Privacy Policy

Last updated: March 24, 2026

1. Introduction

riskr ("we", "us", or "our") operates riskr.app, an AI-powered contract risk analysis platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services. We are committed to complying with applicable data protection laws, including the India Digital Personal Data Protection Act, 2023 (DPDP Act) and the EU General Data Protection Regulation (GDPR) for users located in the European Union.

By using riskr, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

When you register for riskr, we collect your name, email address, and any profile information you provide. Authentication is handled by Clerk, which may also collect device and session data.

2.2 Uploaded Contracts

When you upload a contract for analysis, the document content is temporarily processed to generate a risk report. We do not use your contract contents to train AI models. Uploaded contracts and their extracted text are permanently deleted within 24 hours of upload.

2.3 Usage Data

We collect information about how you interact with our platform, including pages visited, features used, analysis history (risk scores and flags — not the raw contract text after deletion), timestamps, and browser/device information.

2.4 Billing Data

If you subscribe to a paid plan, billing information (name, payment method details) is collected and processed by Razorpay. We do not store your full card or bank account details on our servers.

3. How We Use Your Data

  • Service delivery: To process contract uploads, generate risk analyses, and present results to you.
  • Account management: To manage your account, authenticate you, and enforce plan limits.
  • Billing: To process subscription payments, issue receipts, and manage plan upgrades or cancellations.
  • Communications: To send transactional emails (e.g., account verification, billing receipts). We will not send marketing emails without your explicit consent.
  • Analytics and improvement: To understand how users interact with riskr and improve our service. Analysis is performed on aggregated, anonymised data.
  • Legal compliance: To comply with applicable laws, respond to lawful requests from public authorities, and enforce our Terms of Service.

4. Legal Basis for Processing (GDPR)

For users in the EU/EEA, we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the service you have signed up for.
  • Legitimate interests: Analytics and service improvement, fraud prevention, and security.
  • Consent: Where we rely on consent (e.g., marketing communications), you may withdraw it at any time.
  • Legal obligation: Compliance with applicable laws and regulations.

5. Data Retention

  • Uploaded contracts: Permanently deleted within 24 hours of upload.
  • Analysis results (risk score, flags, summary — not raw contract text): Retained for the duration of your active account to allow you to review past reports.
  • Account data: Retained while your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
  • Billing records: Retained for 8 years to comply with Indian financial and tax regulations.

6. Third-Party Services

We share data with the following trusted third-party service providers only to the extent necessary to operate the platform:

Clerk (Authentication)

Handles user registration, login, and session management. Processes account data including email and device information. Privacy policy: clerk.com/privacy

Supabase (Database & Storage)

Stores user account records, analysis results, and temporarily stores uploaded contract files. Data is hosted on servers in the region you are assigned. Privacy policy: supabase.com/privacy

Anthropic (AI Analysis)

Contract text is sent to Anthropic's Claude API for risk analysis. Anthropic does not train its models on API inputs by default. Privacy policy: anthropic.com/privacy

Razorpay (Payments)

Processes subscription payments. Handles payment instrument data directly. We receive only transaction confirmations and masked payment details. Privacy policy: razorpay.com/privacy

Resend (Transactional Email)

Sends transactional emails such as account verification and billing notifications. Processes your email address. Privacy policy: resend.com/privacy

We do not sell your personal data to any third party.

7. International Data Transfers

Some of our third-party providers may process your data outside India or the EU. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) for EU data or equivalent protections for data subject to the DPDP Act. By using riskr, you consent to such transfers to the extent permitted by applicable law.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Deletion (Right to be Forgotten): Request deletion of your personal data, subject to our legal retention obligations.
  • Data Portability: Request your data in a structured, machine-readable format.
  • Restriction of Processing: Request that we limit how we use your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, contact us at privacy@riskr.app. We will respond within 30 days. For DPDP Act requests, we will respond within the timeframes prescribed by applicable regulations.

9. Security

We implement industry-standard technical and organisational measures to protect your personal data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. However, no system is completely secure, and we cannot guarantee absolute security. Please notify us immediately at privacy@riskr.app if you suspect any security incident involving your data.

10. Cookies

riskr uses essential cookies required for authentication and session management (provided by Clerk). We do not currently use third-party advertising or tracking cookies. If this changes, we will update this policy and seek your consent where required.

11. Children's Privacy

riskr is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at privacy@riskr.app and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice on our platform. Continued use of riskr after such changes constitutes your acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection contact at:

riskr

Email: privacy@riskr.app

Website: riskr.app

If you are located in the EU and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority. For India-based users, you may raise concerns with the Data Protection Board of India once it becomes operational.