Privacy Policy

Effective: June 27, 2026 · Version 1.2 · Data Controller: Klause AI

"Your contract text is never stored. We never train AI on your data. We never sell your information. This is the foundation of Klause AI."

1. Who We Are

Klause AI ("we", "us", "our") operates klauseai.com and the AI-powered legal document analysis platform accessible from it (the "Service").

For GDPR / UK GDPR purposes, Klause AI is the data controller.
For CCPA/CPRA purposes, Klause AI is the business.
For Brazil LGPD purposes, Klause AI is the controlador.

General enquiries: hello@klauseai.com
Privacy / GDPR: privacy@klauseai.com
Data Protection Officer: dpo@klauseai.com

2. What Data We Collect

2.1 Anonymous users (no account)

  • Contract text: Transmitted to our AI provider and immediately discarded. Never written to any database or log.
  • IP address (hashed): Used solely for rate limiting (3 free analyses/day). Auto-purged after 24 hours.
  • Anonymized analytics: Page URL, referrer, country-level geolocation only. No personal data. No cross-site tracking.

2.2 Registered account holders

Data                      | Purpose                             | Legal basis (GDPR)               | Retention
--------------------------|-------------------------------------|----------------------------------|-----------------------
Email address             | Authentication, product emails      | Contract Art. 6(1)(b)            | Until account deletion
Password hash (encrypted) | Authentication                      | Contract Art. 6(1)(b)            | Until account deletion
Subscription status       | Feature gating (Free/Pro/Business)  | Contract Art. 6(1)(b)            | Until account deletion
Stripe customer ID        | Payment linkage                     | Contract Art. 6(1)(b)            | 7 years (tax law)
Analysis history (Pro)    | Dashboard — view past analyses      | Legitimate interest Art. 6(1)(f) | Until deleted by user
Marketing consent flag    | Product update emails               | Consent Art. 6(1)(a)             | Until withdrawn

2.3 What we do NOT collect

  • Payment card numbers (handled entirely by Stripe — we never see them)
  • Your contract text for storage, training, or any purpose beyond immediate analysis
  • Biometric data, health data, or GDPR special-category data
  • Location data beyond country-level
  • Data from children under 16 (see Section 11)

3. How Contract Analysis Works — Technical Disclosure

When you submit a document, the following data flow occurs:

  1. Your document is transmitted via encrypted HTTPS (TLS 1.3) to Klause AI servers hosted on Vercel.
  2. The text is forwarded via encrypted API to OpenRouter, which routes it to an underlying AI model (e.g. Meta Llama, NVIDIA, or OpenAI-compatible models).
  3. The AI returns an analysis result to Klause AI's server.
  4. The analysis is returned to your browser.
  5. The document text is not retained by Klause AI after Step 4. It is not written to any database or storage system.

Important: On free-tier AI models, some underlying providers may use API inputs to improve their models — this is standard practice for free-tier AI. Pro tier uses commercial models under strict data-processing agreements that prohibit training on your data.

Uploaded files (Pro): PDF and DOCX files are stored temporarily on Vercel Blob storage (encrypted at rest) and automatically deleted within 24 hours.

4. Third-Party Services

Service          | Purpose                                    | Data shared
-----------------|--------------------------------------------|------------------------------------------------------------------
Vercel           | Hosting, serverless functions, file storage | All web traffic; uploaded files (temporary)
Supabase         | Database and authentication                | Email, subscription status
Stripe           | Payment processing                         | Email, payment amount, billing country. Card data never reaches us.
OpenRouter       | AI model routing and inference             | Document text (for analysis only — see Section 3)
Upstash Redis    | Rate limiting                              | Hashed IP address; usage counter only
Resend           | Transactional email                        | Email address only
Vercel Analytics | Anonymized page metrics                    | Page URL, country. No personal data. No cross-site tracking.

We do not sell your data. We do not share it for advertising. All processors are bound by Data Processing Agreements (DPAs) under GDPR Article 28 where required.

5. Legal Basis for Processing (GDPR / UK GDPR)

  • Contract (Art. 6(1)(b)): Processing email, subscription status, and payment records to provide the Service.
  • Legitimate interests (Art. 6(1)(f)): Rate limiting, fraud prevention, security logging, anonymized analytics. LIAs conducted and documented.
  • Consent (Art. 6(1)(a)): Marketing emails. Withdraw consent at any time via unsubscribe link or by emailing privacy@klauseai.com.
  • Legal obligation (Art. 6(1)(c)): Financial records retained 7 years as required by applicable tax law.

6. International Data Transfers

Personal data of EEA/UK residents may be transferred to the US when processed by Vercel, Supabase, Stripe, or OpenRouter. Transfers are safeguarded by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c)
  • UK International Data Transfer Agreements (IDTAs) for UK GDPR
  • EU-US Data Privacy Framework adequacy decisions where applicable

For questions about data residency options for enterprise customers, contact privacy@klauseai.com.

7. Data Retention

Data type                    | Retention period                          | Reason
-----------------------------|-------------------------------------------|--------------------------
Contract / document text     | Zero — never stored                       | Privacy by design
Uploaded files (Pro)         | 24 hours maximum                          | Vercel Blob auto-deletion
Hashed IP / usage counter    | 24 hours                                  | Rate limiting only
Account data (email, status) | Until account deletion + 30 days          | Operational necessity
Analysis history (Pro)       | Until deleted by user or account closure  | Service feature
Financial / payment records  | 7 years                                   | Legal / tax obligation
Marketing consent records    | Until withdrawn + 6 months                | Compliance evidence
Support correspondence       | 3 years                                   | Dispute resolution

8. Your Rights

To exercise any right, email privacy@klauseai.com. We respond within 30 days (GDPR/UK GDPR) or 45 days (CCPA).

  • Right to access: Request a copy of all personal data we hold about you (Subject Access Request).
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to portability: Receive your data in a structured, machine-readable format (JSON/CSV).
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Right to restrict: Limit how we use your data while a dispute is resolved.
  • Withdraw consent: Withdraw marketing or analytics consent at any time without affecting prior lawful processing.
  • Right to complain: Lodge a complaint with your national supervisory authority (ICO, CNIL, BfDI, etc.).

9. Jurisdiction-Specific Disclosures

🇺🇸 California (CCPA / CPRA)

California residents have rights to: know what data is collected, delete personal information, opt-out of sale (we do not sell data), correct inaccurate information, and limit use of sensitive personal information. We do not discriminate for exercising CCPA rights. Submit requests to privacy@klauseai.com.

Categories collected: Identifiers (email); Internet activity (page views, usage count); Commercial information (subscription, payment records). No sensitive personal information per CPRA §1798.121.

🇬🇧 United Kingdom (UK GDPR + DPA 2018)

UK residents' rights are as described in Section 8. Complaints to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.

🇧🇷 Brazil (LGPD — Law 13,709/2018)

Brazilian users have rights to: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, information about sharing, and review of automated decisions. Our LGPD officer: dpo@klauseai.com. Complaints to the ANPD.

🇦🇪 UAE (Federal Decree-Law No. 45 of 2021)

UAE users have the right to access, correct, and delete personal data. Requests to privacy@klauseai.com.

🇦🇺 Australia (Privacy Act 1988 — APPs)

We comply with Australian Privacy Principles 1, 3, 6, 11, and 12. Complaints to the OAIC at oaic.gov.au.

🇨🇦 Canada (PIPEDA)

We collect, use, and disclose personal information only with your knowledge and consent. Access and correction requests to privacy@klauseai.com. Complaints to the Office of the Privacy Commissioner of Canada.

🇩🇪 Germany (BDSG + DSGVO)

German users benefit from GDPR and BDSG protections. EU representative for GDPR: dpo@klauseai.com. Complaints to your state Datenschutzbehörde.

10. Cookies

We use only strictly necessary cookies (Supabase auth session, CSRF token) and one functional cookie (jurisdiction preference). Our anonymized analytics (Vercel Analytics) uses no personal data and requires no consent. We use no advertising cookies or cross-site tracking.

Full details: Cookie Policy

11. Children's Privacy

Klause AI is not directed to children. We do not knowingly collect data from anyone under 16 (EU), 13 (US/UK), or 18 (UAE). If you believe a child has provided data, contact privacy@klauseai.com immediately for prompt deletion.

12. Changes to This Policy

Material changes will be communicated by email to registered users at least 14 days before taking effect, and by a notice on klauseai.com for 30 days. Continued use after changes constitutes acceptance.

13. Contact

Data Controller: Klause AI
General: hello@klauseai.com
Privacy / GDPR requests: privacy@klauseai.com
Data Protection Officer: dpo@klauseai.com
Response time: 5 business days (target) · 30 days (statutory maximum)

Supervisory authorities: ICO (UK) · Your national DPA (EU) · FTC (US) · OAIC (Australia) · OPC (Canada) · ANPD (Brazil)