Privacy Policy

Effective date: March 13, 2026  ·  Last updated: March 13, 2026

1. Who We Are

IdaMil LLC ("IdaMil," "we," "us," or "our") is an AI-assisted contract analysis platform designed for attorneys and law firms. This Privacy Policy describes how we collect, use, store, and disclose personal information when you use our website (idamil.com) and web application (together, the "Service").

IdaMil LLC is the data controller for your account and personal information. For contract documents you upload, IdaMil LLC acts as a data processor on your behalf.

2. What We Collect

Account information

When you register, we collect your name, email address, and hashed password (we never store your password in plain text). If you upgrade, we also collect your billing information through our payment processor (Stripe — see Section 5). We do not store full credit card numbers.

Usage data

We log which tools you use (Review, Draft, Redline, etc.), timestamps, and counts to enforce plan limits and generate your usage dashboard. We do not log the content of your AI queries or results in our audit log — only the action type, associated contract name (if saved), and timestamp.

Contract library metadata

When you explicitly save a contract to your library, we store the contract name, type, status, matter assignment, expiry date (if entered), and the full contract text. This data is associated with your account and stored in our secure database. You control this data — you can rename, delete, or export it at any time.

Technical data

Standard server logs including IP address, browser type, and request timestamps. These are used for security monitoring, rate limiting, and debugging. Logs are retained for 30 days.

Communications

If you contact support, we retain that correspondence. We send transactional emails (account verification, password reset, billing receipts) and, with your implicit consent at signup, product and trial lifecycle emails. You can opt out of non-transactional emails at any time.

3. How We Use Your Data

• To provide the Service: Run AI analysis on your documents, maintain your contract library, enforce plan limits, and authenticate your account.
• To process payments: Pass billing information to Stripe to handle subscriptions and receipts.
• To send transactional communications: Account verification, password resets, billing receipts, trial lifecycle reminders, and important service notices.
• To improve reliability: Error monitoring via Sentry (anonymized stack traces only — no document content reaches Sentry).
• To enforce our Terms of Service: Detect abuse, enforce rate limits, and investigate security incidents.
• Legal compliance: To respond to lawful requests from courts or government authorities.

We do not use your data for advertising, profiling, or behavioral targeting. We do not sell your data. We do not share your data with data brokers.

4. Your Documents — Special Rules

Uploaded documents (not saved)

When you upload a file or paste text into a tool (Review, Redline, Extract, etc.) and do not save it to your library, the document text is:

1. Transmitted over TLS to our server
2. Passed to Anthropic's Claude API for analysis (see Section 5)
3. Discarded from our server memory after the response is returned

We do not write unsaved document text to disk, log it, or retain it in any database. The analysis result is returned to your browser and displayed — it is not stored server-side unless you explicitly export or save it.

Documents saved to your library

When you save a contract to your library, the full text is stored in your account database, encrypted at rest with AES-256. You own this data. You can delete individual contracts at any time from the library, or request full account deletion (see Section 8).

AI model and your documents

Contractus uses Anthropic's Claude API to process documents. Anthropic's enterprise API terms explicitly prohibit using customer-submitted data to train their AI models. Your documents do not train Claude or any other AI model. For more information, see Anthropic's Privacy Policy.

Attorney-client privilege considerations

Contractus is designed as an attorney work-product tool. We do not assert any interest in documents you submit. We strongly recommend that attorneys review their state bar's guidance on cloud-based legal tools and AI before use, and ensure their engagement letters address the use of AI-assisted tools where appropriate. See our Ethics Resources page for state bar guidance links.

5. Data Sharing and Sub-Processors

We share data with the following sub-processors to operate the Service. All sub-processors are bound by data processing agreements:

Sub-Processor	Purpose	Data Shared
Anthropic	AI analysis (Claude API)	Document text sent for analysis only; not retained by Anthropic
Stripe	Payment processing	Billing info, email, subscription status
Resend	Transactional email delivery	Name, email address, email content
Sentry	Error monitoring	Anonymized stack traces; no document content
Dropbox Sign	E-signature (when you initiate signing)	Document, signer email, your name; governed by Dropbox Sign's privacy policy
Cloud storage providers (Google Drive, Dropbox, OneDrive, Box, Clio)	Document import (when you connect and use these)	OAuth tokens stored per your account; document content retrieved on demand only

We do not share your data with any other third parties except as required by law.

6. Data Retention

• Account data: Retained while your account is active and for 90 days after deletion, then permanently deleted.
• Contract library: Retained until you delete individual contracts or request account deletion.
• Unsaved document uploads: Not retained — discarded immediately after analysis.
• Audit logs (action type, timestamp): Retained for 2 years for security and billing dispute purposes.
• Server logs (IP, request data): 30 days.
• Billing records: 7 years as required by financial regulations.
• Support correspondence: 3 years.

7. Security

We implement security measures proportionate to the sensitivity of attorney work-product data:

• Encryption in transit: All connections use TLS 1.3.
• Encryption at rest: Database encrypted with AES-256.
• Authentication: Passwords hashed with bcrypt (cost factor 12). JSON Web Tokens with configurable expiry.
• Rate limiting: All endpoints are rate-limited to prevent brute-force attacks.
• Security headers: Helmet.js enforces Content Security Policy, HSTS, X-Frame-Options, and other protections.
• Audit logging: All AI analyses and library actions are logged with user ID and timestamp.

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly through our contact form.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your account and all associated data. You can initiate this from Account → Delete Account within the app, or by contacting us. Account deletion is processed within 30 days. Billing records required by law are retained for 7 years as noted above.
• Data portability: Export your contract library as a ZIP archive from Account → Export My Data.
• Objection: Object to certain processing activities.
• Withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us through our contact form. We will respond within 30 days.

9. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

• The right to know what personal information we collect, use, and disclose.
• The right to delete your personal information (subject to certain exceptions).
• The right to opt out of the sale or sharing of personal information. We do not sell or share personal information.
• The right to non-discrimination for exercising your CCPA rights.
• The right to correct inaccurate personal information.
• The right to limit use of sensitive personal information. We do not use sensitive personal information beyond what is necessary to provide the Service.

To submit a CCPA request, contact us with "CCPA Request" in the message.

10. Virginia Residents (VCDPA)

As a Virginia-incorporated company, we comply with the Virginia Consumer Data Protection Act (VCDPA). Virginia residents have the following rights:

• The right to confirm whether we are processing your personal data and to access that data.
• The right to correct inaccuracies in your personal data.
• The right to delete your personal data.
• The right to obtain a copy of your personal data in a portable and readily usable format.
• The right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling. We do not engage in any of these activities.

To exercise your VCDPA rights, contact us. We will respond within 45 days. If we decline your request, you may appeal by contacting us with "VCDPA Appeal" in your message. If you are unsatisfied with our response to your appeal, you may contact the Virginia Attorney General at oag.state.va.us.

11. Cookies and Tracking

Contractus uses no third-party tracking cookies and no advertising trackers. We use browser localStorage for the following strictly functional purposes:

• Your authentication token (to keep you logged in)
• Your jurisdiction preference (to pre-fill the jurisdiction selector)
• UI preferences (e.g., whether you have dismissed the AI notice banner)

These are essential to the operation of the Service. You can clear them at any time by clearing your browser's local storage. There are no analytics scripts, no pixel trackers, and no third-party cookies on our platform.

12. Children

Contractus is a professional legal tool intended for licensed attorneys and law firm personnel. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us and we will promptly delete that information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with a change, you may cancel your subscription before the effective date.

14. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please reach out through our contact form. For billing inquiries, email customer.service@idamil.com.