Privacy Policy

We built Flag Red to be a tool you can trust with sensitive documents. This policy explains what we collect, why, and how we protect it.

Last updated: April 2026

At a glance

The short version

We collect only what is necessary to provide the service. We do not sell your data. We do not show you ads.

What we collect

Your email address, a hashed password, the documents you upload, and basic technical data such as your IP address and browser type.

Why we collect it

To create and authenticate your account, to run the contract analysis, and to process payments if you purchase a plan.

How long we keep it

Uploaded files are deleted after analysis is complete. Account data is retained while your account is active and deleted within 30 days of account deletion.

What we never do

We never sell your data, never use it for advertising, and never let any person on our team read your uploaded contracts.

Data collection

What personal data we collect and why

Account data

When you create an account, we collect your email address and a securely hashed version of your password. We never store your password in plain text.

You may also sign in via Google or Apple. In that case, we receive your name and email from the respective provider and do not receive or store your password.

Uploaded documents

Files you upload are transmitted securely over HTTPS, stored temporarily on AWS S3, and sent to our AI provider (OpenAI) solely to perform the contract analysis.

No person on our team reads your uploaded documents. Files are deleted after processing. Free-scan results are not saved to any account.

Payment data

Payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider. We never receive or store your credit card number, CVV, or bank details.

We retain a record of transactions (date, amount, plan) for accounting and support purposes.

Usage data

We collect standard server-side access logs that include your IP address, browser type, operating system, and pages visited. This data is used for security monitoring and service maintenance.

We do not use third-party analytics platforms such as Google Analytics. We do not show advertisements.

Sub-processors

Third-party services we use

We share your data with the minimum number of trusted providers needed to operate the service. We do not share with any other party.

OpenAI

Uploaded document content

To perform the AI-powered contract analysis. OpenAI processes the document text and returns the risk assessment. Documents are not used to train OpenAI models under our enterprise agreement.

Amazon Web Services (AWS)

Uploaded files, account data

Cloud infrastructure and secure file storage (S3). Data is stored in AWS data centers under their security and compliance standards.

Stripe

Payment details, email address

Secure payment processing and subscription management. Stripe handles all payment card data. We never receive your card number.

Google (SSO only)

Name, email address

Optional: if you choose to sign in with Google, we receive your name and email address from Google to create or authenticate your account. Only used if you initiate Google sign-in.

Apple (SSO only)

Name, email address

Optional: if you choose to sign in with Apple, we receive your name and email address from Apple to create or authenticate your account. Only used if you initiate Apple sign-in.

GDPR and privacy rights

Your rights over your data

Regardless of where you are located, we respect your right to control your personal data.

Access

Request a copy of all personal data we hold about you.

Rectification

Ask us to correct any inaccurate or incomplete data.

Erasure

Request deletion of your account and all associated personal data. You can also delete your account directly from Settings.

Object

Object to processing based on legitimate interests.

Restriction

Ask us to restrict processing of your data in certain circumstances.

Portability

Receive your personal data in a structured, machine-readable format.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Cookies

We use a single session cookie to keep you logged in. This cookie expires after 30 minutes of inactivity and contains no personal information.

We do not use tracking cookies, advertising cookies, or any third-party cookies. There is no cookie consent banner because there is nothing to consent to.

Retention

Uploaded files: deleted immediately after the analysis is complete. Account data (email, billing history): retained while your account is active, and deleted within 30 days of account closure.

Server logs are retained for up to 90 days for security purposes and then permanently deleted.

Data Controller

Company

Gimucco PTE LTD d.b.a. Flag Red
16 Raffles Quay
#33-03 Hong Leong Building
Singapore 048581

Contact

[email protected]

Changes to this policy

We may update this policy and will notify users of material changes by email or a notice on the site. The date at the top of this page reflects the most recent revision.


AI-assisted analysis. Not a substitute for legal advice.