Privacy Policy
Last updated: April 15, 2026
1. Who We Are
Smallprint is operated by Kunley SASU, a company registered in France.
Contact: [email protected]
This policy explains how we collect, use, and protect your personal data when you use Smallprint at https://small-print.ai.
2. Data We Collect
Account Data
- Email address
- First name, last name
- Authentication provider (email or Google)
- Account creation date
Document Data
- PDF documents you upload for analysis
- Analysis results (scores, clauses, structured data)
- Document metadata (file name, upload date, detected company, document type)
Usage Data
- Scan history (dates, document types)
- Feature usage (comparisons, re-scans)
- Session data (login times, device type)
Technical Data
- IP address (for rate limiting and security only)
- Browser type and version
- Cloudflare analytics (aggregated, no personal tracking)
Payment Data
Payment processing is handled entirely by Lemon Squeezy. We do not store credit card numbers, bank details, or other financial information on our servers. See Lemon Squeezy's privacy policy for details.
3. How We Use Your Data
We use your data to:
- Provide the service: process your documents, generate analyses, display your dashboard
- Secure your account: authenticate you, prevent fraud, enforce rate limits
- Improve the service: analyze pseudonymized scan data to refine our analysis quality (see section 7)
- Produce comparative studies (optional, consent-based): generate internal benchmarks by matching pseudonymized profiles with contract structures, so we can tell a broker whether their client's contract is above or below comparable profiles. You can opt out at signup or at any time from your settings.
- Build public features: aggregated, anonymized company scores and rankings
- Communicate with you: send verification emails, service updates, billing notifications
We do not:
- Sell your personal data to third parties
- Use your data for advertising
- Share your uploaded documents with other users
- Hand your data over to third-party AI vendors for them to train their own models on
4. Legal Basis (GDPR)
We process your data under the following legal bases:
- Contract performance (Art. 6(1)(b)): processing your documents and managing your account
- Legitimate interest (Art. 6(1)(f)): security, fraud prevention, service quality analytics on pseudonymized data
- Explicit consent (Art. 6(1)(a)): participation in comparative studies (opt-in at signup), marketing communications
- Explicit consent on special categories (Art. 9(2)(a)): any analysis of contracts containing health data (prévoyance, santé) requires the broker to certify the client's explicit consent before upload. Smallprint relies on that certification as the legal basis for processing the health-related content.
- Legal obligation (Art. 6(1)(c)): retaining invoicing data as required by French law
5. Data Storage and Security
All data is stored on European infrastructure with encryption at rest and in transit. Authentication uses secure, encrypted sessions. Passwords are hashed using industry-standard algorithms. All communications are encrypted via TLS/HTTPS. We enforce rate limiting and automated abuse prevention on all endpoints. Security headers are active on all responses.
6. Data Sharing
We share data only with the following service providers, strictly for operating Smallprint:
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting, database, CDN, security | All service data |
| Lemon Squeezy | Payment processing | Email, name, billing info |
| Resend | Transactional emails | Email address, name |
| Google | OAuth authentication | Email, name (only if you use Google sign-in) |
We do not share your data with any other third parties.
7. Pseudonymized and Aggregated Data — Comparative Studies
Smallprint runs an internal comparative study pipeline that helps us answer questions like "how does this health insurance contract compare to the typical contract offered to a self-employed developer in the Syntec collective agreement earning 60k€?" To do that, we process analyzed contracts alongside anonymized client profile data.
What we retain and process
- The structured output of the analysis (scores, clauses, coverage amounts, contract structure)
- Profile dimensions used for matching: professional status (TNS/PL/employed...), IDCC code, CCN, household structure (marital status, children count), broad revenue bracket
What we strip before running any comparative study
- Names, e-mail addresses, phone numbers
- Physical and billing addresses
- SIRET numbers of individual clients
- Free-text notes written by the broker on the client profile
This is pseudonymization, not full anonymization: a stable internal token replaces identifying fields so the same client's contracts can be tracked over time without exposing who they are. The mapping between the token and the original identifiers stays encrypted on our side and is never used for comparative studies.
Your right to opt out
Participation in comparative studies is a separate, optional consent collected at signup. You can withdraw it at any time by writing to [email protected] — we will exclude your data from future comparative studies within 30 days and remove historical references where technically possible.
Regardless of your consent, we also compute aggregated, fully anonymized statistics (e.g. "the average coverage gap on dental care is X%") for public display. This data cannot be traced back to any individual user or document.
8. Data Retention
- Account data: retained as long as your account is active. Deleted within 30 days of account deletion request.
- Document data: retained as long as your account is active. You can delete individual documents from your dashboard.
- Analysis results: retained as long as the associated document exists.
- Anonymized company data: retained indefinitely (cannot be linked to you).
- Server logs: retained for 30 days for security purposes.
- Billing data: retained for the duration required by French tax law (10 years for invoices).
9. Your Rights (GDPR)
As a user in the EU, you have the right to:
- Access: request a copy of your personal data
- Rectification: correct inaccurate personal data
- Erasure: request deletion of your personal data ("right to be forgotten")
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Restriction: request limitation of processing
- Withdraw consent: where processing is based on consent
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the French data protection authority (CNIL): https://www.cnil.fr
10. Cookies
Smallprint uses only essential cookies required for the service to function: authentication and security. We do not use advertising cookies, tracking cookies, or analytics cookies that identify individual users.
11. International Transfers & Sub-processors
Your data is processed by the following sub-processors. We have verified that each provides adequate safeguards for personal data protection under GDPR:
| Sub-processor | Role | Location | DPA |
|---|---|---|---|
| Cloudflare, Inc. | Hosting and infrastructure | EU (Western Europe) | Cloudflare DPA |
| Anthropic, PBC | AI contract analysis (Claude API) | United States | Anthropic DPA |
| Resend, Inc. | Transactional email | United States | Resend Privacy |
| Google Ireland Ltd | OAuth authentication | Ireland/US | Google DPA |
Transfer mechanisms: All US-based sub-processors are covered by Standard Contractual Clauses (SCCs) incorporated in their respective DPAs, and/or certified under the EU-US Data Privacy Framework.
Zero data retention at Anthropic: When Smallprint calls the Claude API to analyze your documents, Anthropic processes the request in real time and does not store the documents on its side, nor does it use them to train its own AI models. This is Anthropic's contractual commitment (see Anthropic's Commercial Terms). This paragraph only describes what Anthropic does. Smallprint itself retains the analyzed documents and structured output on its own infrastructure for the duration of your subscription (see sections 3, 7, and 8).
Data localization: We configure our infrastructure to process and store data in European data centers whenever technically possible.
12. Children
Smallprint is not intended for users under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us at [email protected].
13. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Correct inaccurate personal data
- Right to erasure: Request deletion of your account and all associated data (documents, analyses, profile)
- Right to data portability: Receive your data in a structured, machine-readable format (JSON export)
- Right to object: Object to processing based on legitimate interests
- Right to restriction: Request temporary restriction of processing
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
Data retention: We retain your data for the duration of your account. When you delete your account, all personal data, uploaded documents, and analysis results are permanently deleted within 30 days.
Data breach notification: In the event of a personal data breach likely to result in a risk to your rights, we will notify the CNIL within 72 hours and affected users without undue delay.
14. Legal Basis for Processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Performance of contract |
| Document analysis | Performance of contract |
| Payment processing | Performance of contract |
| Security (rate limiting, fraud prevention) | Legitimate interest |
| Service improvement (aggregated analytics) | Legitimate interest |
| Email communications (service updates) | Performance of contract |
| Marketing communications | Consent (opt-in) |
15. Data Protection Officer
Entity: Kunley SASU, France
Contact: [email protected]
Supervisory authority: CNIL — Commission Nationale de l'Informatique et des Libertés
Website: www.cnil.fr
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
16. Changes to This Policy
We may update this privacy policy from time to time. We will notify registered users of material changes by email. The "last updated" date at the top of this page will reflect the most recent revision.