Privacy Policy
ContractShield protects your data with industry-leading security practices and transparent controls.
Effective date: March 1, 2024 • Last updated: March 16, 2026
1. Information we collect
Account information including name, email, phone number, and role.
Payment and billing data processed through Stripe (we do not store full credit card numbers).
Project data such as documents, photos, schedules, and communication logs shared through ContractShield.
Usage analytics that help us improve performance, diagnose issues, and plan capacity (collected via Mixpanel).
Integrations data from third-party services you connect (e.g., Google Calendar, QuickBooks, Procore, Slack).
AI interaction data—prompts and responses generated when you use AI-powered features (pricebook advisor, smart notifications, quote suggestions). This data is sent to OpenAI for processing and is not used to train their models.
Bot-detection signals collected by Cloudflare Turnstile during registration to prevent abuse.
2. How we use your data
Provide, maintain, and improve the ContractShield platform.
Facilitate collaboration between contractors, clients, and subcontractors.
Deliver insights, AI-powered recommendations, and predictive analytics.
Communicate about updates, support tickets, and security notifications.
3. Data sharing & disclosure
We do not sell your personal data.
Data is shared with trusted subprocessors who provide infrastructure, analytics, or customer support—listed below and in our Trust Center.
Our current subprocessors include: Supabase (database & storage), Vercel (hosting & edge delivery), Stripe (payments), OpenAI (AI features), Resend (transactional email), Mixpanel (analytics), Google (maps, calendar, authentication), and Cloudflare (bot protection).
We may disclose information if required by law or to protect the safety and rights of users.
Aggregated or anonymized data may be used for benchmarking and product development.
4. Security & compliance
SOC 2 Type I audit underway with controls monitored by our security team; Type II roadmap published in the Trust Center.
All data encrypted in transit (TLS 1.3) and at rest (AES-256). OAuth tokens are encrypted with dedicated application-level encryption keys.
Role-based access, multi-factor authentication, and SSO (SAML/SCIM) support.
Regional data hosting options to support residency requirements.
CSRF protection, rate limiting, and Cloudflare Turnstile CAPTCHA on registration to prevent automated abuse.
5. Your choices
Request access, correction, or deletion of your personal data by emailing legal@contractshield.io.
Manage marketing preferences via the unsubscribe link in emails.
Disable or revoke third-party integrations at any time from workspace settings.
Data residency & retention
Choose US or EU data centers. Customer data is retained for 90 days after contract termination unless otherwise requested.
- Daily encrypted backups with 35-day retention
- Optional customer-managed encryption keys
- Disaster recovery objectives: RPO < 5 minutes, RTO < 30 minutes
Contact our privacy team
Reach out with privacy questions or data requests. We respond within two business days.
Email: legal@contractshield.io
Mail: ContractShield Privacy, 1200 Blake St, Suite 800, Denver, CO 80202
Regulatory commitments
ContractShield complies with GDPR, CCPA, and PCI DSS for payment processing. HIPAA Business Associate agreements are available upon request for qualifying customers.
Explore the full Trust Center
Transparency across security, privacy, and accessibility keeps your crews and clients confident from day one.
Security program
Dive into encryption standards, incident response playbooks, and our SOC 2 roadmap.
Accessibility standards
See how we ship WCAG-aligned experiences and partner with crews who rely on assistive tech.
GDPR commitments
Review data subject workflows, retention policies, and subprocessors covered in our DPA.
We take your trust seriously
Review our full Trust Center for security whitepapers, compliance reports, and subprocessor lists.