Privacy Policy (GDPR)

Account data: name, email, hashed password, optional avatar, OAuth provider identifier (e.g. Google).

Company data: name, tax number, address, legal representative, scanned signature if you upload one.

User-generated content: contracts, proposals, templates, client data, files uploaded for AI analysis.

Usage data: technical logs, IP, user-agent, audit events (view/edit/sign).

Signer data: name, email, IP, timestamp and signature image, collected for the evidentiary value of electronic signatures.

Providing the Service and account administration — performance of contract (Art. 6(1)(b) GDPR).

AI generation and review of documents — performance of contract.

Electronic signatures and audit trail — performance of contract and legal obligation (evidence).

Security, abuse prevention, logs — legitimate interest (Art. 6(1)(f) GDPR).

Product and marketing communications — consent (Art. 6(1)(a) GDPR), revocable at any time.

Accounting and tax obligations — legal obligation (Art. 6(1)(c) GDPR).

We use vendors that process data on our behalf under GDPR-compliant agreements:

• Supabase / Lovable Cloud — database hosting, authentication, file storage.

• Lovable AI Gateway (Google Gemini, OpenAI, Anthropic) — prompt processing for AI features; submitted content is not used to train models.

• Transactional email providers for notifications and signing links.

We do not sell your data to third parties and do not use it for advertising profiling.

Some processors may handle data outside the European Economic Area. In such cases we rely on the European Commission's Standard Contractual Clauses or other GDPR-compliant transfer mechanisms.

Account data — for the duration of the account plus 30 days for export.

Documents and signature audit trail — at least 10 years from signing, in line with electronic document legislation.

Invoicing data — 10 years per accounting law.

Technical logs — up to 12 months.

Under GDPR you have the right to: access, rectification, erasure, restriction, portability, objection, withdrawal of consent and not to be subject to a solely automated decision with legal effects.

To exercise your rights, write to [contact@TBD] or to our Data Protection Officer: [DPO: TBD].

You may lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — www.dataprotection.ro.

We apply technical and organizational measures: encryption in transit (TLS) and at rest, strong authentication, role-based access control, database-level Row Level Security, immutable audit logs for documents.

The AI Review feature produces scores and suggestions, but does not take decisions with legal effects without human intervention. Any change to a contract requires manual confirmation.

Updates to this policy will be published on this page with a new revision date. Material changes are notified by email.

MCD United Grup SRL · [Sediu social: TBD, România] · [contact@TBD] · DPO: [DPO: TBD]