ClauseBase is operated by ClauseBase BV, with registered office at Alfons Stesselstraat 9, 3012 Wilsele, Belgium and registered with the Crossroads Bank for Enterprises under company number 0723.768.270 (hereafter: “ClauseBase” or “we”).
This Privacy Statement explains how ClauseBase, as the data controller, uses any personal information about you when we do, or are preparing to do, business with each other.
1. Which categories of personal data do we collect?
When you create your profile to use Clause9 or ClauseBuddy, you are required to give information that allows us to identify you as a legitimate user. This includes your name, username, email address, password and any information you fill out on our website (e.g. when booking a training session).
Furthermore, we also retain information about your organisation and groups of which you are a member (if your administrator designated you to a specific group).
We also process information specific to your account, such as your account rights (e.g., as a regular user or an administrator), your ‘favourites’ (i.e., the files and folders you include in your shortlist), your language and legal domain preferences, your personal styling (e.g., font, layout, page settings) and an optional API key, which allows a third-party server to send requests to ClauseBase’s server on the basis of your account.
For each clause/template/answer-set you create, we also track the “owner” of the clause/template/answer-set and the access rights.
When you subscribe to our newsletter, you enter your email address so that we can contact you and provide you with updates. We only store your email address and your first and last name, if you choose to provide it.
For data security reasons, we keep logs of virtually all the actions you take in Clause9/ClauseBuddy that cause your browser or Word plugin to perform actions on a server. Examples include: saving a clause, moving a clause to another folder, deleting a clause, exporting a document, changing your preferences, performing a search, logging in or out, changing your password, submitting an AI prompt, uploading a document in Clause Hunt, etc.
Through advanced log analytics, those logs allow us to:
- detect hacking attempts (e.g., repeated login attempts)
- detect problems with our servers
- provide you with support when things are not working
Parts of the logs we keep are also used to provide each customer with data analytics on how ClauseBuddy and Clause9 are used (e.g., how many documents were exported, who are the most active users, how many clauses were updated, which clauses are most popular, and so on). In the screenshot below, you can see an example of the statistics that we make available based on the logs we keep. Those statistics can be accessed by every customer’s administrator through the administrator interface of ClauseBuddy.
For customers who have special contractual arrangements with us, some log events may also be used for invoicing purposes (e.g., to determine the invoicing amount, based on the number of exported documents or stored clauses/templates).
Use of Large Language Models (LLMs)
ClauseBuddy and Clause9 integrate with LLMs such as ChatGPT and GPT4, in the following areas:
- Drafting an outline of new documents
- Drafting a new clause according to your instructions
- Redrafting a new clause according to your instructions
- Summarising and explaining text submitted by you
- Suggesting keywords and titles for clauses
- Suggesting attributes for a clause
We make use of Microsoft’s version of those LLMs, which does not reuse your data to train the AI.
We do not store the prompt you submit to an LLM (e.g., to specify how to redraft a certain clause); we merely pass on your prompt to Microsoft, and get back the results. Do note that Microsoft stores your prompt for a limited amount of time, to exceptionally track down server errors and/or prevent illegal content. Read more about it at Microsoft’s technical website.
Personal data within the files you create
Each clause, template or answer-set that you store, may itself include personal data. For example:
- when you create a template, it may contain a clause that refers to one or more signatures at your organisation (e.g., in the signature or contacts block)
- when you store an answer-set to a Q&A for an employment agreement, you will likely store various personal data elements about the employee (e.g., name, address, salary, function title, commencement date, etc.)
For our applications (e.g., https://app.clausebase.com, https://fr.clausebase.com, https://nl.clausebase.com), ClauseBase uses a cookie (called “token”) to store the fact that a certain user ID was effectively authorised to log in. These cookies are encrypted and automatically expire after 30 days.
Some cookies also store trivial data, e.g. language preferences and the position of scroll bars.
2. Why do we process your personal data?
ClauseBase primarily processes your personal data to allow you to make use of our software for the intended purposes — e.g., to allow you to log in securely, upload clauses / templates, export DOCX files, etc. Formally speaking, the primary purpose for “processing” such elements of personal data (in the sense of the GDPR) is therefore to execute our contract with you.
We process log files to:
- protect our servers (and your data!) against malware and hacking attempts, through log analytics
- provide you with support, e.g. to investigate
- provide each customer’s administrators with usage statistics, e.g. about most active users or most popular clauses (see above)
We also process log files to get analytics on which features are (not) popular among our users, where users struggle with our software, etc., in order to allow us to improve our software. In these circumstances, the legal basis for our processing activities is our legitimate interest to provide the best possible service to our users.
With respect to personal data stored within clauses/templates/answer-sets: we never sell or otherwise make available such personal data to third parties, such as data brokers or other customers.
3. How long do we store your personal data?
ClauseBase will not store your information longer than is necessary for the purpose of providing the services of the ClauseBase Platform. This means that your personal data will be deleted upon termination of the agreement through which you are granted access to the Platform.
Log files are deleted after 180 days, to allow for “post-mortem” incident research.
However, it is important to note that we may need to retain certain identification information and information on use of the platform in the interest of any potential claims. In any case, we will not retain your personal data for longer than 10 years after the termination of the abovementioned agreement.
4. What are your rights in relation to your personal data?
If you want to invoke your rights, please file your request to us via an e-mail to firstname.lastname@example.org.
Access right: You have the right to access your personal information processed by us.
Right of rectification and the right to erasure: At all times, you have the possibility to rectify or erase your personal data, provided that the applicable legal requirements are met. In the event of errors, we will, upon notification, immediately correct our information about you. Personal data will be erased when the legal requirements are met. Excluded from erasure are only the data we still require to enforce our rights and claims, as well as the data we must store for a longer period of time due to a statutory obligation.
Restriction of the processing: If the applicable legal provisions are met, you can require us to restrict the processing of your personal data. This means that your personal data will only be stored and not actively used anymore, unless you give consent for further use. Excluded from restriction are the personal data needed for the exercise or defence of legal claims.
Objection to the processing of data: Furthermore, you have the right to object at all times to the processing of your personal data by us. We will cease to process your personal data, unless we can demonstrate compelling legitimate grounds for further processing (according to the applicable legal provisions) that outweigh your objection rights. You can also choose at any time to stop receiving marketing communication from us, such as our newsletter. To do so, simply unsubscribe by clicking the designated button at the bottom of every marketing email.
Right to lodge a complaint with the supervisory authorities: You have the right to lodge a complaint with the supervisory authority. Therefore, you can contact the data protection authority that is competent for your place of residence. For Belgium, this is:
Gegevensbeschermingsautoriteit / Data Protection Authority / L’Autorité de Protection des Données
Drukpersstraat 35, 1000 Brussel
Tel.: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
5. Who will receive your personal data?
ClauseBase’s server is hosted by one of Europe’s premium hosting facilities, physically located in a datacentre in the European Union. This datacentre hosts the information set out above, but the server can only be accessed by ClauseBase administrators, through an encrypted VPN connection secured with a strong password. The hosting party in question also does not transfer personal data outside of the European Economic Area.
ClauseBase may from time to time work with third parties to deliver an optimal service to you and your organisation. ClauseBase shall never sell information to these third parties or disclose your personal data in an unauthorised manner. Where you provide your personal data to such a third party, this Privacy Statement shall not apply and we instead refer to the privacy statement of the third party in question.
ClauseBase avoids involving subcontractors as much as possible: to enhance our level of data protection offered to you, we try to host as much as we can ourselves, and only resort to third party hosting when self-hosting is unavailable. When necessary, we carefully select subcontractors and, according to ISO 27001, audit all critical ones.
6. Changes to this Privacy Statement
ClauseBase reserves the right to amend this Privacy Statement from time to time. We will place any updates thereof on https://help.clausebase.com. This Privacy Statement was last modified and revised on 5 December 2020.
7. Which security measures do we apply?
See www.clausebase.com/security for an up-to-date overview.
8. Handling and Responding to Law Enforcement Disclosure Requests
ClauseBase recognises the importance of maintaining the integrity and security of user data stored in our systems. Accordingly, we have established stringent procedures for handling data disclosure requests from law enforcement authorities to ensure compliance with legal obligations, while also protecting our users’ rights.
On receiving a disclosure request from law enforcement, our data protection officer is notified immediately. The DPO can be reached at email@example.com, and his contact details can be shared with law enforcement to facilitate communication. Our policy is to respond to any such request within two business days.
Before proceeding with any data disclosure, we meticulously verify the legitimacy of the request. This process is undertaken by our legal team, which has extensive expertise in data protection. In case of unlawful or dubious requests, we reserve the right to deny the request.
In line with our commitment to transparency, unless legally prohibited, we provide notification to users whose data is subject to a disclosure request. This notification includes details of the request, subject to any legal restrictions or prohibitions on such communication.
All received and processed law enforcement disclosure requests are documented in our Information Security Management System (ISMS) as per ISO 27001 standards. These records are maintained for a duration of ten years, which aligns with the statutory claim period under Belgian law.
This approach aims to ensure a balance between complying with our legal obligations and protecting the privacy rights of our users, whilst also maintaining the confidentiality, integrity, and availability of our information assets. We remain committed to the principles of data minimisation and proportionality when responding to any such requests.
9. Contact information
For any further data protection related inquiries, please contact us at firstname.lastname@example.org.
5 December 2020: changed the email address to email@example.com and clarified that (a) IP addresses are merely temporarily stored; and (b) we register the fact that users were using our services at a certain moment in time.
13 July 2022: clarification that no cookies are used on the public-facing websites.
11 June 2023:
- Updated the text to reflect the new naming scheme (company name “ClauseBase”, versus the product names “Clause9” and “ClauseBuddy”)
- Addition of logging data
- Removed the reference to www.clausebuddy.com, as this domain name actively redirects to www.clausebase.com
- Include more information about the new feature to expose data statistics to customer administrators
- Clarify the use of LLMs
- Improve and extend the list of purposes for data processing
- Add a reference to the security measures
- Clarify that we minimise the use of subcontractors, and instead resort to self-hosting where possible.
- Addition of section dealing with law enforcement requests.