Privacy Policy
1. Who we are
TL;DR Terms (“we,” “our,” “us”) is a personal project operated by an individual based in California, USA. We provide a web application that summarizes and scores publicly available Terms & Conditions and Privacy Policies. For privacy inquiries, reach us at help@tldrterms.app.
2. Quick summary (for humans in a hurry)
Topic | What we actually do |
---|---|
Data collected | E-mail address (plus name/avatar if provided by OAuth) and strictly necessary authentication cookies. No analytics, ads, or tracking cookies. |
Why | To sign you in, run the analysis you request, save your results, and send essential account e-mails. |
Sharing | Only with the cloud services that power the app (Supabase, OpenAI, Vercel, Cloudflare). We never sell or rent data. |
Your rights | Access, correct, delete, export, or object at any time—just e-mail us. |
Retention | All personal data and stored analyses are deleted immediately when you delete your account. |
Security | TLS, encryption at rest, role-based access, least-privilege admin accounts. |
Kids | Under-13s may use the service only with parental consent. |
3. Data we collect and why
Category | What we collect | Purpose | Legal basis (GDPR) |
---|---|---|---|
Account data | | Create & maintain your account; authenticate you; send required transactional e-mails | Contract (Art. 6 (1)(b)) |
Authentication cookies | Supabase session token | Keep you logged in securely | Contract |
Content for analysis | Text we retrieve from the URL you provide or, if retrieval fails, text you paste manually | Generate the AI analysis you request and display past results | Contract |
IP addresses (passive) | Logged by Supabase & Cloudflare in security logs | Detect fraud and ensure service integrity | Legitimate interest (Art. 6 (1)(f)) |
Device & browser metadata | Browser user-agent, operating system, device type (sent automatically by your browser) | Debug service issues, ensure compatibility, and help prevent automated abuse | Legitimate interest (Art. 6 (1)(f)) |
Data-minimization pledge: We collect only the data listed above—nothing else. Each item is strictly needed to run TL;DR Terms or keep it safe. We never collect sensitive categories such as payment details, precise geolocation, or advertising IDs.
How we collect: (1) Directly from you when you sign up or submit a URL; (2) Automatically via essential cookies and standard HTTP headers; and (3) Passively in security logs created by our cloud providers.
4. How we use your data
- Run the service — sign you in, remember your session, and create your requested analysis.
- Communicate with you — send verification, password-reset, and critical service emails only.
- Protect the service — stop fraud, detect abuse, and secure our infrastructure.
- Improve reliability — debug crashes and ensure the site works on your browser/device.
We never use your data for marketing, profiling, or advertising.
5. Cookies & similar technologies
We use one first-party session cookie from Supabase that is essential for secure authentication. It expires automatically when you log out or after 7 days of inactivity. We do not set any analytics, advertising, or preference cookies.
6. Sharing and disclosure
We share personal data only with these service providers, strictly for the purposes described:
Provider | Role | Data shared | Safeguards |
---|---|---|---|
Supabase (USA/EU) | Authentication, database, storage | Account data, session cookies, submitted content, analysis results | SCCs, ISO 27001 |
OpenAI (USA) | Large-language-model processing | Extracted text (no account data) | SCCs, internal access controls |
Vercel (USA/EU) | Hosting & deployment | Encrypted database connections only | SCCs, ISO 27001 |
Cloudflare (Global CDN) | DNS, TLS, DDoS protection | IP addresses in edge logs | SCCs, SOC 2 |
6.2 Why we share
We share data only so these partners can do the job you expect:
- Supabase — authenticate you and store your account & submitted text.
- OpenAI — transform the text we fetch (or you paste) into an AI summary.
- Vercel — host the website and serve it quickly worldwide.
- Cloudflare — protect the site from attacks and deliver it via CDN.
They may not use your data for their own marketing or advertising.
7. International transfers
Our providers may process data in the United States or other countries. When data originates from the EU/UK, transfers rely on Standard Contractual Clauses (SCCs) or equivalent legal safeguards. You can request a copy via help@tldrterms.app. We monitor legal developments and will pause transfers or add extra safeguards if SCCs are no longer considered adequate.
8. Data retention
Data type | Retention period |
---|---|
Active accounts | We retain account data and analyses until you delete your account or 24 months of inactivity, whichever comes first. |
Deleted accounts | Erased immediately from live databases; encrypted backups purge automatically after 30 days. |
Server logs (IP addresses & metadata) | Kept for 30 days purely for security and troubleshooting, then deleted or fully anonymised. |
Technical backups | Encrypted daily; stored for 30 days before automatic deletion. |
Support emails | Kept for up to 12 months to resolve ongoing issues, then deleted. |
9. Security measures
- TLS 1.3 for every connection
- AES-256 encryption at rest for databases and object storage
- Firewall & web-application firewall (WAF) on every edge location
- Two-factor authentication for all admin accounts
- Role-based access controls & least-privilege API keys
- Daily encrypted backups stored in a separate region (kept 30 days)
- Annual third-party penetration tests & coordinated bug-bounty program
- Continuous dependency monitoring & prompt patching
While we work hard to protect your data, no online service can guarantee absolute security. Use a strong, unique password.
10. Your privacy rights
You have full control of your data. Here’s how to act:
- Access & portability — Email help@tldrterms.app with subject line “Data Access.” We’ll send you a portable JSON export within 7 days.
- Correction — Use the account settings page to update your email/name, or email us with “Correction Request.” We update within 7 days.
- Deletion — Click “Delete account” in settings or email “Delete My Data.” We’ll wipe live records instantly and purge backups within 30 days.
- Restrict/Object — Email “Restriction Request” to pause processing while we investigate.
We never send marketing emails, so there’s nothing to opt out of. Transactional emails (security, password reset) are essential and cannot be disabled.
11. Children’s privacy
TL;DR Terms is not aimed at kids, but young programmers might still visit. If you’re under 13, you must have a parent or guardian create and manage the account. We never ask for more than an email. If we learn we’ve stored personal info from a child without consent, we delete it within 48 hours. Parents can email help@tldrterms.app any time to review or erase a child’s data.
12. Changes to this Privacy Policy
We sometimes update this policy to cover new features or changes in the law. We’ll email every account holder and show an in-app banner at least 30 days before a material change takes effect. The effective date at the top tells you which version you’re reading. If you don’t agree, simply delete your account before the new version starts.
13. Contact us
For privacy inquiries, reach us at help@tldrterms.app.
We strive to resolve privacy issues promptly and transparently.