Privacy Policy
Version effective as of 2026-04-14.
With this Privacy Policy we, Lionel Wermelinger and Fynn Auerbach, doing business as CleverContracts (hereinafter “CleverContracts,” “we” or “us”), describe how we collect and further process personal data. This Privacy Policy is not necessarily a comprehensive description of our data processing. It is possible that other documents such as our Terms of Service, Client Participation Terms, or similar documents are applicable to specific circumstances.
The term “personal data” in this Privacy Policy shall mean any information that identifies, or could reasonably be used to identify, any person. If you provide us with personal data of other persons (such as work colleagues or clients), please make sure the respective persons are aware of this Privacy Policy and only provide us with their data if you are allowed to do so and such personal data is correct.
This Privacy Policy is aligned with the Swiss revised Data Protection Act (“revDPA”) and, on a precautionary basis, with the EU General Data Protection Regulation (“GDPR”). However, the application of these laws depends on each individual case.
The “controller” of data processing as described in this Privacy Policy (i.e. the responsible persons) is:
Lionel Wermelinger and Fynn Auerbach
doing business as CleverContracts
Sengelbachweg 19
5000 Aarau, Canton Aargau, Switzerland
You can notify us of any data protection related concerns using the following contact details: privacy@clevercontracts.ch.
EU representative (Art. 27 GDPR)
We will appoint an EU representative before actively offering our Service to users in the EU/EEA. This section will be updated with the representative's contact details once the appointment is made.
Controller and processor roles
CleverContracts acts as the controller for data processed to provide and operate the platform, manage user accounts, process payments, and fulfill legal obligations.
When a freelancer stores and manages engagement content (scope, terms, messages, files, client contact data) on the platform, CleverContracts acts as a processor on behalf of the freelancer for that engagement content. In such cases, the freelancer is the controller for their engagement data, and we process it solely according to their instructions as part of providing the service.
Invited clients participate engagement-by-engagement. Requests about engagement content are typically handled by the freelancer as the primary controller, with processor assistance from CleverContracts as needed.
We primarily process personal data that we obtain from our users (freelancers) and other individuals in the context of our business relationships with them, or that we collect from users when operating our website and application. Insofar as it is permitted, we may obtain certain personal data from third parties, including information from Google OAuth (email address, display name), information from Stripe (customer ID, subscription status, payment metadata), and data in connection with your use of our website (e.g., IP address, device information, cookies).
2.1 Categories of personal data
Technical data
When you use our website or application, we collect the IP address of your device and other technical data to ensure the functionality and security of the service. This includes session cookies (14 days for freelancers, 30 days for the client portal), CSRF tokens, and step-up authentication tokens. Technical data as such does not permit us to draw conclusions about your identity. However, it may be linked with other categories of data in relation to user accounts. We generally keep technical data in accordance with the applicable cookie duration or the default retention period of the respective service provider.
Registration and account data
When you create an account, we collect your email address, display name, brand name, email verification status, and legal acceptance records (acceptance of our terms and privacy policy). We also process two-factor authentication credentials (TOTP encrypted secret, passkey public keys), notification preferences, and AI feature settings. We generally keep registration and account data for the duration of the account.
Communication data
When you communicate through our platform, we process engagement messages (text messages and structured proposals) and email delivery records (metadata only, no email body content). We generally keep message body content for 18 months from creation, after which it is redacted and replaced with a placeholder.
Master and profile data
We process freelancer profile data (display name, brand name) and client contact records (email address, display name, company name, salutation). We also process private client notes created by freelancers. We generally keep profile data for the duration of the account. Client notes are retained for 18 months, after which the body is redacted.
Contract and engagement data
We process engagement metadata, scope and terms text (versioned), change items with approval receipts (typed name, decision, timestamp), time entries, and file attachments (maximum 20 MB per file). We generally keep this data for the duration of the workspace. File attachments are deleted 6 months after upload, with a metadata placeholder retained.
Billing and financial data
We process Stripe Customer ID, subscription metadata, and payment method information (last 4 digits and card brand only — full card details are stored exclusively by Stripe). We generally keep billing data for the duration of the account. Accounting records are retained for 10 years in accordance with Swiss law (OR Art. 958f).
Behavioral and preference data
We process engagement triage states (rule-based classification such as “needs your attention” or “waiting on client,” based on objective event data, not behavioral profiling). We may collect AI diagnostic events (model used, latency, token count — no content) for users who have opted in. We do not use profiling to make predictions about you or to target advertising. We generally keep AI diagnostic events for 30 days.
Other data
We process OTP codes (automatically expiring after 10 minutes), rate-limit counters (ephemeral, lasting minutes to hours), content moderation holds, message reports, portal invite tokens, and portal sessions. This data is generally ephemeral and retained only for its functional purpose.
2.2 Sensitive personal data
Our service is not designed to collect sensitive or special categories of personal data (such as health data, biometric data, or data revealing racial or ethnic origin). However, free-text fields within engagements (messages, scope descriptions, notes) may incidentally contain sensitive data if entered by you or your clients. We recommend that you avoid entering sensitive personal data in free-text fields unless it is necessary for the engagement.
If you use passkey-based two-factor authentication (WebAuthn), biometric verification (such as fingerprint or facial recognition) occurs entirely on your device. No biometric data is transmitted to or stored on our servers.
We primarily use collected data in order to conclude and process contracts with our users and business partners, in particular in connection with providing the CleverContracts platform for engagement management, scope and terms management, messaging, time tracking, and client portal access, as well as in order to comply with our legal obligations. You may be affected by our data processing in your capacity as an employee or representative of such a user or business partner.
In addition, in line with applicable law and where appropriate, we may process your personal data for the following purposes, which are in our legitimate interest:
- Providing and developing our products, services, websites, and other platforms on which we are active
- Communication with third parties and processing of their requests (e.g., support inquiries, data subject requests)
- Marketing, in particular our waitlist and product update communications, provided that you have not objected to the use of your data for this purpose (if you receive such communications, you may object at any time)
- Market research and product usage analysis
- Asserting legal claims and defense in legal disputes and official proceedings
- Prevention and investigation of misconduct (e.g., rate limiting, content moderation, safety holds on reported content)
- Ensuring our operation, including our IT, our websites, and applications
- Acquisition and sale of business divisions, companies or parts of companies and other corporate transactions and the transfer of personal data related thereto, as well as measures for business management and compliance with legal and regulatory obligations
If you have given us your consent to process your personal data for certain purposes (for example when enabling AI features or registering for our waitlist), we will process your personal data within the scope of and based on this consent, unless we have another legal basis. Consent given can be withdrawn at any time, but this does not affect data processed prior to withdrawal.
3.1 AI-assisted features
Our platform offers optional AI-assisted features (such as engagement summarization, change draft extraction, and reply drafting). These features must be explicitly enabled by the user (opt-in) and are off by default.
When you use an AI feature, relevant engagement content (scope text, messages, change items) is sent to one of our AI service providers (xAI / Grok or Google / Vertex AI Gemini) for processing. The content sent is truncated (maximum 4,000 characters per message, maximum 50 messages per request) and is processed ephemerally. For xAI, we set the store: false parameter; data is deleted within 30 days per xAI's enterprise terms. For Google Vertex AI, customer data is not used for model training per Google Cloud's standard terms.
AI outputs (summaries, drafts) are never automatically applied. They are presented to you as suggestions that require your explicit review and approval before any action is taken. Learn more in our AI Policy.
If you separately consent to AI diagnostic data collection, we collect metadata about AI feature usage (model used, response latency, token count). No engagement content is stored in diagnostic records.
3.2 Legal bases (GDPR)
Where the EU General Data Protection Regulation (GDPR) applies, our processing is based on the following legal grounds under Art. 6(1) GDPR:
| Purpose | Legal basis |
|---|---|
| Service provision and contract performance | Art. 6(1)(b) — performance of a contract |
| Billing and subscription management | Art. 6(1)(b) — performance of a contract |
| Authentication and platform security | Art. 6(1)(f) — legitimate interest |
| AI-assisted features | Art. 6(1)(a) — consent (opt-in) |
| Marketing and waitlist communications | Art. 6(1)(a) — consent (double-opt-in) |
| AI diagnostic data collection | Art. 6(1)(a) — consent (explicit checkbox) |
| Accounting record retention | Art. 6(1)(c) — legal obligation (Swiss OR Art. 958f) |
| Fraud prevention and content moderation | Art. 6(1)(f) — legitimate interest |
| Data subject access requests | Art. 6(1)(c) — legal obligation |
Under the Swiss revised Data Protection Act (revDPA), processing of personal data is generally lawful unless it violates the personality rights of the data subject. The purposes listed in this section constitute legitimate interests that justify the processing.
We typically use “cookies” and similar techniques on our website and application, which allow for an identification of your browser or device. A cookie is a small text file that is sent to your computer and automatically saved by the web browser when you visit our website. If you revisit our website, we may recognize you, even if we do not know your identity. Besides cookies that are only used during a session and deleted after your visit (“session cookies”), we may use cookies to save user configurations and other information for a certain time period (“permanent cookies”). You may configure your browser settings to reject cookies, only save them for one session, or delete them prematurely. Most browsers are preset to accept cookies. We use permanent cookies for the purpose of maintaining your authenticated session and preferences, and in order to understand how you use our services and content. If you block cookies, it is possible that certain functions are no longer available to you.
Cookie inventory
| Cookie / Technology | Purpose | Category | Duration |
|---|---|---|---|
| cc_session | Freelancer authentication | Strictly necessary | 14 days |
| cc_portal_session | Client portal authentication | Strictly necessary | 30 days |
| cc_csrf | CSRF protection | Strictly necessary | Per issuance |
| cc_step_up | 2FA step-up proof | Strictly necessary | 10 minutes |
| cc_cookie_consent | Stores your cookie preferences | Strictly necessary | 1 year |
| Vercel Analytics | Anonymous page view analytics | Performance (consent) | Session |
| Vercel Speed Insights | Web Vitals performance monitoring | Performance (consent) | Session |
Before we deploy performance and analytics cookies, a cookie consent banner is displayed that allows you to accept or reject optional cookies. Analytics tools (Vercel Analytics and Vercel Speed Insights) are activated only with your consent. You can change your preferences at any time via the “Cookie Settings” link in the footer. For full details, see our Cookie Policy.
We do not use any marketing or advertising cookies, device fingerprinting, heatmaps, session recording tools, or tracking pixels.
In the context of our business activities and in line with the purposes of the data processing set out in Section 3, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process data for us or, as the case may be, their own purposes. In particular, the following categories of recipients may be concerned:
- Our service providers, including processors such as cloud infrastructure providers, payment processors, AI service providers, email delivery services, and analytics providers
- Our users' clients, who interact with engagements via the Client Portal
- Domestic and foreign authorities or courts
- Acquirers or parties interested in the acquisition of business divisions and other corporate transactions
- Other parties in possible or pending legal proceedings
You must anticipate your data to be transmitted to Switzerland, the European Economic Area (EEA), and the United States of America, where our service providers are located.
If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the revised European Commission's standard contractual clauses, which can be accessed here), unless the recipient is subject to a legally accepted set of rules to ensure data protection or unless we can rely on an exception.
5.1 Service providers and processors
| Processor | Service | Data shared | Country | Safeguard |
|---|---|---|---|---|
| Google / Firebase | Authentication, database, file storage | Account data, engagement data, files | USA | EU-US DPF + SCCs |
| Stripe | Payments, subscriptions | Email, customer ID, payment metadata | USA | EU-US DPF + SCCs |
| xAI (Grok) | AI summarize / extract / draft | Engagement content (truncated, ephemeral) | USA | SCCs; consent via opt-in |
| Google / Vertex AI | AI (alternative provider) | Same as xAI | USA | EU-US DPF + SCCs |
| Vercel | Hosting, edge functions | HTTP request data, rate-limit counters | USA / Global | SCCs |
| Upstash | Redis for rate limiting | UIDs, invite IDs, counters (ephemeral) | USA / EU | SCCs |
| Resend | Email delivery (landing) | Recipient email, metadata | USA | SCCs |
We process and retain your personal data as long as required for the performance of our contractual obligation and compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. As soon as your personal data are no longer required for the above-mentioned purposes, they will be deleted or anonymized, to the extent possible.
| Data category | Retention period | Mechanism |
|---|---|---|
| Freelancer account data | Duration of account | Account deletion flow |
| Engagement messages (body) | 18 months from creation | Body redacted, placeholder retained |
| Client notes (body) | 18 months from creation | Body redacted, placeholder retained |
| File attachments | 6 months from upload | File deleted, metadata placeholder retained |
| AI diagnostic events | 30 days | TTL-based expiry |
| OTP codes | 10 minutes | Auto-expiry |
| Session cookies | 14 days (freelancer) / 30 days (portal) | Cookie expiry |
| Rate-limit counters | Minutes to hours | Redis TTL |
| Billing and accounting data | 10 years | Swiss OR Art. 958f; preserved separately from account deletion |
See the data retention summary for the plain-language defaults.
We have taken appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse, such as internal policies, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, and pseudonymization.
In the context of our business relationship you must provide us with any personal data that is necessary for the conclusion and performance of a business relationship and the performance of our contractual obligations (as a rule, there is no statutory requirement to provide us with data). Without this information, we will usually not be able to enter into or carry out a contract with you. In addition, the website cannot be used unless certain information is disclosed to enable data traffic (e.g. IP address).
For certain features, such as our AI-assisted tools, you may optionally provide additional data (engagement content) by opting in. You are not required to use these features to use the core service.
We may partially process your personal data automatically with the aim of classifying the status of your engagements (e.g., requiring your attention, waiting on the other party). This classification is based on objective event data (such as pending decisions or activity timestamps) and does not evaluate personal aspects, preferences, or behavior. We do not use profiling to make predictions about you, assess your creditworthiness, or target advertising. Our AI-assisted features process content on demand to generate summaries or drafts, but they do not create profiles about you or predict your behavior.
9.1 Children's data
Our service is directed at business professionals and is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us using the details in Section 1, and we will take steps to delete such data.
In accordance with and as far as provided by applicable law (as is the case where the GDPR is applicable), you have the right to access, rectification and erasure of your personal data, the right to restriction of processing or to object to our data processing, in particular for direct marketing purposes, as well as the right to receive certain personal data for transfer to another controller (data portability). Please note, however, that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain data, have an overriding interest, or need the data for asserting claims. If exercising certain rights will incur costs on you, we will notify you thereof in advance.
In general, exercising these rights requires that you are able to prove your identity (e.g., by a copy of identification documents where your identity is not evident otherwise or can be verified in another way). In order to assert these rights, please contact us at the address provided in Section 1 above.
In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority. The competent data protection authority of Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch).
If you are located in the EEA, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities at edpb.europa.eu.
As a registered user, you can delete your account and all associated data through the account settings. This requires two-factor authentication confirmation.
We may amend this Privacy Policy at any time without prior notice. The current version published on our website shall apply. If the Privacy Policy is part of an agreement with you, we will notify you by e-mail or other appropriate means in case of an amendment.
Based on DSAT.ch.