Privacy Policy
Last updated: December 18, 2025
1. Who We Are
ContractSpec is a brand of CHAMAN VENTURES, a simplified joint-stock company (SASU) registered in France.
Data Controller:
- CHAMAN VENTURES, SASU
- RCS Paris • SIREN 989 498 902
- 229 rue Saint-Honoré, 75001 Paris, France
- Contact: privacy@contractspec.io
We are responsible for deciding how we hold and use personal data about you. We are required under data protection legislation to notify you of the information contained in this privacy policy.
2. What This Policy Covers
This privacy policy explains:
- What personal data we collect through the ContractSpec website and services
- Why we collect and process your data
- How we store and protect your data
- Who we may share your data with
- Your rights under the General Data Protection Regulation (GDPR)
This policy applies to visitors of our website, users who sign up for our waitlist or contact us, and customers who use our services.
3. Data We Collect
We collect different types of data depending on how you interact with ContractSpec:
| Category | Data Collected | When Collected |
|---|---|---|
| Website Analytics | Page views, click events, device type, browser, approximate location (country level), session duration, referral source | When browsing our website (with consent in EU/EEA) |
| Contact / Waitlist | Name, email address, message content | When you submit a form or join our waitlist |
| Account Data | Not yet applicable — We do not currently offer user accounts. This section will be updated when accounts are introduced. | — |
| Billing Data | Not yet applicable — We do not currently process payments. This section will be updated when billing is introduced. | — |
4. Why We Process Data (Purposes & Legal Bases)
Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following:
| Purpose | Legal Basis | Details |
|---|---|---|
| Website operation & security | Legitimate interest | Ensuring our website functions correctly, preventing abuse, and maintaining security |
| Analytics & improvement | Consent | Understanding how users interact with our site to improve our services (gated behind consent in EU/EEA) |
| Responding to enquiries | Legitimate interest / Contract | Responding to your questions, processing waitlist requests, or pre-contractual discussions |
| Service delivery | Contract | If/when you become a customer, processing your data is necessary to fulfil our contractual obligations |
| Legal compliance | Legal obligation | Complying with applicable laws, regulations, or legal processes |
5. Cookies & Tracking
We use PostHog for product analytics to understand how visitors use our website. PostHog may use cookies or similar technologies to collect this information.
Consent in the EU/EEA
If you are located in the European Union or European Economic Area, we gate analytics tracking behind your explicit consent. Analytics cookies will not be set until you opt-in through our cookie consent mechanism.
Withdrawing Consent / Opting Out
You can withdraw consent or opt out at any time:
- Cookie settings: Use the cookie preferences link in our website footer to manage your consent
- Browser settings: Configure your browser to reject cookies or alert you when cookies are being set
- PostHog opt-out: PostHog respects "Do Not Track" browser signals where applicable
Note: Rejecting analytics cookies will not affect your ability to use our website.
6. Sub-processors & Recipients
We share data with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| PostHog | Product analytics | EU (PostHog Cloud EU) or US |
| Vercel | Website hosting & CDN | Global (including EU regions) |
| Scaleway | Cloud infrastructure | France / EU |
| Email provider (TBD) | Transactional & marketing emails | To be confirmed |
| Error tracking (TBD) | Application error monitoring | To be confirmed |
| Payment processor (TBD) | Billing & subscription management | To be confirmed |
We carefully select our sub-processors and require them to maintain appropriate security measures and only process data according to our instructions.
7. International Data Transfers
As a France-based company, we aim to keep your data within the European Union wherever possible.
However, some of our service providers may process data outside the EU/EEA. When this occurs, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where the recipient country has been deemed to provide adequate protection
- Binding Corporate Rules where applicable
You may request more information about these safeguards by contacting us at privacy@contractspec.io.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Analytics data | 24 months from collection |
| Waitlist / contact form data | Until you request deletion or 24 months after last interaction |
| Account data (when applicable) | Duration of account plus 12 months after closure |
| Billing records (when applicable) | 10 years (French legal requirement) |
We may retain certain data longer if required by law or to establish, exercise, or defend legal claims.
9. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
- Right to access — Request a copy of the personal data we hold about you
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — Request deletion of your personal data in certain circumstances
- Right to restriction — Request that we limit how we use your data
- Right to data portability — Receive your data in a structured, machine-readable format
- Right to object — Object to processing based on legitimate interests or direct marketing
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, please contact us at privacy@contractspec.io. We will respond within one month as required by GDPR.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest where appropriate
- Access controls and authentication
- Regular security reviews and updates
- Careful vetting of sub-processors
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to continuous improvement.
11. Contact & Complaints
If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:
Email: privacy@contractspec.io
Address: CHAMAN VENTURES, 229 rue Saint-Honoré, 75001 Paris, France
Supervisory Authority
If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. In France, the relevant authority is:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: www.cnil.fr
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of any material changes by updating the "Last updated" date at the top of this page.
We encourage you to review this policy periodically to stay informed about how we protect your data.
For questions about this privacy policy, please contact us at privacy@contractspec.io