Effective Date: January 13, 2026
CONTRAC'D respects your privacy. This Privacy Policy describes how Legaali Technologies, Inc., doing business as Contrac'd ("Legaali," "we," "us," or "our") collects, uses, and shares information in connection with your use of our vendor management platform and services (collectively, the "Services").
When you access or use our Services, you acknowledge that you have read this Privacy Policy and understand its contents. Please read this Policy carefully, as it applies when you use our Services or Products, visit our website, or use the Contracd mobile app.
By accessing or using our Services, you agree to this Privacy Policy. If you do not agree, do not access or use our Services.
This Privacy Policy applies to the personal information we collect and process when you:
Account Information. When you create an account or use our Services, we collect your name, email address, phone number, company name, job title, department, and role within your organization. We also collect payment information, which is processed through third-party payment processors. Your login credentials, including passwords, are encrypted and not accessible by us.
Customer Data. You may upload vendor contracts, agreements, and related documents to the Services. We collect vendor names, contact information, contract terms, pricing, renewal dates, notice periods, and other contract metadata. We also collect financial information related to vendor spend in aggregated form, not individual transactions.
Communications. We collect information you provide when you contact us for support, provide feedback, respond to surveys, submit testimonials, or communicate through our chat features.
Usage Information. When you access or use our Services, we automatically collect certain information about your device and usage patterns. This includes your IP address, browser type, operating system, device identifiers and characteristics, pages visited, features used, time spent on the platform, clickstream data, navigation patterns, and search queries within the platform.
Cookies and Similar Technologies. We use cookies, web beacons, and similar tracking technologies to collect information about your use of our Services. This includes session cookies that expire when you close your browser, persistent cookies that remain on your device, and analytics cookies that measure usage and performance.
Integration Data. When you connect integrations to the Services, we may receive data from accounting systems such as NetSuite or QuickBooks, contract storage systems such as Dropbox, Google Drive, or SharePoint, and authentication information from single sign-on (SSO) providers.
Public Sources. We may collect publicly available company information for verification purposes and business contact information from legitimate sources.
We use your information to provide, operate, and maintain the Services, to process your transactions and manage your account, to analyze vendor contracts and provide insights, and to generate reports, alerts, and recommendations. We use your information to respond to your requests and provide customer support, to send administrative information including updates and security alerts, to improve and optimize our Services through analytics, and to develop new features and functionality.
We use your information to detect, prevent, and address technical issues, to monitor and analyze usage trends, to protect against fraud, abuse, and security threats, to enforce our Terms of Service and other policies, and to comply with legal obligations.
With your consent, we may send you marketing communications about our Services, provide information about features, updates, and events, and conduct surveys and request feedback. You can opt out of marketing communications at any time.
We do not sell, rent, or trade your personal information or Customer Data to third parties for their marketing purposes.
We share information with third-party service providers who perform services on our behalf, including:
All service providers are contractually required to use your information only for specified purposes, implement appropriate security measures, and comply with applicable data protection laws.
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
We may disclose your information if required by law or if we believe such action is necessary to comply with legal process such as a subpoena, court order, or government request; to enforce our Terms of Service or other agreements; to protect the rights, property, or safety of Contracd, our users, or the public; or to detect, prevent, or address fraud, security, or technical issues.
We may share information for any other purpose with your explicit consent.
We implement industry-standard security measures to protect your information. Our technical measures include encryption at rest using AES-256 and in transit using TLS 1.2 or higher, secure data centers with physical security controls, network security including firewalls and intrusion detection, regular security audits and vulnerability assessments, and secure software development practices.
Our organizational measures include access controls and authentication requirements, employee security training and background checks, incident response and breach notification procedures, and regular security policy reviews and updates.
We are currently pursuing SOC 2 Type II certification with expected completion in Q3 2026. Until certification is complete, we maintain controls consistent with SOC 2 standards.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
We retain your information for as long as necessary to provide the Services to you, comply with legal obligations, and resolve disputes and enforce agreements.
You may request deletion of your data at any time. We will delete your data within 30 days unless retention is required by law, data is necessary for ongoing legitimate business purposes, or data is involved in ongoing litigation or investigations.
For Customer Data you upload to the platform, you are the data controller and we are the data processor. For account and usage information, we are the data controller.
Our Services are hosted in the United States. If you access our Services from outside the US, your information will be transferred to, stored, and processed in the United States. For European Union users, we comply with GDPR requirements, use Standard Contractual Clauses (SCCs) for data transfers, and implement appropriate safeguards for international transfers.
Enterprise customers can execute a Data Processing Agreement that includes Standard Contractual Clauses for EU data transfers, detailed security and confidentiality obligations, subprocessor management and notification procedures, data subject rights and assistance obligations, and audit and inspection rights. To request a DPA, contact legal@contracd.com.
You have the right to access your personal information, request a copy of your data in a portable format, and review what data we have about you. To exercise these rights, contact privacy@contracd.com.
You can update your account information directly in the platform, request correction of inaccurate information, or contact support@contracd.com for assistance.
You can request deletion of your information by deleting your account through the platform or by contacting privacy@contracd.com. We will process deletion requests within 30 days. Some information may be retained as required by law or for legitimate business purposes.
You can opt out of marketing emails by clicking "unsubscribe" in any marketing email, manage cookies as described below, and opt out of analytics tracking. You cannot opt out of transactional emails such as account notifications and security alerts or other service-related communications.
Our Services do not currently respond to Do Not Track (DNT) signals.
Our Services are not directed to individuals under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at privacy@contracd.com, and we will delete such information.
If you are in the European Union, you have additional rights under GDPR. Our legal basis for processing includes contract performance to provide Services, legitimate interests to improve Services and prevent fraud, consent for marketing communications, and legal obligations to comply with laws.
Your additional rights include the right to object to processing, the right to restrict processing, the right to data portability, the right to withdraw consent, and the right to lodge a complaint with a supervisory authority.
If you are a California resident, you have rights under the California Consumer Privacy Act. The categories of information we collect include identifiers such as name, email, and IP address; commercial information such as purchase history; internet activity including usage data; and professional information such as job title and company.
Your rights include the right to know what information we collect, the right to delete your information, the right to opt out of sale (we do not sell your information), and the right to non-discrimination for exercising your rights. To exercise your rights, email privacy@contracd.com.
We comply with applicable data protection laws in other jurisdictions. Contact privacy@contracd.com for jurisdiction-specific information.
You can control cookies through your browser settings to disable or delete cookies, through the cookie consent banner on your first visit, or through account settings to disable non-essential cookies. Disabling cookies may limit platform functionality.
We use Google Analytics. You can opt out by visiting tools.google.com/dlpage/gaoptout.
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Effective Date." For material changes, we will notify you by email to your registered email address, provide notice through the platform, and update the "Effective Date" at the top of this policy. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.
For questions or concerns about this Privacy Policy, contact us:
We will respond to privacy requests within 30 days, or 45 days for complex requests with notice of extension.