Privacy Policy
1. About This Policy
This Privacy Policy explains how Pneuma LLC ("Pneuma," "we," "us," or "our") collects, uses, stores, and shares information when you use the ContractMatch web application and related services (the "Service"), available at contractmatch.app.
This policy applies to all users of the Service, including individuals using the Service on behalf of a business. It does not apply to any third-party websites or services linked from the Service.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
| Category | What we collect | When |
|---|---|---|
| Account | Email address; optional display name | When you create an account or are invited by an Admin |
| Company profile | Company name, description, website URL; filter settings including security clearance level, set-aside eligibility, service states, and NAICS codes | When you set up or update your workspace |
| Capabilities & exclusions | Named skills/services with descriptions and match thresholds; topics to exclude from matching | When you configure your matching profile |
| Uploaded documents | Text content or files you upload for AI-assisted capability generation | When you use the document upload feature |
| Comments | Free-text comments you post on contract notices (up to 5,000 characters) | When you comment in a shared workspace |
| Triage actions | Which list a notice is assigned to (Review, Saved, Trash) and manual sort positions | As you triage contract notices |
| Feedback | Feedback category, description, and client-side diagnostic logs you submit via the in-app feedback form | When you submit feedback |
2.2 Information Collected Automatically
| Category | What we collect | How |
|---|---|---|
| Authentication session | A secure session token maintained via an HTTP-only cookie after you log in via email OTP | Cloudflare Access |
| Usage events | Anonymous, session-scoped events such as pages visited, features used, and errors encountered — with no persistent identifier linking events across sessions | PostHog (memory-only mode — see Section 5) |
| Team activity log | A record of team actions within a workspace (e.g., who moved or commented on a notice), retained for 90 days | Logged by the Service on user action |
2.3 Information We Do Not Collect
- Payment card data — handled entirely by Stripe; we never see or store card numbers, CVVs, or bank details
- Browsing history outside the Service
- Data from other applications or services on your device
- Precise geolocation
- Sensitive personal information such as government ID numbers, health data, or biometrics
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service — authenticating you, running AI matching against your capabilities, displaying contract notices, and enabling team collaboration features
- Billing and subscriptions — managing your subscription status, communicating with Stripe, and sending subscription-related emails (receipts, renewal notices, failed payment alerts)
- Service communications — sending transactional emails related to your account, such as login OTPs, workspace invitations, and important policy updates
- Product improvement — analyzing aggregated, session-scoped usage events to understand how the Service is used and to prioritize improvements
- Customer support — reviewing feedback submissions and, where necessary, accessing account information to investigate and resolve issues
- Security and abuse prevention — monitoring for unauthorized access, policy violations, and technical issues
- Legal compliance — retaining records as required by applicable law and responding to lawful legal process
We do not use your data to train general-purpose AI or machine learning models. We do not use your data for advertising or sell it to data brokers.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:
4.1 Infrastructure & Service Providers
We share data with the third-party providers listed below solely to operate the Service. Each provider processes data only as directed by us and for no other purpose.
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing & subscription management | Email address, subscription plan and status |
| Cloudflare Access | Email OTP authentication | Email address (to issue and verify login codes) |
| Cloudflare Workers / D1 / R2 | Application hosting, database, and file storage | All application data (our infrastructure runs on Cloudflare) |
| PostHog | Product analytics | Anonymous, session-scoped usage events (no persistent identifiers, no email address — see Section 5) |
| GitHub | Feedback ticket management | Email address, feedback text, and client-side diagnostic logs (only when you submit feedback) |
4.2 Within Your Workspace
If you are part of a team workspace, your display name, comments, triage actions, and activity log entries are visible to other members of that workspace. Workspace Admins can see the email addresses of all workspace members.
4.3 Legal Requirements
We may disclose your information if required to do so by law, court order, or valid legal process (such as a subpoena), or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Pneuma, our users, or the public.
4.4 Business Transfers
If Pneuma is involved in a merger, acquisition, asset sale, or other business transfer, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.
5. Cookies & Tracking Technologies
5.1 Authentication Cookie
Cloudflare Access sets a secure, HTTP-only cookie to maintain your login session. This cookie is strictly necessary for the Service to function; without it, you cannot stay logged in. It does not track your activity and is cleared when your session expires or you log out.
5.2 Analytics (PostHog — No Persistent Tracking)
We use PostHog for product analytics, configured in memory-only mode. This means:
- PostHog does not set any cookies on your device;
- PostHog does not use localStorage or any other persistent browser storage;
- No stable identifier is created to track you across sessions or page loads;
- Analytics data is limited to the current page session and is not linked to your email address or account;
- Each time you open a new session, any prior analytics context is gone.
Analytics events are routed through our own domain before being forwarded to PostHog, so PostHog does not receive your IP address or any direct network identifiers from your browser.
5.3 No Third-Party Advertising Cookies
We do not use advertising networks, retargeting pixels, social media tracking pixels, or any other third-party tracking technologies. No advertiser receives data about your use of ContractMatch.
6. Data Retention
| Data category | Retention period |
|---|---|
| Account information (email, display name) | Until account deletion |
| Company profile, capabilities, exclusions | Until deleted by you or account closure |
| Uploaded documents (extracted text) | Until deleted by you or account closure |
| Uploaded document files (original files) | Deleted automatically after AI processing is complete |
| Comments and triage actions | Until deleted by you or account closure |
| Team activity log | Automatically purged on a rolling 90-day basis |
| Feedback submissions | Retained in our private GitHub issue tracker; contact us to request deletion |
| Analytics events (PostHog) | Session-scoped only; not retained on our systems after the session ends. PostHog's own retention period applies to the aggregated event data it receives. |
| Backup copies | Up to 90 days after active deletion, then overwritten |
When you delete your account or a company workspace, we delete your associated data from our active systems. Residual copies may remain in encrypted backups for up to 90 days. We cannot recover deleted data after deletion is confirmed.
7. Data Security
We implement reasonable technical and organizational safeguards to protect your information, including:
- All data transmitted between your browser and the Service is encrypted via TLS;
- Application data is stored on Cloudflare's infrastructure, which maintains its own security certifications and controls;
- Authentication is handled via email OTP — no passwords are stored by us;
- Access to production systems is restricted to authorized Pneuma personnel.
No security system is impenetrable. We cannot guarantee that unauthorized third parties will never be able to defeat our security measures. If you become aware of a security issue, please contact us at support@contractmatch.app.
8. Children's Privacy
The Service is intended for business use by adults. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us at support@contractmatch.app and we will delete it promptly.
9. Your Privacy Rights (All Users)
Regardless of where you are located, you have the following rights with respect to your personal information:
- Access — you may request a summary of the personal information we hold about you.
- Correction — you may update most of your account and company information directly within the Service. For changes you cannot make yourself (such as email address updates), contact us.
- Deletion — you may delete your account and associated data through account settings, or request deletion by contacting us. See Section 6 for retention details.
- Portability — you may request an export of your User Data in a commonly used format.
- Restriction — you may request that we restrict processing of your data in certain circumstances while a dispute is resolved.
To exercise any of these rights, contact us at support@contractmatch.app. We will respond within 30 days. We may need to verify your identity before processing requests.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.
10.1 Categories of Personal Information Collected
In the past 12 months, we have collected the following categories of personal information as defined by the CCPA:
| CCPA category | Examples we collect | Sold or shared? |
|---|---|---|
| Identifiers | Email address, display name | No |
| Commercial information | Subscription plan, billing status | No |
| Internet / network activity | Session-scoped usage events (anonymous) | No |
| Professional or employment information | Company name, capabilities, NAICS codes you provide | No |
| Inferences | AI-generated match scores based on your capabilities (used only to deliver Service features) | No |
10.2 We Do Not Sell or Share Your Personal Information
Pneuma does not sell your personal information and does not share your personal information with third parties for cross-context behavioral advertising purposes, as those terms are defined under the CCPA/CPRA. You do not need to submit an opt-out request because we do not engage in these activities.
10.3 Your California Rights
As a California resident, you have the right to:
- Know — request disclosure of the categories and specific pieces of personal information we have collected about you, and the purposes for which it is used.
- Delete — request deletion of personal information we have collected from you, subject to certain exceptions.
- Correct — request correction of inaccurate personal information we maintain about you.
- Opt out of sale/sharing — as noted above, we do not sell or share personal information, so no opt-out is required.
- Limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA.
- Non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.
10.4 How to Submit a California Rights Request
To submit a verifiable consumer request, contact us at support@contractmatch.app with the subject line "California Privacy Request." We will respond within 45 days of receipt. We may need to verify your identity (for example, by confirming the email address associated with your account) before processing your request. You may designate an authorized agent to submit a request on your behalf, in which case we may require written proof of authorization.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will post the revised policy at contractmatch.app/privacy and update the effective date at the top of this page.
For material changes — those that meaningfully affect how we collect, use, or share your personal information — we will notify you by email or through a prominent in-app notice before the changes take effect. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Pneuma LLC — ContractMatch Privacy
Email: support@contractmatch.app
Website: contractmatch.app
We will respond to all privacy inquiries within 30 days (or 45 days for California rights requests).