Privacy Policy

Last updated: February 18, 2026

SageFoundry LLC, doing business as PactBadger ("we," "us," or "our"), operates the PactBadger contract tracking platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. By using PactBadger, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Email address — used as your login identifier and for transactional notifications
  • Password — stored securely using one-way bcrypt hashing; we never store or have access to your plaintext password
  • First and last name (optional) — used to personalize your experience

1.2 Organization Information

When you create or join an organization, we collect:

  • Organization name
  • Subscription plan and usage data (e.g., number of contracts, AI extraction counts)

1.3 Contract and Document Data

When you upload contracts, we collect and process:

  • Uploaded files — PDF, DOCX, and TXT documents (up to 25 MB each)
  • Extracted text — text content extracted from your uploaded documents for AI analysis
  • Contract metadata — titles, vendor names, dates, values, contract types, and other structured fields you enter or that our AI extracts
  • Key clauses — specific contract provisions identified by AI analysis

Your uploaded contracts may contain sensitive business information, personally identifiable information (PII), or other confidential data. We treat all uploaded contract content as confidential and process it solely to provide the Service.

1.4 Technical and Session Data

When you use the Service, we automatically collect:

  • IP address — recorded when you sign in, stored with your session record
  • User agent (browser and device information) — recorded with your session
  • Session identifiers — via a secure, HTTP-only cookie used to authenticate your requests

1.5 Billing Information

Payment processing is handled entirely by Stripe. We do not collect, store, or have access to your credit card numbers or full payment details. Stripe provides us with limited information such as your subscription status, billing period, and payment method type. Please refer to Stripe's Privacy Policy for details on how they handle your payment data.

1.6 Audit Logs

We maintain audit logs of key actions performed within your organization (e.g., contract creation, updates, deletions, team changes, and alert activity). These logs include the user who performed the action, the action type, and a timestamp. Audit log retention depends on your subscription plan.

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Service — including contract storage, tracking, alerts, and team collaboration
  • Perform AI-powered contract analysis — extracting structured data, key clauses, and dates from your uploaded documents
  • Send transactional notifications — password resets, contract expiration alerts, and team invitations
  • Process billing — managing your subscription and enforcing plan limits
  • Ensure security — detecting unauthorized access, rate limiting, and maintaining audit trails
  • Improve the Service — monitoring errors and performance issues to enhance reliability

3. AI Processing and Third-Party Data Sharing

3.1 Anthropic (Claude AI)

When you request an AI extraction, the full text content of your uploaded contract documents is sent to Anthropic's Claude API for analysis. Anthropic processes this data to extract structured contract information and returns the results to us.

Important: This means your contract text — which may contain sensitive business or personal information — is transmitted to and processed by Anthropic. We recommend reviewing Anthropic's Privacy Policy to understand how they handle data received through their API. Per Anthropic's API terms, data sent through the API is not used to train their models.

3.2 Stripe

We use Stripe to process payments and manage subscriptions. When you subscribe to a paid plan, you are redirected to Stripe's hosted checkout page. We receive webhook notifications from Stripe about subscription status changes. See Stripe's Privacy Policy.

3.3 Postmark

We use Postmark to deliver transactional emails (password resets, alert notifications, and team invitations). Postmark processes recipient email addresses and email content on our behalf. See Postmark's Privacy Policy.

3.4 Amazon Web Services (AWS)

Uploaded contract documents are stored on Amazon S3 in production. AWS processes and stores your files on our behalf as a data processor. See AWS's Privacy Policy.

3.5 Sentry

We use Sentry for error monitoring and performance tracking. When an error occurs, limited context — including your user ID and email address — may be sent to Sentry to help us diagnose issues. We do not enable full PII transmission to Sentry. See Sentry's Privacy Policy.

4. Cookies

We use a single, essential cookie to maintain your authenticated session. This cookie:

  • Is HTTP-only and secure (encrypted in transit)
  • Uses the SameSite=Lax attribute
  • Expires after 30 days of inactivity
  • Cannot be accessed by client-side JavaScript

We use Google Analytics 4 to collect anonymous, aggregated usage data such as page views and feature usage events. Google Analytics operates in cookieless mode in our implementation — no persistent tracking or analytics cookies are stored on your device. We do not use advertising cookies or retargeting pixels.

5. Data Security

We implement the following measures to protect your data:

  • Encryption in transit — all connections use HTTPS/TLS
  • Password hashing — passwords are stored using bcrypt with automatic salting
  • Multi-tenancy isolation — each organization's data is logically isolated; users can only access data belonging to their organization
  • Rate limiting — sign-up and login attempts are rate-limited to prevent abuse
  • Parameter filtering — sensitive fields (passwords, tokens, keys) are excluded from application logs
  • Secure sessions — sessions are stored server-side with automatic expiration
  • Content Security Policy — enforced to prevent cross-site scripting attacks

6. Data Retention

We retain your data as follows:

  • Account data — retained for as long as your account is active
  • Contract data and documents — retained for as long as your account is active, unless you delete individual contracts
  • Audit logs — retained based on your subscription plan (7 days for Free, 30 days for Starter, unlimited for Pro)
  • Draft contracts — incomplete drafts are automatically cleaned up periodically
  • Session data — expired sessions (older than 30 days) are automatically purged

7. Your Rights

You have the right to:

  • Access your data — you can view and export your contracts and associated data through the Service
  • Update your data — you can edit your profile information, organization details, and contracts at any time
  • Delete your data — you can delete individual contracts and their associated documents; to delete your account entirely, please contact us
  • Data portability — you can export your contract data using the bulk export feature

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable data protection laws, you may have additional rights including the right to lodge a complaint with your local data protection authority.

8. Children's Privacy

PactBadger is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us so we can promptly delete it.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States, where our service providers (Anthropic, Stripe, AWS, Postmark, Sentry) operate data centers. We ensure that appropriate safeguards are in place for any international transfer of your personal data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@pactbadger.com