Privacy Policy

TermGuard.ai Limited
Effective Date: 7 April 2026
Company Number: 17137884
termguard.ai


Plain English Summary: TermGuard scans Terms & Conditions so you don't have to. To do that, we collect the minimum personal data necessary: your email address to create an account, the URLs of documents you scan for billing purposes, and anonymous usage counts. We do not store the text of documents you scan. We do not sell your data. We do not use your data for advertising. This policy explains exactly what we collect, why, and who we share it with.


1. Who We Are

This Privacy Policy describes how TermGuard.ai Limited ("TermGuard", "we", "us", "our") collects, uses, stores, and shares personal data when you use our website at https://termguard.ai and our Chrome browser extension (together, the "Service").

Contact us at any time: privacy@termguard.ai


2. What Data We Collect and Why

We only collect data that is necessary to provide and improve the Service. The tables below set out each category of data, our legal basis for processing it, and how long we keep it.

2.1 Account Data

Data | Why we collect it | Legal basis | Retention
Email address | To create and manage your account, send transactional emails, and identify you across sessions | Contract performance | Until you delete your account, then 30 days
Name and profile photo (OAuth sign-in only) | Provided by Google or GitHub when you sign in with OAuth; used to identify your account | Contract performance | Until you delete your account, then 30 days
Password (email sign-in only) | To authenticate you | Contract performance | Stored as a one-way hash by Supabase; never in plaintext
Plan and subscription status | To enforce credit limits and gate features to your plan | Contract performance | Until you delete your account, then 30 days

2.2 Usage Data

Data | Why we collect it | Legal basis | Retention
URL of documents scanned | To display your usage history and enforce plan credit limits | Contract performance | 12 months from the date of the scan
Credit consumption per action (scan / chat) | To track your credit balance and display your usage history | Contract performance | 12 months
Timestamp of each action | To display usage history and detect abuse | Legitimate interests | 12 months

Important: We do not store the text content of documents you scan. Document text is transmitted to our AI provider for analysis and discarded immediately after a response is generated — typically within seconds. We never see, log, or retain the contents of the documents you scan.

2.3 Payment Data

Data | Why we collect it | Legal basis | Retention
Stripe customer ID | To link your account to your Stripe subscription | Contract performance | Until you delete your account, then 30 days
Subscription status and period dates | To know which plan you are on and when it renews | Contract performance | Until you delete your account, then 30 days

We never receive or store your card number, CVV, or bank details. All payment information is handled directly by Stripe — see Section 5.

2.4 Extension Data (Chrome Extension only)

Data | Why we collect it | Legal basis | Retention
Authentication token (JWT) and refresh token | Stored locally in chrome.storage.local to keep you signed in | Contract performance | On-device only; cleared on sign-out or account deletion
Last scan result and document text | Stored locally in chrome.storage.local so results persist if you close and reopen the panel | Contract performance | On-device only; cleared on sign-out or account deletion
User profile cache (email, plan, credit balance) | Stored locally to display account information without a network request on every open | Contract performance | On-device only; updated on each session
Auto-detect setting, dark mode preference, scan mode | Stored locally in chrome.storage.local to remember your preferences | Contract performance | On-device only; cleared on account deletion
Custom flags (Pro users) | Stored locally in chrome.storage.local to inject your personal rules into scans | Contract performance | On-device only
Offline feedback queue | Temporarily stored locally if feedback is submitted while offline; flushed to our servers on next sign-in | Consent | On-device only; cleared once transmitted
First-run disclosure acceptance | Stored locally to avoid showing the first-run disclosure panel on every launch | Legitimate interests | On-device only

The Extension reads the content of web pages you visit only when you actively initiate a scan or when auto-detect is enabled and the page is identified as a legal document. It does not monitor your general browsing activity.

2.5 Feedback Data

Data | Why we collect it | Legal basis | Retention
Feedback category, description, and page URL | Submitted voluntarily when you send feedback via the extension | Legitimate interests (product improvement) | Retained for as long as it remains relevant to product improvement, or until you request deletion
Plan and extension version at time of feedback | To contextualise feedback for product improvements | Legitimate interests | Retained for as long as it remains relevant to product improvement, or until you request deletion

2.6 Analytics Data (Website only)

Data | Why we collect it | Legal basis | Retention
Page views, button clicks, and install events | To understand how visitors use the website and improve the product | Consent (via cookie banner) | 12 months, then anonymised
Anonymised session data | To identify patterns in user journeys | Consent (via cookie banner) | 12 months, then anonymised

Analytics are collected using PostHog only if you accept cookies via the cookie consent banner on the website. If you reject cookies, no analytics data is collected. The extension does not use analytics.

2.7 Data We Do Not Collect

To be explicit, we do not collect:

  • The text content of documents you scan
  • Your browsing history or the URLs of pages you visit other than the document you choose to scan
  • Location data (GPS or inferred)
  • Voice recordings or biometric data
  • Data about you from third-party data brokers
  • Data about people who have not signed up for the Service

3. How We Use Your Data

We use your personal data only for the following purposes:

  • Providing the Service — authenticating you, processing scans and chat messages, enforcing credit limits, and displaying your usage history.
  • Managing your subscription — processing payments via Stripe, sending receipts and renewal reminders, and handling upgrades and cancellations.
  • Communicating with you — sending transactional emails (account registration, password resets, subscription events). We do not send marketing emails without your explicit consent.
  • Improving the Service — using anonymised, aggregated analytics (with consent) and voluntary feedback to understand how the Service is used and where it can be improved.
  • Security and fraud prevention — detecting and preventing abuse, unauthorised access, and credit circumvention.
  • Legal compliance — complying with applicable laws, responding to lawful requests from authorities, and enforcing our Terms of Service.

We do not:

  • sell your personal data to any third party
  • use your personal data for targeted advertising
  • use the contents of documents you scan for any purpose other than generating your scan result
  • use your data to train AI models

4. Legal Bases for Processing (GDPR / UK GDPR)

If you are located in the EU, EEA, or United Kingdom, we process your personal data under the following legal bases:

Processing activity | Legal basis
Creating and managing your account | Article 6(1)(b) — performance of a contract
Processing payments and enforcing plan limits | Article 6(1)(b) — performance of a contract
Sending transactional emails | Article 6(1)(b) — performance of a contract
Retaining usage records for 12 months | Article 6(1)(f) — legitimate interests (billing disputes, abuse prevention)
Analytics (PostHog, consent-gated) | Article 6(1)(a) — consent
Feedback data | Article 6(1)(f) — legitimate interests (product improvement)
Security and fraud prevention | Article 6(1)(f) — legitimate interests
Compliance with legal obligations | Article 6(1)(c) — legal obligation

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time — see Section 8.


5. Who We Share Your Data With

We do not sell your data. We share it only with the following third-party service providers ("sub-processors") as necessary to provide the Service:

Provider | Purpose | Data shared | Privacy policy
Supabase (Supabase Inc., USA) | Database, authentication, and backend infrastructure | Account data, usage data, subscription data | supabase.com/privacy
Anthropic (Anthropic, PBC, USA) | AI analysis of document text | Document text (not retained after response) | anthropic.com/legal/privacy
Stripe (Stripe, Inc., USA) | Payment processing | Email address, subscription details | stripe.com/privacy
Vercel (Vercel Inc., USA) | Website hosting | IP address, request logs | vercel.com/legal/privacy-policy
PostHog (PostHog Inc., USA) | Website analytics (consent-gated) | Anonymised usage events | posthog.com/privacy

All sub-processors are contractually required to process your data only for the purpose of providing their services to us, and to apply appropriate security measures. Where required by applicable law, we have entered into Data Processing Agreements with each sub-processor.

We may also disclose your data to:

  • Law enforcement or regulatory authorities — where required by applicable law or a valid legal order. We will notify you of such requests where legally permitted to do so.
  • Successors — in the event of a merger, acquisition, or sale of substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

TermGuard.ai Limited is incorporated in England and Wales. Our sub-processors (listed in Section 5) are based in the United States. When we transfer your personal data from the UK or EU/EEA to the US, we rely on the following transfer mechanisms:

  • Supabase: Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) where applicable.
  • Anthropic: Standard Contractual Clauses; we have also entered into a Data Processing Agreement with Anthropic.
  • Stripe: Stripe is certified under the EU-US Data Privacy Framework and complies with the UK equivalent.
  • Vercel: Standard Contractual Clauses.
  • PostHog: PostHog offers EU-hosted data storage; we use their EU region. Standard Contractual Clauses apply regardless.

You may request a copy of the relevant transfer safeguards by contacting privacy@termguard.ai.

You found it. Email easteregg@termguard.ai with the email address linked to your TermGuard account and we will add 50 free credits — one claim per account.


7. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service, subject to the specific retention periods set out in Section 2.

On account deletion:

  • Account data (email, name, profile photo, plan) is deleted within 30 days.
  • Usage records (URLs, credit consumption, timestamps) are retained for up to 12 months from the date they were created, then automatically deleted. On account deletion, any remaining usage records are also deleted within 30 days.
  • Feedback data is retained for as long as it remains relevant to product improvement, or until you request deletion by contacting privacy@termguard.ai.
  • Payment records (Stripe customer ID, subscription history) are retained for 7 years where required by tax and accounting laws, after which they are deleted.
  • Data held by sub-processors is subject to their own retention policies; however we instruct them to delete your data on account deletion where technically feasible.

We do not retain backups containing your personal data beyond 90 days of the backup creation date.


8. Your Rights

Depending on where you are located, you have some or all of the following rights regarding your personal data:

Right | Description | How to exercise
Access | Request a copy of the personal data we hold about you | Email privacy@termguard.ai
Rectification | Ask us to correct inaccurate or incomplete data | Email privacy@termguard.ai
Erasure | Ask us to delete your personal data | Use the "Delete Account" button in your dashboard, or email privacy@termguard.ai
Restriction | Ask us to restrict processing of your data in certain circumstances | Email privacy@termguard.ai
Portability | Receive your data in a structured, machine-readable format | Email privacy@termguard.ai
Objection | Object to processing based on legitimate interests | Email privacy@termguard.ai
Withdraw consent | Withdraw consent for analytics at any time | Clear your browser's local storage, or reject cookies via the cookie banner

We will respond to all rights requests within 30 days. We may ask you to verify your identity before acting on a request.

EU/EEA users: You have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.

UK users: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

California users (CCPA/CPRA): You have the right to know, delete, correct, opt out of sale/sharing, and not be discriminated against. We do not sell or share personal information as defined under the CCPA. To exercise your California rights, contact privacy@termguard.ai.


9. Cookies and Tracking

Website

We use the following cookies on the website:

Cookie | Type | Purpose | Duration
Supabase auth session cookie | Strictly necessary | Maintains your login session | Session / 7 days
PostHog analytics cookies | Analytics (consent required) | Tracks page views and interactions for product improvement | 1 year

We do not use advertising cookies or third-party tracking pixels.

You can control cookies through:

  • The cookie consent banner displayed on your first visit to the website
  • Your browser settings — most browsers allow you to block or delete cookies
  • Clearing your browser's local storage to withdraw PostHog consent

Chrome Extension

The Extension does not use cookies. It stores data locally using the Chrome storage.local API — this data does not leave your device except as described in Section 2.4.


10. Security

We take the security of your personal data seriously and implement the following measures:

  • Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher.
  • Encryption at rest: Your account data is stored in Supabase, which encrypts data at rest using AES-256.
  • Authentication tokens: JWT tokens stored in the extension are stored using the Chrome storage.local API, which is sandboxed to the extension and not accessible by web pages.
  • Row-level security: Our database enforces row-level security policies so that API requests can only access the data belonging to the authenticated user.
  • No plaintext passwords: Passwords are hashed using bcrypt by Supabase Auth and are never stored or transmitted in plaintext.
  • Access controls: Administrative access to our database and infrastructure is restricted to named individuals and requires multi-factor authentication.

No method of transmission or storage is completely secure. If you believe your account has been compromised, please contact us immediately at privacy@termguard.ai.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by applicable law.


11. Children

The Service is not directed at anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us at privacy@termguard.ai and we will delete the account and associated data promptly.


12. Third-Party Links

The website and extension may contain links to third-party websites. This Privacy Policy does not apply to those sites. We are not responsible for the privacy practices of third-party websites and encourage you to read their privacy policies before providing any personal data.


13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the Service. When we make material changes:

  • We will post the updated policy at https://termguard.ai/privacy with a new effective date.
  • We will notify you by email to your registered address at least 30 days before the changes take effect, where the changes materially affect your rights.

Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, you may delete your account before they take effect.


14. Contact and Complaints

For any questions, concerns, or rights requests relating to this Privacy Policy or our handling of your personal data, please contact:

Email: privacy@termguard.ai
Company: TermGuard.ai Limited
Company No.: 17137884
Website: https://termguard.ai

We aim to respond to all enquiries within 5 business days and will resolve complaints within 30 days.

If you are not satisfied with our response, you have the right to escalate your complaint to your local data protection authority:

  • UK: Information Commissioner's Office — ico.org.uk
  • EU/EEA: Your national supervisory authority — edpb.europa.eu
  • USA (California): California Privacy Protection Agency — cppa.ca.gov

© 2026 TermGuard.ai Limited. Company No. 17137884. Registered in England and Wales.
privacy@termguard.ai | https://termguard.ai