Last updated:

[REVIEW NEEDED] This document is an AI-drafted starting point and has not been reviewed by a lawyer. Do not publish without legal review.

1. Introduction

TheTerms (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights in relation to it.

This policy applies to the hosted Service at theterms.app. If you self-host TheTerms on your own infrastructure, this policy does not apply — you control all data and are responsible for your own privacy obligations.

[REVIEW NEEDED — confirm data controller identity and registered address]

2. Data We Collect

Account data. When you register, we collect your name, email address, and (if applicable) organisation name. OAuth sign-in via Google or Microsoft provides your email and display name.

Document and signing data. We store the documents, clauses, and versions you create. For signing events, we record the signer’s email address, IP address, user agent string, and timestamp for each action (clause accept/reject).

Usage data. We collect anonymised usage metrics including pages visited, features used, and error logs. This data cannot be used to identify individuals.

Communications. If you contact us by email, we retain that correspondence.

3. How We Use Your Data

We use your data to:

  • Provide, operate, and improve the Service
  • Send transactional emails (signing invitations, account notifications, password resets) via Resend
  • Respond to support requests
  • Comply with legal obligations
  • Detect and prevent fraud or abuse

We do not sell your personal data to third parties.

4. Data Storage and Security

Storage location. Your data is stored on servers located in [REVIEW NEEDED — confirm hosting region].

Security measures. We implement industry-standard security measures including encryption at rest and in transit (TLS), access controls, and regular security reviews. We follow responsible disclosure practices documented in our Security Policy.

Breach notification. In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by applicable law.

5. Third-Party Services

We use a limited number of third-party services:

Service | Purpose | Privacy Policy
Resend | Transactional email delivery | resend.com/privacy
[Hosting provider] | Cloud infrastructure | [REVIEW NEEDED]
Stripe | Payment processing (paid plans only) | stripe.com/privacy

We do not use advertising networks, social tracking pixels, or behavioural analytics.

6. Data Retention

Account data. Retained for as long as your account is active. Deleted within 30 days of account deletion.

Signing audit trail. Retained for 7 years to support legal enforceability of signed documents. [REVIEW NEEDED — confirm retention period meets your legal requirements]

Usage logs. Retained for 90 days, then permanently deleted.

7. Your Rights (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR / UK GDPR:

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Request correction of inaccurate personal data.
  • Erasure. Request deletion of your personal data (“right to be forgotten”).
  • Portability. Receive your data in a structured, machine-readable format.
  • Restriction. Request that we restrict processing of your data in certain circumstances.
  • Objection. Object to processing based on legitimate interests.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@theterms.app. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ico.org.uk).

8. Cookies

The Service uses strictly necessary cookies for session management and authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

[REVIEW NEEDED — audit actual cookie usage and update accordingly]

9. Self-Hosted Instances

If you deploy TheTerms on your own infrastructure using the open-source code (AGPL-3.0), no data is transmitted to us. You are the sole data controller for your deployment and are responsible for your own privacy obligations under applicable law.

10. Children’s Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, contact us at privacy@theterms.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service at least 14 days before the changes take effect.

12. Contact

For privacy-related enquiries:

  • Email: privacy@theterms.app
  • Data Protection Officer: [REVIEW NEEDED — appoint DPO if required]
  • Postal address: [REVIEW NEEDED — registered address]