Privacy Policy
This Privacy Policy describes how [[ FILL: razón social ]] (“EUCLM”, “we”, or “the Controller”) processes the personal data of users, administrators, signatories, and visitors to the website euclm.com and the associated SaaS application, in accordance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD), and other applicable data protection legislation.
1. Data controller
- Identity: [[ FILL: razón social ]], Limited Company.
- Address: [[ FILL: domicilio ]].
- Tax identification number (NIF/CIF): [[ FILL: CIF ]].
- Email: privacy@euclm.com
2. Data Protection Officer (DPO)
EUCLM is not required to appoint a Data Protection Officer under Article 37 of the GDPR given the current configuration of its processing activities. Nevertheless, you may direct any data protection enquiry to privacy@euclm.com, which will be handled with due diligence.
3. Purposes of processing and legal basis
We process personal data only where a valid legal basis exists under Article 6 of the GDPR:
| Purpose | Data involved | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Account registration and provision of the contracted CLM service | Identification, credentials, organisation data | Art. 6(1)(b): performance of a contract |
| Management of contracts, templates, eIDAS signatures, and approval workflows | Contractual content, metadata, activity records | Art. 6(1)(b): performance of a contract |
| Payment processing and invoicing | Billing data, transaction identifiers | Art. 6(1)(b): contract; Art. 6(1)(c): legal obligation (tax) |
| Transactional emails (verification, invitations, alerts) | Email address, name | Art. 6(1)(b): performance of a contract |
| Security, fraud prevention, and access auditing | Audit logs, IP address, session identifiers | Art. 6(1)(f): legitimate interest in service security |
| Handling commercial and support enquiries | Contact details, message content | Art. 6(1)(b): pre-contractual measures; Art. 6(1)(f): legitimate interest |
| Compliance with legal obligations (accounting retention, responses to authorities) | Data required by applicable regulations | Art. 6(1)(c): legal obligation |
4. Categories of personal data processed
- Identification and contact data: first name, surname, email address, job title, organisation.
- Authentication data: password (stored using secure hashing; never in plain text), session tokens.
- Contractual data: contract texts, annexes, PDFs, signature metadata, version history, and comments.
- Usage and audit data: records of actions performed on documents and processes (who, what, when).
- Billing data: legal name, tax identification number, billing address; full card details are processed directly by Mollie and are not stored on EUCLM servers.
- Technical data: IP address, request identifiers, browser information in error logs (Sentry, EU region).
EUCLM does not deliberately request special categories of data under Article 9 of the GDPR (ethnic origin, political opinions, health, etc.). If you include such data in contractual documents, EUCLM will act as a processor in respect of that content, in accordance with the service agreement and Article 28 of the GDPR.
5. Recipients and sub-processors
EUCLM does not sell or transfer personal data to third parties for commercial purposes. We engage sub-processors that process data on our behalf and under documented instructions by means of Data Processing Agreements (DPAs). The current list of sub-processors is available at https://api.euclm.com/api/v1/gdpr/sub-processors.
Key sub-processors include: Railway (hosting, database, and object storage in the EU region), Mistral AI (contract text processing via LLM in the EU), Resend (transactional email on EU servers), Mollie (payments), Signaturit (advanced electronic signature in Spain), and Sentry (error monitoring in the EU region). You may request a copy of the applicable DPAs by writing to privacy@euclm.com.
6. International transfers
EUCLM does not carry out international transfers of personal data outside the European Economic Area (EEA) in the ordinary course of providing the service. File and document storage is performed in Railway Bucket (EU region), and application compute runs on Railway (EU-West region). Production data of European customers remains geographically within the European Union.
Some providers may have corporate groups headquartered in third countries; however, the processing contracted by EUCLM is configured in European data centres. If an international transfer not covered by an adequacy decision becomes necessary in the future, EUCLM will implement the safeguards of Chapter V of the GDPR (Standard Contractual Clauses or other approved measures) and inform data subjects in accordance with Article 13 of the GDPR.
7. Retention periods
- Account and tenant content data: for the duration of the contractual relationship. Following a deletion request or termination of the contract, tenant data is retained for a grace period of 30 days to allow export and accidental recovery, after which it is irreversibly deleted unless a legal retention obligation applies.
- Audit logs: retained for a maximum of 730 days (24 months), after which they are automatically purged by the retention job configured on the platform.
- Billing data: up to 6 years from the last entry, in accordance with Spanish commercial and tax regulations.
- Commercial enquiries: up to 24 months from the last interaction, unless converted into a contractual relationship.
8. Data subject rights
Under Articles 15 to 22 of the GDPR, you may exercise the following rights in relation to your personal data:
- Access (Art. 15): obtain confirmation of whether we process your data and access to it.
- Rectification (Art. 16): request correction of inaccurate or incomplete data.
- Erasure (“right to be forgotten”, Art. 17): request deletion where the legal conditions are met.
- Restriction of processing (Art. 18): request restriction of processing in the cases provided by law.
- Data portability (Art. 20): receive your data in a structured format and transmit it to another controller where processing is based on contract or consent and is carried out by automated means.
- Objection (Art. 21): object to processing based on legitimate interest, including profiling.
- Not to be subject to automated decision-making (Art. 22): EUCLM does not make decisions with legal effects based solely on automated processing without meaningful human involvement in critical contracting workflows.
9. How to exercise your rights
You may exercise your rights by any of the following means:
- Email to privacy@euclm.com, attaching a copy of an identity document where necessary to verify your identity.
- If you are an administrator of your organisation in EUCLM, you may initiate export or deletion requests from the dashboard at Settings → GDPR (/dashboard/gdpr).
We will respond to your request within one month of receipt, extendable by a further two months in cases of particular complexity, in accordance with Article 12(3) of the GDPR.
10. Right to lodge a complaint with a supervisory authority
If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): https://www.aepd.es, C/ Jorge Juan, 6, 28001 Madrid.
11. Cookies and similar technologies
For detailed information about the cookies used, please see our Cookie Policy.
12. Changes to this policy
EUCLM may amend this Privacy Policy to reflect regulatory, technical, or processing changes. We will notify material changes by email to account administrators or by prominent notice in the application at least 30 days in advance where required. The date of last update appears at the beginning of this document.