Privacy Policy
Last updated: March 25, 2026
Termtool (“we,” “us,” or “our”) operates the Termtool platform at termtool.dev. This Privacy Policy describes how we collect, use, and protect information when you use our service.
1. Information We Collect
Account Information
When you create an account, we collect your email address and password (stored as a salted hash by our authentication provider, Supabase). We do not collect your name, phone number, or physical address unless you provide them voluntarily.
App Registration Data
When you register a Shopify app, we collect the app name, optional Shopify App ID, and the API scopes your app uses. This information is used solely to generate compliance documents tailored to your app's data access patterns.
Generated Policy Content
We generate privacy policies and terms of service based on your app's scopes. These generated documents are stored in association with your account for retrieval and regeneration.
Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. We retain only a Stripe customer ID to manage your subscription.
Usage Data
We collect standard web analytics (page views, feature usage) through Vercel Analytics. This data is aggregated and not linked to individual accounts.
2. How We Use Your Information
- To generate scope-aware compliance documents for your Shopify apps
- To process webhook events (GDPR data requests, customer/shop redactions)
- To manage your subscription and billing
- To send transactional emails (account verification, billing receipts, webhook alerts)
- To improve the service based on aggregated usage patterns
We do not sell, rent, or share your personal information with third parties for marketing purposes.
3. Third-Party Services
We use the following third-party services to operate Termtool:
- Supabase — Authentication and database hosting (data stored in AWS US regions)
- Stripe — Payment processing (PCI DSS Level 1 certified)
- Anthropic (Claude) — AI-powered policy generation (your scopes and app name are sent to generate policies; no customer PII is transmitted)
- Cloudflare — Webhook processing and CDN
- Vercel — Application hosting and analytics
- Resend — Transactional email delivery
Each provider processes data in accordance with its own privacy policy. We select providers that maintain appropriate security certifications and data handling practices.
4. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure.
- Generated policies: Retained while your account is active. Deleted with account closure.
- Webhook logs: Retained for 90 days for audit purposes, then automatically purged.
- Payment records: Retained as required by tax and financial regulations (typically 7 years).
5. Your Rights
All Users
- Access your personal data by logging into your account
- Request a copy of your data by emailing us
- Delete your account and associated data at any time
European Economic Area (GDPR)
If you are in the EEA, you have additional rights including data portability, rectification, restriction of processing, and the right to lodge a complaint with your local supervisory authority. Our legal basis for processing is contract performance (providing the service you signed up for) and legitimate interest (improving the service).
California (CCPA)
California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.
Canada (PIPEDA)
Canadian users have the right to access, correct, and challenge the handling of their personal information. We process data with meaningful consent and limit collection to what is necessary for the stated purposes.
6. Security
We implement industry-standard security measures including encrypted data transmission (TLS 1.3), encrypted data at rest, secure authentication via Supabase Auth, and HMAC signature verification on all incoming webhooks. App secrets are encrypted before storage.
7. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the service after changes constitutes acceptance.
8. Contact
For privacy-related inquiries, contact us at privacy@termtool.dev.