Privacy Policy

Effective: January 1, 2025 · Last updated: April 1, 2025

Viewing: 🇨🇦 Canada version

1. Who we are

Contract-as-Code is operated by Contract-as-Code Inc. ("we", "our", "us"). Our service helps HR and payroll professionals validate employee datasets against collective agreement rules. We are not a law firm and do not provide legal advice.

Data controller: Contract-as-Code Inc.
Privacy contact: privacy@contract-as-code.com

2. Information we collect

Account information

When you create an account, we collect your name, email address, and organisation details. We use Firebase Authentication (Google LLC) for identity management.

Agreement documents

You upload PDF documents (collective agreements) to our service. These documents are processed by our AI pipeline to extract structured rules. We store these documents in Google Cloud Storage in Canada (GCP northamerica-northeast1 · Neon ca-central-1).

Employee payroll datasets

You may upload CSV files containing employee payroll data for validation. Before any processing, employee identifiers are hashed (SHA-256) — we never store or process raw employee names, SINs, or other direct identifiers. Hashed references are used only to correlate findings within a single validation run.

Usage and log data

We collect server logs, error reports, and usage analytics to operate and improve the service. Logs are retained for 90 days and do not contain employee personal information.

3. How we use your information

  • To provide, operate, and improve the Contract-as-Code service
  • To extract structured rules from the agreements you upload
  • To run validation jobs against employee datasets you provide
  • To generate compliance reports and findings
  • To send transactional notifications (pipeline completion, invite emails)
  • To process billing and subscriptions via Stripe
  • To investigate security incidents and maintain platform integrity

We do not sell your data. We do not use your data to train AI models without your explicit consent.

4. Data residency and transfers

All data is stored and processed in Canada:

  • Application infrastructure: GCP northamerica-northeast1
  • Database: Neon ca-central-1
  • File storage: Google Cloud Storage, same region as above

We use third-party services that may process limited data outside Canada:

  • Firebase Authentication (Google LLC) — authentication tokens only; no payroll data
  • Stripe (US) — billing information only; no contract or payroll data
  • Sentry (US) — error reports; configured to exclude PII from payloads
  • OpenAI (US) — clause text from agreements for rule extraction only. No employee data is ever sent to OpenAI.

5. Applicable privacy law

We process personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including Quebec's Law 25).

The Office of the Privacy Commissioner of Canada oversees PIPEDA compliance. You may file a complaint at www.priv.gc.ca.

6. Your rights

You have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request correction of inaccurate or incomplete information
  • Deletion — request deletion of your account and associated personal data
  • Withdrawal of consent — where consent is the basis for processing
  • Complaint — file a complaint with the Office of the Privacy Commissioner of Canada

To exercise any of these rights, contact us at privacy@contract-as-code.com. We will respond within 30 days.

7. Data retention

Data type                          Retention period
Account information                Until account deletion + 30 days
Agreement documents                Until deleted by your organisation
Employee datasets (uploaded CSVs)  90 days after upload, then auto-deleted
Validation findings and reports    Until deleted by your organisation
Audit logs                         7 years
Server logs                        90 days
Billing records                    7 years

8. Security

  • All data in transit is encrypted via TLS 1.2+
  • All data at rest is encrypted using AES-256
  • Employee identifiers are hashed (SHA-256) before processing — raw SINs are never stored
  • Access to production infrastructure requires MFA and is limited to authorised personnel
  • We maintain audit logs of all data access and modifications
  • We conduct annual security audits and penetration testing

9. Cookies and analytics

Our marketing site uses Plausible Analytics — a privacy-focused provider that does not use cookies and does not collect personal information.

The application uses session cookies strictly necessary for authentication. We do not use advertising or tracking cookies.

10. Contact

Privacy Officer, Contract-as-Code Inc.
privacy@contract-as-code.com