Privacy Policy
Last updated: 2026-05-26
This Policy explains how NDA SHIELD ("we", "us") processes personal data when you use NDAshield. We are established in Poland and process data in line with the EU General Data Protection Regulation (GDPR) and applicable Polish law.
1. Data controller
NDA SHIELD
POLAND
Email: ndashield@outlook.com
We are a solo operator and do not meet the thresholds for a statutory Data Protection Officer under Article 37 GDPR. For all data protection inquiries, contact ndashield@outlook.com.
2. Categories of data
- Account data: email, name, Clerk user ID, sign-in metadata.
- Contract content: we do not store original uploaded PDF/DOCX binaries; we store extracted text and AI analysis results in your history. On the public landing page, extracted text may be held in your browser's session storage until you sign in or close the tab; it is cleared when you sign out.
- Billing data: Stripe customer ID, subscription status, invoices — card details are handled by Stripe, not stored on our servers.
- Technical data: IP address, browser type, and security logs where needed to operate and protect the Service.
3. Purposes and legal bases (GDPR Art. 6)
- Contract performance — providing accounts, analyses, credits, and billing.
- Legitimate interests — security, fraud prevention, product improvement (balanced against your rights).
- Legal obligation — tax, accounting, and regulatory records.
- Consent — where required (e.g. optional analytics cookies in the cookie banner).
4. AI processing
Document text is sent to configured AI providers (for example Google Gemini and, as failover, OpenAI) only to generate analysis output. We use provider API tiers intended for business applications. Align your account settings with each provider's data processing terms. We do not use your documents to train our own models.
5. Sub-processors
We rely on trusted providers that process data on our instructions:
- Clerk — authentication and account management.
- Stripe — payments and subscription billing.
- Cloudflare — hosting and delivery of the application.
- Database host (e.g. Supabase) — stored account, credit, and analysis records.
- Google / OpenAI — AI inference when you run an analysis.
Where processors are outside the EEA, we rely on appropriate safeguards (such as Standard Contractual Clauses) offered by those vendors.
6. Retention
- Original file uploads are not persisted. Extracted source text and analysis reports in history are kept until you delete your account or we remove them as part of account closure, unless longer retention is required by law.
- To delete your account, use the account portal in Clerk (linked from in-app Account settings). Your account is deactivated immediately and personal data is permanently erased after 30 days (the “retention window”), unless a longer retention is required by law.
- Billing records (invoices, payment confirmations) are retained for 5 years from the end of the tax year in which the transaction occurred, as required by Polish tax law (Ordynacja podatkowa, Art. 86 §1).
- Security audit logs (including IP addresses and request metadata) are retained for 90 days. Logs older than 90 days are permanently deleted unless required for an active investigation.
- Purchased credits expire 12 months after the purchase date unless used earlier. Free monthly credits reset each billing cycle and do not carry over.
7. Your rights
Under GDPR you may request access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests. Where processing is based on consent, you may withdraw consent at any time without affecting prior lawful processing. You may lodge a complaint with the Polish supervisory authority (UODO): uodo.gov.pl, or your local EU authority.
To exercise rights, email ndashield@outlook.com. We respond within one month unless complexity requires an extension permitted by law.
8. Cookies
Strictly necessary cookies (Clerk session, consent storage) are required to sign in and remember your choices. Optional analytics cookies are off by default until you accept them in the cookie banner or Account settings. You can change preferences anytime via Cookie settings in the footer.
9. Security
We use encryption in transit (HTTPS), access controls, and industry-standard practices. No method of transmission over the Internet is 100% secure; report suspected incidents to ndashield@outlook.com.
10. Children
The Service is not directed at children under 16. We do not knowingly collect their data.
11. California residents (CCPA/CPRA notice)
If you are a California resident, you may have rights to know, delete, and correct personal information, and to opt out of certain sharing. We do not sell personal information as defined by California law. Contact ndashield@outlook.com to submit a request.
12. Changes
We may update this Policy with a new "Last updated" date. Material changes will be communicated where required. See also Terms of Service.