Privacy Notice (EU/EEA)
Version: 2026-03-19
Effective date: March 19, 2026
Controller/Processor: Jane Doe Communication AB (see section 1a)
1. Data Controller
Jane Doe Communication AB (org. no. 556663-5321) operates CLM Forge for business users and customer organizations.
Address: Björkvägen 20C, 191 41 Sollentuna, Sweden
Contact: info@janedoe.se
Veeva, Veeva Vault, and Veeva CLM are trademarks of their respective owners. CLM Forge is an independent software service and is not affiliated with, sponsored by, or endorsed by Veeva.
1a. Roles under GDPR (Controller vs. Processor)
CLM Forge is designed for business use. Depending on context, Jane Doe Communication AB may act as either a Data Controller or a Data Processor:
- Processor: When users upload and process files on behalf of a customer organization, Jane Doe Communication AB typically acts as a Data Processor and the customer organization acts as the Data Controller. Processing is then performed under documented instructions and (where applicable) a Data Processing Agreement (DPA).
- Controller: Jane Doe Communication AB acts as Data Controller for its own administrative data such as account administration, billing contacts, service communications, and security/abuse prevention for the platform.
2. Categories of Personal Data
- Account details: work email, username, role, and organization membership.
- Authentication/security logs: login timestamps, IP addresses, device/browser metadata.
- Operational/support records: support tickets and technical troubleshooting metadata.
- Legal acceptance records: accepted legal version, timestamp, and evidence metadata.
2a. Uploaded Files and Generated Outputs
CLM Forge processes uploaded files (for example PPTX and PDF) and generates outputs (for example previews, thumbnails, and packaged conversion results). These files may contain personal data if a customer includes it in the content.
Processing and storage of uploaded and generated files is limited by retention rules described in section 7, and access is restricted to authorised users within the relevant customer account.
In Local Runtime or hybrid deployments, uploaded source files and generated outputs may be processed and stored entirely within customer-controlled environments (for example local disk or customer-managed object storage). In such configurations, CLM Forge does not receive or store these files in its cloud infrastructure unless explicitly configured or agreed in writing.
2b. Cookies and Browser Storage
Authentication uses secure, strictly necessary cookies through our identity provider to keep users signed in and to protect account sessions. We also use browser local storage for interface state such as story bookmarks and settings.
CLM Forge does not use marketing, profiling, or behavioral analytics cookies by default. If non-essential cookies are introduced, users will receive a consent flow before those cookies are set.
See also our Cookie Notice.
2c. Online Metadata Processing
Regardless of deployment model, CLM Forge may process limited metadata through its online services to support authentication, account management, licensing validation, and service operations.
This metadata may include account identifiers, login and session information, usage events, and technical diagnostics required to operate and secure the service. It does not include customer-uploaded content unless explicitly configured.
3. Purposes and Legal Bases (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Provide core account and conversion service functionality. | Article 6(1)(b) contract performance. |
| Protect platform security, prevent abuse, and investigate incidents. | Article 6(1)(f) legitimate interests. |
| Comply with legal obligations and maintain audit/compliance evidence. | Article 6(1)(c) legal obligation. |
| Support requests and service reliability improvements. | Article 6(1)(b) and Article 6(1)(f). |
4. Strict Data Upload Rule (Default)
Users must not upload identifiable personal data for conversion workflows unless explicitly approved in a separate written agreement and controls are enabled.
CLM Forge is not intended for the processing of special categories of personal data under Article 9 GDPR (including health data or patient identifiers), unless explicitly agreed in a separate written agreement with appropriate controls enabled.
Examples of content that must not be uploaded by default include names tied to identifiable individuals, personal contact details, patient identifiers, insurance/security numbers, or any health-related details.
5. Recipients and Subprocessors
We disclose personal data only when needed to operate and secure the service, for example to:
- Supabase (authentication, database, and optional storage fallback infrastructure).
- Cloudflare (R2 object storage for uploaded/generated files when configured).
- Support and operational tooling providers under contract.
- Authorities or advisors where legally required.
A current list of subprocessors (including purpose and location) is available upon request and may also be included in a Data Processing Agreement (DPA) where applicable.
6. International Transfers
Where personal data is transferred outside the EEA, we use lawful transfer mechanisms such as adequacy decisions or Standard Contractual Clauses (SCCs) with supplementary safeguards where required.
6a. Security Measures
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, least-privilege administration, logging, and secure hosting infrastructure.
In the event of a personal data breach affecting customer data, we will notify the relevant controller without undue delay in accordance with GDPR Article 33.
6b. AI and Automated Processing
CLM Forge may use automation to extract metadata and generate conversion outputs from uploaded files. We do not use customer-uploaded files or generated outputs to train public machine learning models, unless explicitly agreed in writing.
7. Retention
We keep personal data only as long as needed for service delivery, security, and legal obligations.
- Account and access metadata: for the lifetime of the account and up to 12 months thereafter.
- Security logs: up to 12 months, unless a longer period is required to investigate incidents or comply with legal obligations.
- Legal acceptance records: retained for evidentiary purposes and up to 10 years where needed to meet limitation-period and compliance requirements.
- Uploaded and generated conversion artifacts are automatically cleaned up according to default retention windows, unless pinned or otherwise agreed in writing:
  - Preview/intermediate files: approximately 21 days.
  - Source files (PPTX, PDF, shared update zip): approximately 60 days.
  - Final deliverables (CSV, slide zips, result packages): approximately 180 days.
- Conversion run records may remain visible after associated files expire. If files expire, previews or downloads may become unavailable and re-upload or re-finalization may be required to regenerate them.
- If a project is deleted, associated runs and stored files are deleted as part of the deletion workflow. No long-term archival backup of customer-uploaded content is maintained beyond defined retention windows.
8. Your Rights
Subject to applicable law, you may request access, rectification, erasure, restriction, objection, and data portability.
If we process your data on behalf of your employer/customer, please contact your organization first as the primary controller.
Where we act as a Data Processor, we will assist the relevant controller (your organization) in responding to requests from data subjects, in accordance with applicable law and our Data Processing Agreement (DPA).
9. Complaints
You may lodge a complaint with your local supervisory authority. For Sweden, this is IMY (Integritetsskyddsmyndigheten).
10. Related Policies
This notice should be read together with our Terms of Use and Data Processing Agreement (DPA).
The Terms of Use also prohibit reverse engineering, scraping of non-public service data, and misuse of confidential information obtained through access to CLM Forge.
11. Contact
General contact: info@janedoe.se
Privacy contact: info@janedoe.se
Legal contact: info@janedoe.se
Security contact: info@janedoe.se