Privacy Policy — Midly.ai

This Privacy Policy applies to Midly CLM (app.midly.ai) and all services operated by Midly Labs Inc. at midly.ai. For our other products, see midlylabs.com/privacy.

Who We Are

Midly Labs Inc., incorporated in Georgia, United States. Questions about this policy: privacy@midly.ai

Information We Collect

Information You Provide

Account registration: name, email, organization name
Contract and document content you create or upload
Payment information processed by Stripe (we do not store card numbers)
Communications and support requests

Information Collected Automatically

Usage data, session duration, features used
IP address, browser type, device identifiers
Log data and error reports
Authentication data managed by Clerk

From Third Parties

Google OAuth: name and email if you sign in with Google
Stripe: payment and subscription status

How We Use Your Information

To provide Midly CLM, process payments, manage your account, send transactional emails, improve the platform, monitor security, and comply with legal obligations.

We do not sell your personal information.

We do not use your identifiable contract content to train AI models. Anonymized, aggregated workflow data (such as contract structure patterns and clause usage statistics) may be used to improve Midly's AI features. You may opt out of this use at any time by contacting privacy@midly.ai.

Legal Bases for Processing (GDPR)

Providing the service — Performance of a contract
Payment processing — Performance of a contract
Security and fraud prevention — Legitimate interests
Analytics — Legitimate interests
Marketing (opt-in only) — Consent
Legal compliance — Legal obligation

Service Providers and Data Processors

Stripe

Payments

stripe.com/privacy

Clerk

Authentication

clerk.com/privacy

Neon

PostgreSQL database hosting

neon.tech/privacy

Resend

Transactional email

resend.com/privacy

Vercel

Hosting

vercel.com/legal/privacy-policy

Wasabi Technologies

Document and PDF storage

wasabi.com/legal/privacy-policy

Google

OAuth authentication

policies.google.com/privacy

We do not sell or rent your data. All providers are contractually bound to protect your data.

Your Contract Content

All contracts and documents you create in Midly CLM remain your property. We store them securely to provide the service. We do not access your contract content except to provide technical support when authorized by you.

Midly CLM is designed for organizational use. If you use Midly CLM on behalf of an organization, your organization is the data controller and Midly Labs acts as data processor. We will enter into a Data Processing Agreement (DPA) upon request at privacy@midly.ai.

Platform and Workflow Data

In addition to the contract content you create, Midly CLM automatically collects workflow and platform data as a byproduct of your use of the Service. This includes: contract creation timestamps, status transitions (draft → review → signed → voided), counterparty response times, clause-level edit and negotiation patterns, feature usage frequency, and deal cycle durations.

This data is collected in aggregate and used to improve the platform, generate anonymized benchmarks, and develop product features. It is not linked to your identity in any reports shared outside Midly Labs.

Enterprise Data Processing

Enterprise customers and organizations using Midly CLM may request a Data Processing Agreement (DPA) governing how Midly Labs processes personal data on their behalf. Enterprise DPAs may include provisions for:

Model training opt-out — organizations may request that their workspace data be excluded from any AI training or benchmarking use
Enhanced data deletion — custom retention schedules beyond the defaults described above
Sub-processor notifications — advance notice before adding new data processors

To request a DPA or exercise enterprise data rights, contact privacy@midly.ai.

Data Retention

Account data — duration of account plus 90 days after deletion
Contract content — duration of account; delete anytime
Payment records — 7 years per financial regulations
Log data — 12 months
Encrypted backups — up to 30 days after deletion
Anonymized workflow and platform data — retained indefinitely for product analytics and benchmarking

Security

TLS/HTTPS encryption in transit, encryption at rest, role-based access controls, Clerk authentication, and regular monitoring. We will notify you of any breach affecting your data within 72 hours under GDPR.

Your Rights

All Users

Access, correct, delete, or export your data

EEA / UK Users (GDPR)

Restrict or object to processing
Withdraw consent
Lodge a complaint with your data protection authority (edpb.europa.eu for EEA, ico.org.uk for UK)

California Users (CCPA)

Know what data is collected
Request deletion
We do not sell personal data

To exercise any right: privacy@midly.ai. We respond within 30 days.

Cookies

Essential session and authentication cookies are required for the platform to function. We do not use advertising or cross-site tracking cookies.

Children's Privacy

Midly CLM is not directed to anyone under 18.

International Transfers

Data from EEA and UK users is transferred to the US under Standard Contractual Clauses (SCCs).

Changes

We will notify registered users by email for material changes and update the Last Updated date at the top of this page.

Contact

privacy@midly.ai
Midly Labs Inc., Atlanta, Georgia