Privacy Policy

Last updated: February 2, 2026 | GDPR-Compliant | Your Rights Protected

GDPR Compliance: This privacy policy complies with the EU General Data Protection Regulation (GDPR). If you have questions about your rights or how we process your data, contact us at privacy@contextium.io.

Introduction

Welcome to Contextium. We respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This privacy policy will inform you about how we handle your personal data when you use our documentation platform and tell you about your privacy rights under GDPR.

Data Controller

Contextium [Legal Entity Name] is the data controller responsible for your personal data. You can contact us at:

Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

  • Contract Performance (6.1.b): To provide our services as outlined in our Terms of Service
  • Legitimate Interests (6.1.f): To improve our services, prevent fraud, and ensure security
  • Consent (6.1.a): For optional features like marketing communications (you can withdraw consent at any time)
  • Legal Obligation (6.1.c): To comply with legal requirements like tax and accounting laws

Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored only as a salted hash, never in plain text)
  • Profile information you choose to provide

Content Data

We store the content you create and upload:

  • Documents, files, and projects you create
  • Comments, suggestions, and collaboration data
  • Workspace and team settings
  • Feedback submissions (bug reports and feature requests)
  • Integration data (e.g., Slack workspace connections)

Usage Information

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Usage patterns and interactions with our service
  • Session activity and last active timestamps

Billing Information

For paid subscriptions, we collect:

  • Billing name and email address
  • Subscription plan and payment history
  • Payment information is processed and stored securely by Stripe - we do not store credit card numbers

How We Use Your Information

We use your information to:

  • Provide and maintain our service
  • Process your transactions and manage your subscription
  • Send you service updates and important notifications
  • Improve our platform and develop new features based on user feedback
  • Respond to bug reports and feature requests you submit
  • Detect and prevent fraud and abuse
  • Provide customer support
  • Enable team collaboration and workspace features

Feedback Data

When you submit feedback (bug reports or feature requests), we collect the information you provide along with technical details such as your browser information and the page you were on. This helps us diagnose issues and improve the platform. Feedback submissions are one-way communications that our team reviews to prioritize improvements.

Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit using TLS (HTTPS)
  • Sensitive data at rest is encrypted using AES-256 encryption
  • Passwords are hashed using bcrypt, which applies a unique salt to each password
  • Payment information is tokenized and encrypted via Stripe - we never store credit card details
  • JWT-based authentication with secure token refresh mechanisms
  • Role-based access control (RBAC) for workspace permissions
  • Regular security audits and updates
  • Secure cloud infrastructure with automatic backups
  • Database credentials and API keys are stored encrypted and are never exposed to users or in client-side code

Data Sharing

We do not sell your personal data. We may share your information only in these limited circumstances:

  • Within Your Workspace: Content you create is shared with workspace members you invite. You control who has access to your workspaces.
  • Service Providers: Third-party services that help us operate (payment processing, email delivery, hosting)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly authorize us to share your data

Important: When you invite team members to your workspace, they will have access to the content and data within that workspace according to their role permissions. You are responsible for managing workspace access and user permissions.

Third-Party Services

We use the following third-party services:

  • Stripe: Payment processing for subscriptions (see Stripe Privacy Policy)
  • Google OAuth: Optional authentication method (see Google Privacy Policy)
  • GitHub OAuth: Optional authentication method (see GitHub Privacy Policy)
  • Resend: Transactional email delivery for notifications and service updates (see Resend Privacy Policy)
  • Slack: Optional workspace integration for notifications (see Slack Privacy Policy)

When you use these third-party authentication or integration services, they may collect and process your data according to their own privacy policies. We only receive the minimum information necessary to create and maintain your account or provide the integration functionality.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data. These rights are subject to certain limitations and exemptions as provided by law.

Right of Access (Article 15)

You have the right to request a copy of your personal data and information about how we process it. We provide this free of charge and will respond within 30 days.

Right to Rectification (Article 16)

You can update or correct your personal information at any time through your account settings, or by contacting us.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your account and personal data. We will comply within 30 days, subject to any legal obligations to retain certain data (such as billing records for tax purposes).

Right to Data Portability (Article 20)

You can export your data in a structured, machine-readable format (JSON) from your account settings, or request a full export by contacting us.

Right to Restriction of Processing (Article 18)

You can request that we limit how we process your data in certain circumstances, such as while we verify the accuracy of data you have contested.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

Right to Withdraw Consent (Article 7.3)

Where we process data based on consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint (Article 77)

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection authority (DPA). You can find your DPA contact details at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

How to Exercise Your Rights

To exercise any of these rights, contact us at: privacy@contextium.io

We will respond to your request within 30 days. If your request is complex or we receive multiple requests, we may extend this period by up to 60 additional days and will notify you of the extension.

We may need to verify your identity before processing certain requests to protect your personal data from unauthorized access.

Data Retention (GDPR Principle of Storage Limitation)

We retain your personal data only as long as necessary for the purposes outlined in this policy, in accordance with GDPR's principle of storage limitation.

Account Data

When you request account deletion:

  • 90-Day Grace Period: Your account is deactivated immediately, but data is retained for 90 days to allow reactivation if you change your mind
  • After 90 Days: All personal data and content is permanently deleted from our active systems
  • Backups: Data in encrypted backups may persist for up to an additional 90 days before being automatically purged
  • Immediate Deletion: You can skip the grace period by requesting immediate deletion at privacy@contextium.io; we will complete the deletion within 30 days

Other Data Types

  • Active Account Data: Retained while your account is active
  • Billing Records: Retained for 7 years to comply with tax and accounting laws
  • Log Data: Retained for 90 days for security and debugging purposes
  • Legal Hold: Data may be retained longer if required by law, legal proceedings, or to establish/defend legal claims

This retention schedule complies with GDPR requirements while balancing the need to prevent accidental data loss and meet legal obligations.

Cookies and Tracking

We use cookies and similar technologies to provide our service. Under GDPR, we only use strictly necessary cookies that are essential for the service to function.

Strictly Necessary Cookies

These cookies are essential for the service to function and cannot be disabled. We store them for up to 7 days and they are automatically renewed when you use the service:

  • accessToken: Authentication token to keep you logged in securely
  • refreshToken: Token used to refresh your session without requiring re-login
  • user: Basic account information (name, email, user ID) for session management

These cookies are set with the Secure and SameSite=Lax flags for security, and are scoped to the .contextium.io domain to enable cross-subdomain authentication.

Analytics

We use Cloudflare Web Analytics to understand how visitors use our website. This service is privacy-focused and:

  • Does not use cookies or local storage
  • Does not track users across websites
  • Does not collect personally identifiable information
  • Is fully GDPR-compliant without requiring consent
  • Uses the browser's Beacon API for privacy-preserving analytics

Learn more about Cloudflare Web Analytics privacy: https://www.cloudflare.com/web-analytics/

What We Don't Use

We do not use:

  • Third-party tracking cookies
  • Advertising cookies or pixels
  • Social media tracking widgets
  • Cross-site tracking or profiling
  • Any cookies that require consent under GDPR

International Data Transfers (GDPR Chapter V)

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place as required by GDPR:

Safeguards for Data Transfers

  • Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate data protection
  • Standard Contractual Clauses (SCCs): EU-approved contract terms that require recipients to protect your data to EU standards
  • Service Provider Commitments: Third-party processors (like Stripe, Resend) have implemented appropriate safeguards

Specific Transfers

  • Cloud Infrastructure: [Specify your cloud provider and data centers - e.g., "AWS EU regions"]
  • Stripe (Payments): Processes payments globally with GDPR-compliant safeguards
  • Resend (Emails): Email service provider with appropriate data protection measures

You can request more information about the specific safeguards used for data transfers by contacting privacy@contextium.io.

Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any analytics we perform are for service improvement and do not result in automated decisions about you.

If this changes in the future, we will update this policy and provide information about the logic involved, as well as the significance and envisaged consequences, as required by GDPR Article 13(2)(f).

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide information about the nature of the breach, likely consequences, and measures taken
  • Document all data breaches and our response, even if notification is not required

We maintain robust security measures and incident response procedures to minimize the likelihood and impact of data breaches.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by email or through our service. Continued use of Contextium after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this privacy policy or our data practices, please contact us: