Privacy Policy

NDA Reviewer AI

Last updated: May 21, 2026 · Effective Date: May 21, 2026

1. Introduction

NDA Reviewer AI ("we," "us," "our") operates ndaguard.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We take privacy seriously. The documents you upload often contain sensitive business information. We have designed our data practices to minimize exposure and give you control over your data.

Please read this policy carefully. By using the Service, you consent to the practices described here.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Email address, full name, and password (stored as a hashed value — we never store plaintext passwords).
  • Profile Information: Any additional information you add to your profile (e.g., display name, avatar).
  • Uploaded Documents: NDA text and PDF files you upload for review. These are stored temporarily to provide the Service.
  • Payment Information: We do not store your payment card details. Payment is handled by our third-party payment processor (Lemon Squeezy / Stripe). We receive confirmation of payment and subscription status only.
  • Communications: Messages you send to our support team.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, upload frequency, and similar interaction data.
  • Device & Technical Data: Browser type, operating system, IP address, device identifiers, and referring URLs.
  • Cookies and Tracking: See Section 7 (Cookies).
  • Error Logs: Crash reports and error data collected via Sentry for debugging.

2.3 Information from Third Parties

  • OAuth Providers: If you sign in with Google, we receive your name and email address from Google. We do not receive your Google password.

3. How We Use Your Information

We use your information to:

PurposeLegal Basis (GDPR)
Provide and operate the ServiceContract performance
Process your NDA uploads through AI analysisContract performance
Handle payments and billingContract performance
Send transactional emails (account confirmation, review ready, payment receipts)Contract performance
Improve and train our AI systems (see Section 3.1)Legitimate interest
Monitor for abuse and enforce Terms of ServiceLegitimate interest
Send product updates and marketing emails (with your consent)Consent
Comply with legal obligationsLegal obligation
Analyze aggregate usage patternsLegitimate interest

3.1 AI Model Improvement

We may use anonymized and aggregated insights from document processing to improve our AI models. We do not share the raw text of your uploaded NDAs with third parties for training purposes, and we do not use your documents to train AI models owned by third parties beyond what is necessary to process your specific request via the Anthropic API.

If you prefer to opt out of your data being used for internal model improvement, contact us at support@ndaguard.ai.

4. Data Retention

Data TypeRetention Period
Account informationUntil account deletion
Uploaded NDA files (original PDFs)90 days from upload date
Extracted NDA text90 days from upload date
AI-generated review results12 months from generation (accessible in your dashboard history)
Redlined PDF outputs90 days from generation
Payment records7 years (legal/tax compliance)
Usage and analytics logs24 months
Error/crash logs90 days

You may request deletion of your uploaded documents at any time via Settings > Account > Delete My Data, or by emailing support@ndaguard.ai. We will process deletion requests within 30 days.

When you delete your account, we delete all associated personal data within 30 days, except where we are legally required to retain it (e.g., payment records for tax purposes).

5. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party vendors who process it on our behalf:

ServicePurposeData Shared
AnthropicAI processing of NDA textNDA text content
SupabaseDatabase & file storageAccount data, documents
Lemon Squeezy / StripePayment processingEmail, payment details
ResendTransactional emailEmail address, email content
PostHogProduct analyticsUsage events, IP address
SentryError trackingError data, partial request data

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes beyond what is necessary to provide services to us.

5.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of NDA Reviewer AI, our users, or others.

5.3 Business Transfers

If NDA Reviewer AI is acquired, merged, or its assets are transferred, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

6. Your Rights

6.1 All Users

You have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data (subject to legal retention requirements).
  • Export: Download your data in a portable format via Settings, or by contacting us.
  • Opt-out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link in any email.

6.2 GDPR Rights (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, you also have the right to:

  • Restrict processing: Request that we limit how we use your data.
  • Object to processing: Object to our processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.
  • Lodge a complaint: File a complaint with your local data protection authority.

Our legal bases for processing are: contract performance (providing the Service), legitimate interests (improving the Service, preventing abuse), consent (marketing), and legal obligation (tax records).

6.3 CCPA Rights (California Residents)

California residents have the right to know what personal information we collect, how it is used, and to whom it is disclosed; the right to delete personal information; the right to opt out of the sale of personal information (we do not sell personal information); and the right to non-discrimination for exercising these rights.

To exercise any rights, contact us at privacy@ndaguard.ai. We will respond within 30 days (or 45 days where permitted by law).

7. Cookies and Tracking

7.1 What We Use

  • Strictly Necessary Cookies: Session management, authentication tokens. These cannot be disabled.
  • Analytics Cookies: PostHog tracks usage behavior to help us improve the product. These are pseudonymous.
  • Preference Cookies: Remember your settings (e.g., theme, language).

We do not use advertising or third-party tracking cookies.

7.2 Your Choices

You can control non-essential cookies via the cookie banner shown on your first visit. You can also disable cookies in your browser settings, though this may affect Service functionality.

8. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • HTTPS/TLS encryption in transit for all data
  • Encryption at rest for stored documents and personal data
  • Access controls: only authorized personnel can access production data
  • Supabase Row-Level Security (RLS) ensuring users can only access their own data
  • Regular security reviews
  • Signed URLs for file access (documents are never publicly accessible)

No method of transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

9. International Data Transfers

Your data may be stored and processed in the United States and other countries where our service providers operate. If you are in the EEA or UK, these transfers are made pursuant to appropriate safeguards such as Standard Contractual Clauses.

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have collected information from a minor, contact us immediately at support@ndaguard.ai.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notice at least 14 days before changes take effect. Continued use of the Service after changes take effect constitutes acceptance.

12. Contact

For privacy-related questions, data requests, or complaints:

NDA Reviewer AI — Privacy
Email: privacy@ndaguard.ai
Response time: Within 30 days


This Privacy Policy was last updated on May 21, 2026.