Privacy Policy

Last updated: 13 June 2026

This policy is provided in Estonian, English, and Russian. The Estonian-language version is the binding original; in case of any conflict between language versions, the Estonian text prevails.

About this policy

This Privacy Policy explains how Avality OÜ ("we", "us", "our"), operating the Lepingukontroll service, processes personal data when you use the service. "Personal data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.

We act as the data controller for the personal data described in this policy, except where indicated otherwise. We aim to be specific about what we collect, why, who we share it with, and how long we keep it. Where this policy uses defined terms, those terms have the meanings given in our Terms of Service.

Who we are

The data controller is:

  • Avality OÜ (operating under the brand 'Lepingukontroll')
  • Registry code: 17484918
  • Registered address: Äkke tn 1, 13517 Tallinn, Estonia
  • Service address: Valukoja 6a, 11415 Tallinn, Estonia
  • Email: info@avality.ee

We are not required to appoint a Data Protection Officer, as we do not engage in large-scale systematic monitoring of data subjects and we do not process special categories of data on a large scale. For all data-protection inquiries, please use info@avality.ee.

Data we collect

We collect and process the following categories of personal data.

Account data

Your email address, used as the sole identifier of the account and for sending magic-link login codes and service-related notifications. We do not collect passwords.

Service-usage data

Records of analyses you have requested, the documents linked to them, the analysis output, the analysis status, the language of the user interface, and similar information necessary to provide the service. Saved analyses remain associated with your account; unsaved analyses are deleted after 7 days.

Contract content (uploaded documents)

The content of the documents you upload for analysis. Estonian employment contracts typically include personal data such as the employee's name, isikukood (personal identification code), address, IBAN, salary, role, and similar identifiers; they may also include personal data of the employer's representatives or third parties referenced in clauses. We treat all uploaded content as personal data of one or more data subjects.

Payment data

When you pay for an analysis, Maksekeskus collects your bank login credentials (for banklink payments) or card data (for card payments) and similar payment data on its checkout page (operated on the payment.maksekeskus.ee domain). We do not see or store bank or card data. We receive only the billing email (if provided) and the payment confirmation (transaction ID, payment status, amount). We retain payment confirmations for 7 years to comply with Estonian accounting and tax legislation.

Technical data

Server logs of HTTP requests including IP address, user-agent string, request path, response status, and timestamp; used for security, abuse prevention, and operational debugging. Log retention is short-term (typically up to 90 days unless an incident requires extended retention).

Cookies and similar storage

Browser storage items (cookies, localStorage) used for authentication, session continuity, language preference, and recording your cookie-banner choices. A detailed inventory is provided in the Cookie Policy.

Providing your email address and uploading the document are contractual prerequisites — without them we cannot deliver the analysis. Creating an account is optional for running a single analysis; it is required to save analyses and view history.

Lawful basis for processing

We process personal data on the following lawful bases:

Contract performance

We process your account data, service-usage data, contract content, and payment data because doing so is necessary to provide the service you have requested under our Terms of Service. Without this data we cannot deliver the analysis.

Legal obligation

We retain payment-related records to comply with Estonian accounting and tax law, which require keeping documentation of business transactions for 7 years.

Legitimate interests

We process technical and security data (server logs, abuse-prevention information) on the basis of our legitimate interests in keeping the service secure, available, and free from abuse, and in defending against potential legal claims. We balance this against your rights and freedoms; the data is minimised, retained only short-term, and not used for commercial profiling.

Consent

Where the law requires it (most notably for non-essential cookies and similar storage), we process data only after you have given consent through the cookie banner. You can change or withdraw consent at any time via the "Cookie settings" link in the footer.

Why we process your data

We use the data described above only for the following purposes:

  • Providing the service: producing the analysis, persisting it for your account, allowing you to view and manage your saved analyses, and sending service-related emails (login magic links, payment confirmations, deletion-confirmation emails).
  • Customer support: responding to your inquiries, processing data-subject requests (access, deletion, etc.), and resolving complaints.
  • Compliance with legal obligations: maintaining accounting records, responding to lawful requests from public authorities, and complying with regulator inquiries.
  • Security and abuse prevention: detecting and responding to suspicious activity, abuse of the service, and security incidents.
  • Service operation and debugging: diagnosing technical issues, monitoring service health, and improving reliability.

Personal data inside uploaded contracts

Estonian employment contracts and similar documents you upload typically contain personal data of multiple individuals — the employee, the employer's representatives signing the contract, and sometimes third parties referenced in specific clauses (for example, beneficiaries, witnesses, or supervisors). When you upload such a document, we receive personal data not only about you but potentially about those other individuals.

We process this data on the basis of contract performance — performing the contract you entered into with us — and, with respect to data of third parties referenced in the document, on the basis of our legitimate interests in providing the analysis service. Our legitimate-interest assessment concludes that this processing is proportionate and that affected individuals could reasonably expect their data to be analysed if it appears in a contract that one of the parties to the contract decides to have reviewed.

If a document contains special-category personal data (for example, health data, religious affiliation, trade-union membership), our lawful condition for processing is your explicit consent, given by your act of uploading the document for analysis. We treat the entire document as a single unit and strongly recommend redacting any sensitive non-essential information before upload.

Document content (the actual contract text) is purged automatically 7 days after analysis is complete, regardless of whether the analysis is saved to your account. The analysis output (summary, risk flags, observations) is retained for as long as you retain the analysis.

Notifying each third party referenced in an uploaded contract is in our reasonable assessment a disproportionate effort, since we do not hold their contact details. Such individuals can exercise their data-protection rights by sending a request to info@avality.ee.

Who we share data with

We share personal data with the following processors, each of whom acts under a data-processing agreement (or equivalent contractual safeguards), processes data only on our instructions, and is bound by confidentiality obligations. We do not sell personal data and do not share it with third parties for their independent marketing or profiling purposes.

Anthropic Ireland, Limited

Ireland (EU); Anthropic, PBC headquartered in San Francisco, USA

Role: AI model provider — produces the analysis output from your uploaded document.

Data: Document content, analysis prompts, model output. Auto-deleted from Anthropic backend within 30 days under normal operation; up to 2 years for inputs/outputs flagged as potentially violating Anthropic's Usage Policy, plus up to 7 years for trust-and-safety classification scores.

Transfer: Standard Contractual Clauses (Module 2 + Module 3) automatically incorporated into Anthropic Commercial Terms; the EEA contracting entity is Anthropic Ireland, Limited.

Supabase Inc.

United States (parent), with project infrastructure in the European Union

Role: Authentication and database hosting — manages your account, issues magic-link login codes, and persists analysis records.

Data: Email address (account identifier), authentication tokens, analysis records and metadata, document content during retention period.

Transfer: Standard Contractual Clauses; data-processing agreement with Supabase Inc.

Maksekeskus AS

Estonia (EU)

Role: Payment processor — runs the checkout, authorises banklink and card payments, and performs fraud screening.

Data: Billing email (if provided), bank login credentials or card data, payment status, and transaction metadata. We do not see bank or card data; Maksekeskus acts as a data controller for its own anti-fraud and regulatory purposes and as a processor for our purchase confirmation.

Transfer: Maksekeskus is established in Estonia and processes data within the European Economic Area; no transfers outside the EEA take place.

Railway Corp.

United States (headquarters); our infrastructure is provisioned in a European Union region

Role: Backend hosting — runs the Spring Boot application that handles requests.

Data: All data flowing through the backend transits and rests on Railway infrastructure, encrypted in transit and at rest. Railway does not inspect content or process data independently.

Transfer: Standard Contractual Clauses; data-processing agreement with Railway Corp.

Netlify Inc.

United States (headquarters); global CDN with EU edge servers serving EU visitors

Role: Frontend hosting — serves the HTML/CSS/JS bundle to the browser.

Data: Visitor IP address, user-agent, and requested paths via standard CDN logging; Netlify does not see user-submitted data.

Transfer: Standard Contractual Clauses; data-processing agreement with Netlify Inc.

International data transfers

Some processing involves transfers of personal data outside the European Economic Area, notably to Anthropic infrastructure operated by Anthropic, PBC (United States) and to Supabase infrastructure operated by Supabase Inc. (United States), even though both are configured to host project data in the EU and have EU-based contracting entities for our service.

All transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. Anthropic's Commercial Terms automatically incorporate Module 2 (controller-to-processor) and Module 3 (processor-to-sub-processor) of the SCCs. Supabase applies its Data Processing Agreement with SCCs for any cross-border transfers. Maksekeskus is established in Estonia and processes data within the EEA, so no separate SCC mechanism is required.

We have assessed that, taken together with technical and organisational measures (encryption in transit and at rest, access controls, short retention, no use of data for training), these safeguards provide an essentially equivalent level of protection to the GDPR. You can request a copy of the relevant transfer mechanisms by emailing info@avality.ee.

How long we keep data

We retain personal data only for as long as necessary for the purposes for which it was collected, and in line with applicable law. Specific retention periods are:

  • Analysis records that have not been explicitly saved to an account: 7 days from creation
  • Analysis records saved to an account (analysis output, metadata): Until you delete the analysis or your account
  • Uploaded document content (the actual contract text): Purged 7 days after analysis is complete; the analysis output is retained as above
  • Account record (email address): Until you request deletion
  • Payment records (transaction ID, amount, status): 7 years (Estonian Accounting Act / tax law)
  • Server access logs (IP, user-agent, request): Up to 90 days; longer only to investigate a specific security incident
  • Backend retention by Anthropic of inputs/outputs we send: Up to 30 days (normal); up to 2 years (flagged); up to 7 years (T&S scores)

Your rights

Under applicable data protection law you have the following rights with respect to personal data we hold about you. We will respond to a substantiated request within one month, free of charge, except where the request is manifestly unfounded or excessive.

Right of access

You can request confirmation that we process personal data about you, and a copy of that data along with information about the processing.

Right to rectification

You can ask us to correct inaccurate personal data and to complete incomplete data.

Right to erasure ("right to be forgotten")

You can ask us to delete personal data we hold about you. We will erase data unless retention is necessary for compliance with a legal obligation, for the establishment or defence of legal claims, or for another lawful basis.

Right to restriction of processing

You can ask us to restrict processing of your data while we verify a request you have made under another right, or where you contest the lawfulness or accuracy of processing.

Right to data portability

You can ask us to provide a copy of personal data you have provided to us, in a structured, commonly used, machine-readable format. This applies to data we process based on your consent or on a contract with you.

Right to object

You can object to processing of your data based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Automated decision-making

You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. The analysis we provide is informational and is not used by us to make any decision about you; this right does not apply in our context, but is included for transparency.

Right to withdraw consent

Where we process data based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint with a supervisory authority

You can lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon — Tatari 39, 10134 Tallinn; info@aki.ee; +372 627 4135) or with the supervisory authority of the EU member state of your habitual residence, place of work, or place of the alleged infringement.

How to exercise your rights

To exercise any of the rights above, send a request to info@avality.ee.

Please tell us which right you wish to exercise and provide enough information for us to identify your records (typically the email address associated with your account). We may ask for additional verification if we have a reasonable doubt about the identity of the requester. We will respond within one month; in complex cases this may extend to three months, and we will inform you of the extension.

We process requests manually and free of charge. Requests that are manifestly unfounded or excessive (in particular, repetitive requests for the same data) may be charged a reasonable fee or refused, with reasons given.

Limitations on rights

Some of your rights have practical limitations specific to our service. We describe them here so you are not surprised.

Erasure with respect to Maksekeskus and Anthropic. When you ask us to delete your data, we will erase it from our own systems immediately. Data held by Maksekeskus (payment records) cannot be deleted on demand because Maksekeskus is independently subject to anti-money-laundering and accounting law, and we as merchant cannot instruct deletion of regulated payment data. To exercise erasure against Maksekeskus, you must contact Maksekeskus directly. Data held by Anthropic on its backend will be deleted on Anthropic's own schedule (up to 30 days normal, longer for flagged content); we cannot accelerate that schedule.

Erasure of accounting records. Payment records subject to the 7-year accounting retention obligation cannot be deleted on demand before the retention period ends; this is a legal obligation under the Estonian Accounting Act.

Automated decision-making and profiling

The contract analysis we produce is generated by an AI model and is informational. It is delivered to you for your own consideration; we do not use the analysis output to make any decision about you. The analysis therefore does not constitute automated decision-making in the legal sense, which applies only to decisions producing legal effects or similarly significantly affecting the data subject.

Meaningful information about the logic involved: your uploaded document is sent to a large language model named Claude, operated by Anthropic, which generates a structured response — summary, clause-by-clause breakdown, risk flags, and references — based on its training and the document's content. The model does not make a decision about you and does not change your legal or contractual position; the output is for your own independent use.

We do not engage in profiling for marketing purposes.

Children's data

The service is intended for adults; we do not expect minors to use it. We do not verify users' ages. If you become aware that a minor has used the service, or that personal data of a child has been uploaded as part of a contract, please contact us so we can promptly delete the data.

Security measures

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include encryption in transit (HTTPS/TLS), encryption at rest for stored data, access controls and least-privilege administration, separation of live and non-live environments, regular updates of dependencies, and monitoring of access to sensitive resources.

No security measure is perfect. If you become aware of a vulnerability or a suspected breach affecting our service, please report it to info@avality.ee.

Data-breach notification

We have a written breach response plan covering detection, assessment, containment, notification, and post-incident review. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate (AKI) within 72 hours of becoming aware of the breach, in accordance with applicable data protection law.

Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, with information about the nature of the breach, likely consequences, measures taken or proposed, and contact information for further inquiries.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our processing, in our processors, or in applicable law. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Where we make material changes that significantly affect your rights, we will notify you by email (if you have an account) and/or by a prominent notice on the website.

Contact and complaints

Questions, requests, and complaints about this Privacy Policy or about our processing of your personal data can be sent to info@avality.ee.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Tatari 39, 10134 Tallinn; +372 627 4135). More information is available at aki.ee.

Detailed information about cookies and similar storage is provided in our Cookie Policy.