.in) and will clearly describe the nature of the changes and their implications for you.

13.2 Continued Use

Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you must discontinue use of the Platform and may request the deletion of your account and personal data by contacting us at [privacy@contractforge.in](mailto:privacy@contractforge.in) before the changes take effect.

13.3 Version History

The effective date and last updated date at the top of this Policy will be updated each time the Policy is revised. We recommend that you review this Policy periodically to stay informed of how we are protecting your personal data.

14. Grievance Officer

In accordance with Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the grievance redressal provisions of the Digital Personal Data Protection Act, 2023, ContractForge has designated a Grievance Officer to address complaints and concerns relating to the processing of personal data on the Platform.

14.1 Contact Details of Grievance Officer

14.2 How to Submit a Grievance

If you have any complaint, concern, or grievance relating to the collection, storage, processing, use, disclosure, or deletion of your personal data by ContractForge, or if you believe that your rights as a Data Principal have been violated, you may submit a written grievance to the Grievance Officer at [privacy@contractforge.in](mailto:privacy@contractforge.in). Your grievance should include your full name, registered email address, a clear description of the nature of your complaint, and any supporting documentation you consider relevant.

14.3 Acknowledgement and Resolution Timeline

Upon receipt of your grievance, the Grievance Officer will:

• Acknowledge your grievance in writing within 48 (forty-eight) hours of receipt; and
• Resolve your grievance and communicate the outcome to you within 30 (thirty) days of the date of receipt of the grievance.

If the Grievance Officer requires additional information from you to investigate and resolve your grievance, the 30-day resolution period will be calculated from the date on which all required information has been received.

14.4 Escalation

If you are not satisfied with the resolution provided by the Grievance Officer, you may escalate your complaint to the Data Protection Board of India once constituted under Section 18 of the Digital Personal Data Protection Act, 2023, or to any other competent authority as provided under applicable Indian law.