The record, kept fairly
Privacy
Last updated: [OMAR: set publication date]
Pactlet turns an informal agreement into a neutral, shared record that follows up until it's done. This page explains what personal data we hold, why, who processes it, and your rights. It is written plainly and is not legal advice.
Two kinds of people, two postures
- Senders hold an account. You sign in (by email link or Google) and choose to create records. We hold the data you give us.
- Counterparties never sign up. Your name, email, and the deal details reach us through the sender who recorded an agreement with you. Because you didn't hand us this data yourself, our first email to you explains why you're receiving it and how to reach the sender.
What we collect
| Data | From whom | Why |
|---|---|---|
| Email and name | Senders (at sign-in) | To run your account and send you records |
| Recipient name and email; the order/agreement text, dates, amounts, and any files | Entered by the sender about the counterparty | To build and follow up the shared record |
| Replies and uploads you send back | Both sides | Kept verbatim as the record of what was agreed |
| A one-way hash of your IP address; daily request counts | Anyone using the site | Rate-limiting and abuse prevention only |
We use privacy-friendly, cookieless analytics (page views, no cross-site tracking). We do not run advertising trackers and we do not sell personal data.
Why we're allowed to (lawful bases)
- Senders — to provide the service you asked for (contract).
- Counterparties — our legitimate interest in keeping a neutral, accurate record of an agreement you are party to. You can object; see your rights below.
Who processes it (sub-processors)
We use a small set of providers, only to run the service:
- Supabase — our database and file storage, hosted in the EU.
- Postmark — sending our emails and receiving your replies.
- Google (Gemini) — structures sender-entered text and uploaded documents into a draft record. Counterparty replies are never sent to any AI provider.
- Google Sign-In — only if a sender chooses to sign in with Google.
- Vercel — hosting and server logs.
Cookies
We set only strictly-necessary cookies: your sign-in session and a security (CSRF) token. There are no advertising or tracking cookies, so no consent banner is required.
How long we keep it
A record is meant to last — that's the point of Pactlet. We keep the record and its history for as long as the account or record is active. Login links and short-lived security data expire automatically. If you want a record or account removed, contact us (below) and we'll handle your request; where a record must stay for both sides' reference, we'll tell you.
Your rights
Under the GDPR you can ask to access, correct, delete, or export your data, or object to our using it. Senders can export any record as JSON from their dashboard. For anything else — including a counterparty asking what we hold or to be removed — email omar@pactlet.com and we'll respond. You may also complain to your local data-protection authority.
Where it's processed
Personal data is processed in the European Union.
Changes & contact
We'll update this page when our processing changes and move the date at the top. Questions: omar@pactlet.com.
← Back to home