Your contracts stay yours.
You're trusting us with sensitive legal documents. So we built this product around a single principle: the less we hold, the less there is to lose. Your contract text is never written to our database or disk — there isn't even a table designed to store it.
Follow your contract, step by step
Here is the entire journey your file takes — and where it stops.
1 · Read in your browser
Your PDF, Word or Excel file is opened and its text extracted on your own device. The original file never leaves your computer.
2 · Encrypted in transit
Only the extracted text is sent — over a TLS-encrypted connection with HSTS enforced — for the comparison to run.
3 · Analysed in memory
The text is held in server memory only for the few seconds the analysis takes — then discarded. Never written to disk or a database.
4 · Gone
We keep only the findings — titles, severity and plain-English explanations — never the verbatim text from your contract.
The engineering behind the promise
Not marketing words — these are the actual controls running in production right now.
Encrypted end to end in transit
Every connection uses modern TLS, and we send Strict-Transport-Security with preload so browsers refuse to ever load this site over plain HTTP. Your data is encrypted from the moment the page loads.
Data minimisation by design
There is deliberately no documents or files table in our schema. The privacy invariant is enforced in the data model itself — we can't leak what was never stored.
Argon2id password hashing
Passwords are hashed with Argon2id, the memory-hard algorithm that won the Password Hashing Competition. We never store, log, or have any way to see your plaintext password.
Hardened against common attacks
CSRF tokens on every state-changing request, parameterised SQL queries throughout (no SQL injection surface), and X-Frame-Options, X-Content-Type-Options and a strict Referrer-Policy on every response.
Rate-limited & access-scoped
Login and comparison endpoints are rate-limited against brute force. Every comparison record is strictly scoped to the account that created it — there is no shared or global access path.
We never touch your card
All payments are processed directly by Stripe, a PCI-DSS Level 1 provider. Your card details go straight to Stripe and never pass through, or rest on, our servers.
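The response headers named above (Strict-Transport-Security with preload, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) can be checked from the outside. The Python sketch below is an added example, not this product's own code: it audits a raw response head for those headers. The sample responses are constructed, and the set of Referrer-Policy values treated as "strict" is an assumption, since the page names no specific policy.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # one year: the minimum the HSTS preload list accepts
# Assumption: "strict" means one of these values; the page names no specific policy.
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return findings; an empty list means every claimed header checks out."""
    h, findings = parse_headers(raw), []
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    m = next((x for x in (re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d) for d in hsts) if x), None)
    if m is None:
        findings.append("HSTS: header or max-age missing")
    else:
        if int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS: max-age below one year")
        for directive in ("includesubdomains", "preload"):
            if directive not in hsts:
                findings.append(f"HSTS: {directive} directive missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not nosniff")
    # When several policies are listed, the last one is taken here.
    policy = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if policy not in STRICT_REFERRER:
        findings.append("Referrer-Policy: missing or not a strict value")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin"""
WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400; preload
X-Frame-Options: ALLOWALL
Referrer-Policy: unsafe-url"""
```

To audit a live response, pass the header text saved from a HEAD request to `audit()`; an empty list means all four headers match the stated controls.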
In plain English
- We never store your contract files or their text.
- We never train any algorithm on your documents — ours or anyone else's.
- No human on our team reads, reviews, or can access your contract content.
- We never sell or share your data with third parties for marketing.
- You can delete your account and history at any time.
Questions about how we handle your data?
Read the full legal detail in our Privacy Policy, or reach out — we're happy to walk you through it.