Who We Are
Midly Labs Inc. is a Georgia corporation operating the Midly CLM platform at app.midly.ai and the marketing website at midly.ai. Our registered address is 8735 Dunwoody Place, #6603, Atlanta, GA 30350.
For privacy inquiries: legal@midly.ai
Where Midly Labs processes personal data on behalf of organizational customers (e.g., as a data processor under GDPR), we will enter into a Data Processing Agreement (DPA) upon request.
Data We Collect
Information You Provide Directly
- Account registration: name, email address, organization name, job title
- Contract and document content: all contracts, templates, deal briefs, counterparty information, and other content you create or upload
- Payment information: billing address and payment details processed by Stripe (we do not store card numbers)
- Communications: support requests, feedback, and any correspondence with us
- Profile and preferences: account settings, notification preferences, workflow configurations
Information Collected Automatically
- Usage data: features accessed, actions taken, session duration, deal and document activity
- Device and technical data: IP address, browser type and version, device identifiers, operating system
- Authentication data: login events and session tokens managed by Clerk
- Log data: server logs, error reports, performance data
- Analytics data: page views and behavior data via Google Analytics 4, Microsoft Clarity, and PostHog
- Marketing signals: ad interaction data via Meta Pixel (marketing website only)
From Third Parties
- Google OAuth: name and email address if you sign in with Google
- Stripe: payment status, subscription tier, and billing history
How We Use Your Data
- Providing, operating, and maintaining the Midly CLM platform
- Processing payments and managing your subscription
- Authenticating your identity and securing your account
- Sending transactional emails (account notifications, contract alerts, signing requests)
- Providing customer support and responding to your inquiries
- Analyzing usage patterns to improve the platform and develop new features
- Monitoring for security threats, fraud, and terms violations
- Complying with applicable legal obligations
- Marketing communications (only with your consent, and you may opt out at any time)
We do not sell your personal information. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
No AI training on identifiable content. We do not use your identifiable contract content to train AI models. Anonymized, aggregated workflow metadata (such as contract structure patterns stripped of identifying information) may be used to improve Midly's AI capabilities. You may opt out at any time by contacting legal@midly.ai.
Legal Bases for Processing (GDPR)
For users in the European Economic Area and United Kingdom, we process personal data on the following legal bases:
- Providing the Service: Performance of a contract, Art. 6(1)(b) GDPR
- Payment processing: Performance of a contract, Art. 6(1)(b) GDPR
- Security & fraud prevention: Legitimate interests, Art. 6(1)(f) GDPR (protecting the platform and users)
- Platform analytics: Legitimate interests, Art. 6(1)(f) GDPR (improving the Service)
- Marketing communications: Consent, Art. 6(1)(a) GDPR (withdrawable at any time)
- Legal compliance: Legal obligation, Art. 6(1)(c) GDPR
Data Processors & Sub-Processors
We share your data with the following third-party processors solely to operate the Service. All processors are bound by data processing agreements and are prohibited from using your data for their own purposes.
- Clerk (Authentication): email, name, session tokens, login history
- Stripe (Payments): billing address, payment method, subscription data
- Anthropic (AI processing): contract content sent to Claude API for AI-assisted drafting, clause analysis, and risk detection. Processed under Anthropic's zero data retention API policy.
- Vercel (Hosting): all platform traffic and application data
- Neon (Database): all account, deal, and document metadata
- Wasabi Technologies (File storage): uploaded PDFs, DOCX files, and generated documents
- Resend (Transactional email): email address, notification content
- Postmark (Transactional email, secondary): email address, message content
- PostHog (Product analytics): feature usage, session replays, event data (app.midly.ai only)
- Google Analytics 4 (Website analytics): page views, session data, referral sources (marketing site)
- Microsoft Clarity (Behavior analytics): heatmaps, session recordings (marketing site)
- Meta (Facebook) (Marketing pixel): ad attribution and conversion tracking (marketing site)
We will notify you at least 30 days before adding a new sub-processor that materially affects the processing of your personal data. Enterprise customers may request advance notice in their DPA.
International Data Transfers
Midly Labs Inc. is based in the United States. If you are accessing the Service from the European Economic Area, United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
We rely on the following transfer mechanisms to protect your data during international transfers:
- Standard Contractual Clauses (SCCs): We use EU SCCs (2021/914) for transfers of EEA personal data to the US, incorporated into our Data Processing Agreements with processors.
- UK International Data Transfer Agreements (IDTAs): We use the UK IDTA addendum for transfers of UK personal data.
- Adequacy decisions: Where applicable, we rely on adequacy decisions issued by the European Commission or UK ICO.
To request a copy of our SCCs or DPA template, contact legal@midly.ai.
Data Retention
- Account data: Duration of your account, plus 90 days after account closure to allow for reactivation
- Contract content: Duration of your account; you may delete content at any time within the platform
- Payment records: 7 years from the date of the transaction, as required by US financial regulations
- Log data: 12 months
- Security logs: 24 months
- Encrypted backups: Purged within 30 days following account data deletion
- Anonymized workflow data: Retained indefinitely for product analytics and platform improvement (not linked to your identity)
Upon account closure, you may request an export of your data within 30 days. After that period, we will process your deletion request in accordance with the schedule above.
Your Rights
All Users
- Access a copy of the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Delete your account and personal data
- Export your contract content in a portable format
- Opt out of marketing communications at any time
EEA & UK Users (GDPR / UK GDPR)
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / "right to be forgotten" (Art. 17 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to restrict processing (Art. 18 GDPR)
- Right to object to processing (Art. 21 GDPR), including for direct marketing
- Right to withdraw consent at any time without affecting prior processing
- Right to lodge a complaint with your supervisory authority: edpb.europa.eu (EEA) or ico.org.uk (UK)
California Residents (CCPA / CPRA)
- Right to know the categories and specific pieces of personal information collected
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt-out of sale or sharing (note: we do not sell personal information)
- Right to non-discrimination for exercising your rights
- See our full California Privacy Notice for details
To exercise any right, contact us at legal@midly.ai. We will respond within 30 days (EEA/UK) or 45 days (California) of receiving your verified request.
California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We do not sell personal information. For a full description of your California rights and how to exercise them, see our California Privacy Notice.
Cookies & Tracking Technologies
We use cookies and similar tracking technologies on our marketing website (midly.ai) and platform (app.midly.ai). These include strictly necessary cookies (required for authentication and platform function), analytics cookies (Google Analytics 4, Microsoft Clarity), product analytics (PostHog), and marketing cookies (Meta Pixel).
For a full description of the cookies we use, how to control them, and how to opt out, see our Cookie Policy.
Children's Privacy
The Service is not directed to children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us at legal@midly.ai and we will delete it promptly.
Security
We implement industry-standard security measures to protect your personal data, including:
- TLS/HTTPS encryption for all data in transit
- Encryption at rest for database and file storage
- Role-based access controls limiting employee access to personal data
- Multi-factor authentication via Clerk for all accounts
- Regular security monitoring and vulnerability management
In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours, as required under GDPR, where technically feasible.
For our full security posture, see our Security page.
Changes to This Notice
We may update this Privacy Notice from time to time. We will notify registered users by email for material changes and update the "Last Updated" date at the top of this page. For non-material changes, the updated notice will be effective upon posting.
We encourage you to review this notice periodically.