Privacy Policy

Effective Date: March 28, 2026  |  Last Updated: June 7, 2026

This Privacy Policy describes how Contracts Manager (referred to as "the App", "we", "us", or "our"), developed by TProM Team, collects, uses, stores, and protects your information. The App is available as a web application and on Android (with iOS planned).

We are committed to transparency and to complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This policy is based on the actual behavior of the App as implemented in its source code.

Key Points at a Glance

1. Data We Collect

1.1 Personal Data (via Google Sign-In)

If you choose to sign in with Google, we receive the following from your Google account through Firebase Authentication:

DataSourcePurpose
Email addressGoogle AccountUser identification and account management
Display nameGoogle AccountPersonalization within the App
Profile photo URLGoogle AccountAvatar display in the App
Unique user ID (UID)Firebase AuthenticationInternal account identifier
Account creation dateFirebase AuthenticationAccount metadata
Last sign-in dateFirebase AuthenticationAccount metadata
Player nickname (optional)Provided by you in-appShared EarnPoints leaderboard display; stored in Firebase Firestore only if you choose a nickname

Guest Mode: You may use the App without signing in. In guest mode, no personal data is collected. All data remains on your device only.

1.2 Contract Data (User-Provided Content)

You create and manage contract records that may include:

Important: We do not control or review the content you enter into contracts. Your contracts may contain personal or sensitive data (e.g., names, addresses, financial details). The App processes this content to provide its core functionality but does not classify, profile, or make automated decisions based on it.

1.3 App Preferences

The App stores your settings locally, including: language, theme, font size, currency preference, and notification preferences.

1.4 Technical Data

DataWhenPurpose
Browser/OS informationDuring cloud syncIncluded in sync metadata to help you identify which device last synced
Google OAuth access tokenAfter sign-inAuthorize access to your Google Drive app folder

1.5 Data We Do NOT Collect

2. Data Sources

2.1 Directly from You

2.2 From Third Parties

Third PartyData ReceivedWhen
Google (via Firebase Authentication)Email, display name, profile photo URLWhen you sign in with Google
Groq APIStructured extraction result (JSON) based on text you sentWhen you use AI contract analysis

3. How We Store Your Data

3.1 Local Storage (Your Device)

All core App data is stored locally on your device using browser localStorage (web) and native device storage (Android via Capacitor). This includes:

3.2 Cloud Storage (Your Google Drive)

When you sign in and connect Google Drive, the App automatically stores synced data in the hidden application-specific folder (appDataFolder) within your own Google Drive account. This folder is:

The following files are stored in your Google Drive app folder:

FileContentEncrypted
contracts.jsonYour contract records (document file contents are excluded — only filenames are synced)Yes (AES-256-GCM)
settings.jsonYour app preferencesYes (AES-256-GCM)
sync-metadata.jsonSync version, timestamp, contract count, device infoNo
Important: Attached document files (PDFs, images) are never uploaded to the cloud. Only document filenames and extensions are included in the synced contract data. Full document content remains on your device only.

3.3 Firebase Authentication & Firestore

Your authentication identity record (email, name, profile photo URL, UID, account timestamps) is stored in our Firebase Authentication project (contracts-manager-e82c5). Firebase is operated by Google and processes this data on our behalf. As the Firebase project administrator, we have access to your email address, display name, and account metadata through the Firebase Console. This data is used solely for account management and support purposes. No contract data is stored in Firebase.

The App also uses Google Cloud Firestore (within the same Firebase project) to store EarnPoints leaderboard data. This data is only created if you voluntarily participate in the EarnPoints system and set a player nickname. Specifically:

This Firestore data is accessible by us as Firebase project administrators. It is used solely to power the shared leaderboard feature and is never used for advertising or profiling. You can delete your Firestore profile data by deleting your account via Settings.

3.4 Our Own Servers

We use Firebase Cloud Functions and Cloud Firestore as a secured backend for AI operations and AI points. The backend verifies Firebase Authentication, can verify Firebase App Check, enforces request-size and rate limits, deducts points transactionally, masks common identifiers where possible, and validates structured AI responses. We do not store the original uploaded file or full extracted document text in this backend. We store the final extraction result, point balance, point-usage history, request status, and limited security metadata needed to prevent abuse and support retries. Your saved contracts remain on your device or in your own Google Drive account.

3.5 Google Cloud Platform Monitoring

Our use of Google APIs (Firebase Authentication, Google Drive) is managed through Google Cloud Platform. Google Cloud automatically records API usage metrics (such as request counts, error rates, and quota usage) in the Google Cloud Console. This is infrastructure-level monitoring provided by Google and does not contain your personal contract data. However, it may include aggregated usage statistics such as the number of API calls made by the App.

4. How We Use Your Data

PurposeData UsedLegal Basis (GDPR)
Provide core App functionality (manage contracts) Contract data, settings Contract performance (Art. 6(1)(b))
Authenticate your identity Google account data via Firebase Consent (Art. 6(1)(a)) — you initiate sign-in
Cloud sync across devices Encrypted contract data, settings Consent (Art. 6(1)(a)) — you opt in to sync
AI-powered contract analysis Masked extracted text from uploaded documents (up to 24,000 characters) Consent (Art. 6(1)(a)) — you initiate each analysis
Send contract reminders Contract title, amount, end date Contract performance (Art. 6(1)(b))
Load application fonts Your IP address (standard HTTP request to Google Fonts CDN) Legitimate interest (Art. 6(1)(f))

5. Legal Bases for Processing

5.1 European Economic Area (EEA), United Kingdom (UK), and Switzerland

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on to process your personal information. We may rely on the following legal bases:

If you are located in the EEA or UK and believe we are unlawfully processing your personal information, you have the right to complain to your Member State data protection authority or the UK data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

5.2 Canada

If you are located in Canada, we may process your information if you have given us specific permission (express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including:

6. Data Processing & Flow

6.1 Authentication Flow

  1. You click "Sign in with Google".
  2. Google's OAuth consent screen is shown (managed by Google).
  3. Upon approval, Firebase Authentication receives your Google credentials and creates/updates your identity record.
  4. The App receives your profile (email, name, photo URL, UID) and stores it locally on your device.
  5. A Google OAuth token is stored locally to enable Google Drive access.

6.2 Contract Management Flow

  1. You create or edit a contract via the App's form.
  2. Contract data (including any attached documents) is saved to your device's local storage.
  3. After login and conflict resolution, local changes trigger an automatic sync after a short delay.
  4. During sync, contract data is encrypted (AES-256-GCM) and uploaded to your Google Drive app folder. Document binary content is excluded from the upload.

6.3 AI Analysis Flow

  1. You upload a PDF or image and choose to analyze it.
  2. Text is extracted from the document entirely on your device (using PDF.js or Tesseract.js OCR).
  3. The App sends up to 24,000 characters of extracted text to a Firebase callable function. The function verifies authentication, App Check when enforced, available AI points, request limits, and rate limits.
  4. The backend masks common identifiers where possible, including IBANs, email addresses, phone numbers, customer numbers, personal IDs, addresses, and signature lines.
  5. The masked text is sent to Groq. Groq returns a strict JSON result with extracted fields and confidence scores.
  6. The backend validates dates, amounts, currencies, categories, field lengths, and the response schema before returning the result.
  7. The result is shown in a review screen. Nothing is saved as a contract until you confirm or edit the fields.

7. AI Processing

The App offers an optional AI-powered feature to analyze contract documents and extract key information.

PropertyDetail
AI Service ProviderGroq, Inc. (San Francisco, USA)
AI ModelA Groq-hosted structured-output model selected by our backend configuration
Data SentUp to 24,000 characters of extracted text after common identifiers are masked where possible
When Data Is SentOnly when you initiate an analysis — never automatically
Authentication and Abuse ProtectionEvery paid AI request requires Firebase Authentication and a server-authoritative point balance. The backend also applies per-user, per-device, and per-IP rate limits. Firebase App Check can be enforced after deployment monitoring.
Response ValidationAll AI-extracted fields are checked against a strict JSON schema and validated for type, allowed values, dates, amounts, confidence, and maximum length before being used in the App
Data Stored by GroqGroq states that inference customer data is not retained by default, but inputs and outputs may be temporarily retained for system reliability or abuse investigations for up to 30 days unless Zero Data Retention is enabled. We recommend reviewing Groq's current data documentation for the most current information on their data retention practices.
What May Be Included in TextCompany names, contract terms, dates, amounts, and other unmasked information needed for extraction. Automated masking reduces exposure but cannot guarantee removal of every identifier.
User NoticeA privacy notice is displayed in the App before analysis is performed
Note: Text extraction from documents (PDF parsing and OCR) is performed entirely on your device. Only masked extracted text (not the original file) is sent to Groq, and only when you explicitly initiate the analysis.

7a. AI-Generated Cancellation Emails

The App includes a contract cancellation assistance feature that uses a Groq-hosted AI model to generate draft cancellation email text based on your contract details (provider name, contract number).

7b. EarnPoints System & Shared Leaderboard

The App features a points-based system called EarnPoints that allows users to earn AI scan credits and compete on a shared leaderboard.

8. Third-Party Services

The App integrates with the following third-party services:

ServiceProviderPurposeData Shared
Firebase Authentication Google LLC User authentication (Google Sign-In) Email, display name, profile photo URL, Google OAuth credentials
Google Drive API Google LLC Cloud sync after Google Drive connection Encrypted contract data (excluding document files), encrypted settings, sync metadata — stored in your own Google Drive
Google OAuth 2.0 Google LLC Authorization for Google Drive access Standard OAuth credential exchange
Groq API Groq, Inc. AI contract text analysis (optional, user-initiated) Up to 24,000 characters of extracted text after common identifiers are masked where possible. Groq's current retention terms apply.
Firebase Cloud Functions & Firestore Google LLC Authenticated AI processing, point ledger, rate limiting, request status, and final extraction result Firebase identity, masked extracted text during processing, final extraction result, point usage, and limited abuse-prevention metadata
Google Cloud Firestore Google LLC EarnPoints shared leaderboard (optional, if you set a nickname) Player nickname, point score, anonymity preference, Firebase UID (as document key)
Netlify Netlify, Inc. Hosts the web application Your IP address and standard HTTP request metadata (handled by Netlify infrastructure)
Google Fonts CDN Google LLC Loading application fonts Your IP address (standard HTTP request)
jsDelivr / unpkg CDN jsDelivr / unpkg Downloading OCR language model (on first use of document scanning) Your IP address (standard HTTP request)

Google OAuth Scopes

When you sign in and authorize Google Drive access, the App requests the following OAuth scope:

Standard Firebase Authentication scopes (email, profile, openid) are included implicitly.

Google API Services User Data Policy

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Social Login (Google Sign-In)

The App offers you the ability to register and log in using your Google account. Where you choose to do this, we receive certain profile information from Google, specifically: your name, email address, and profile picture. We do not receive your friends list, contacts, or any other social information.

We will use the information we receive only for the purposes described in this Privacy Policy. We do not control, and are not responsible for, other uses of your personal information by Google. We recommend that you review Google's Privacy Policy to understand how they collect, use, and share your personal information.

Third-Party Websites

The App may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of any third-party websites. We encourage you to review the privacy policies of any third-party services you access through the App.

Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. If such a transfer occurs, the acquiring party will be bound by the terms of this Privacy Policy.

9. Cookies & Tracking

9.1 Cookies

The App uses one functional cookie:

Cookie NamePurposeDurationType
sidebar_state Remembers whether the sidebar is open or closed (stores true or false) 7 days Strictly necessary / Functional (first-party)

The App does not use any tracking, advertising, or third-party cookies.

9.2 Analytics & Tracking

The App does not use any analytics or tracking services. Specifically:

9.3 Crash Reporting

The App does not use external crash reporting services (no Sentry, Crashlytics, or similar). Application errors are logged locally on your device for debugging purposes only and are never transmitted to any external server. Sensitive data (such as contract text content and AI responses) is not included in any local diagnostic logs.

9.4 Do-Not-Track Signals

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. Since the App does not use any analytics, tracking, advertising, or profiling technologies, DNT signals have no practical effect on how the App operates — we do not track you regardless of whether DNT is enabled.

10. Data Security

10.1 Encryption

10.2 Data Transmission

10.3 Access Control

11. Data Retention

12. Your Rights (EEA, UK, Switzerland — GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection laws:

RightHow to Exercise
Right of Access (Art. 15) All your data is stored locally on your device and visible within the App. You can also view your cloud data by syncing.
Right to Rectification (Art. 16) You can edit any contract or setting directly within the App.
Right to Erasure (Art. 17) You can delete individual contracts within the App. You can delete all cloud data via Settings → "Delete All Cloud Data". You can delete your account via Settings → "Delete Account" (removes your Firebase identity record). You can clear all local data by clearing the App's browser/app storage.
Right to Data Portability (Art. 20) You can export all your contracts as an encrypted backup file (.cmbackup ZIP) or as PDF documents via the App's export features.
Right to Restrict Processing (Art. 18) You can use the App in guest mode without signing in. You can stop cloud sync by signing out or disconnecting Google Drive. AI analysis is always optional.
Right to Withdraw Consent (Art. 7(3)) You can sign out at any time. You can disconnect Google Drive sync at any time. You can choose not to use AI analysis.
Right to Object (Art. 21) Contact us using the details below.

13. US State Privacy Rights

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, or other US states with privacy laws, you may have additional rights regarding your personal information.

13.1 Categories of Personal Information We Collect

CategoryExamplesCollected?
A. IdentifiersEmail address, display name, unique user ID, IP addressYes
B. Personal information (California Customer Records)Name, email addressYes
C. Protected classificationsRace, gender, age, etc.No
D. Commercial informationPurchase history, payment informationNo
E. Biometric informationFingerprints, voiceprintsNo
F. Internet or network activityBrowsing history, search historyNo
G. Geolocation dataDevice locationNo
H. Audio, electronic, sensory dataImages, audio recordingsNo
I. Professional or employment informationJob title, work historyNo
J. Education informationStudent recordsNo
K. Inferences from collected dataProfiles or predictions about preferencesNo
L. Sensitive personal informationHealth, race, religion, sexual orientation, etc.No

We retain collected personal information (Categories A and B) for as long as you have an account with us.

13.2 Your Rights Under US State Privacy Laws

Depending on your state of residence, you may have the right to:

Note: We do not sell your personal information. We do not use your personal information for targeted advertising. We do not engage in profiling that produces legal or similarly significant effects.

13.3 How to Exercise Your Rights

To exercise these rights, you can contact us at info@contracts-manager.eu or by submitting a data subject access request. We will verify your identity before processing your request by matching information you provide against the information we hold.

13.4 California "Shine The Light" Law

California Civil Code Section 1798.83 ("Shine The Light") permits California residents to request information about personal information disclosed to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.

13.5 Appeals

If we decline to take action regarding your request, you may appeal our decision by emailing us at info@contracts-manager.eu. We will inform you in writing of any action taken or not taken in response to the appeal. If your appeal is denied, you may submit a complaint to your state attorney general.

14. Data Deletion

14.1 Available Deletion Actions

ActionWhat Is DeletedPermanent?
Delete individual contract Contract record, associated reminders, and status tracking from local storage Yes (locally). Reflected in cloud on next sync.
Delete All Cloud Data All files in your Google Drive app folder (contracts, settings, sync metadata) Yes. Local data is not affected.
Delete Account Your Firebase Authentication identity record and local authentication tokens Yes. Your local contracts and Google Drive data should be deleted separately.
Sign Out Authentication session and OAuth tokens from local storage Your data remains on device and in cloud.
Disconnect Google Drive Local sync state only Cloud data remains in your Google Drive until you delete it.
Clear App Data (browser/OS) All local storage, session storage, cookies, and cached data Yes for local data. Cloud data is not affected.

14.2 Cloud Sync & Deletion

15. Notifications

16. Children's Privacy

The App is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data through the App, please contact us and we will take steps to delete that information.

17. Android Permissions

The Android version of the App requests the following permissions:

PermissionPurpose
InternetRequired for authentication, cloud sync, and AI analysis
Storage (Read/Write)Import and export contract files and backups
Post NotificationsDeliver local contract reminder notifications (Android 13+)
VibrateHaptic feedback for notifications
Schedule Exact AlarmSchedule precise contract reminder notifications
Receive Boot CompletedRe-schedule reminder notifications after device restart

The App does not request access to your location, camera, microphone, contacts, or phone.

18. International Data Transfers

Your data may be processed outside your country of residence through the following services:

These services may process data in the United States or other countries. We rely on these providers' compliance with applicable data protection regulations, including appropriate safeguards for international data transfers as required by the GDPR.

19. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date at the top of this page. If we make material changes, we may notify you by prominently posting a notice within the App. We encourage you to review this policy periodically for any changes. Continued use of the App after changes are posted constitutes acceptance of the updated policy.

20. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed in violation of the GDPR.

21. How Can You Review, Update, or Delete Your Data?

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information.

To review, update, or delete your personal information, you can: