TermPeek Privacy Policy
Effective date: May 8, 2026; Last updated: May 8, 2026; Version: 1.0
This Privacy Policy explains how TermPeek ("TermPeek", "we", "our", or "us") collects, uses, discloses, and protects personal information when you use the TermPeek browser extension and related services (the "Service").
TermPeek is an informational tool that analyzes legal documents you encounter — such as Terms of Service, privacy policies, and contracts — and provides plain-language summaries. TermPeek is an informational tool, not a legal service. Nothing generated by TermPeek is legal advice. For details on this positioning, see our Terms of Service.
1. Who we are
TermPeek is operated by an individual controller based in Mexico. See Section 15 for controller identity and direct privacy contact.
If you are in the European Economic Area, the United Kingdom, or Switzerland, and you prefer to direct inquiries to a local representative, contact us via the channel in Section 15 and we will provide applicable routing.
2. Summary (you can read this in 30 seconds)
- We do not store the documents you analyze. Their text is sent to our AI processor for analysis and is not retained after the analysis completes.
- We do not require an account, email address, or login. To use the free tier, you do not share any personal identifier beyond an anonymous device identifier.
- We do not sell or share personal information for cross-context behavioral advertising.
- We use three subprocessors for AI analysis, backend infrastructure, and payments (the latter only for Pro subscribers), named in Section 5.
- If you upgrade to Pro, Polar (our payment processor and merchant of record) collects the minimum payment data it needs; that information never reaches TermPeek's servers.
- You have rights depending on where you live: ARCO rights (Mexico), CCPA rights (California), GDPR rights (European Economic Area, UK), and equivalent rights in other jurisdictions. See Section 8.
3. What we collect and why
We group the data we handle by how it is generated and where it lives. We only handle what we need to provide the Service.
3.1 Data stored locally in your browser (chrome.storage.local)
This data lives only in your browser's extension storage. It never leaves your device unless we explicitly mention transmission below.
| Data | Purpose | Retention |
|---|---|---|
| Anonymous device identifier (UUID) | Identify your installation for subscription status without requiring an account | Life of the extension installation. Cleared when the extension is uninstalled. |
| Monthly usage counter | Enforce the Free tier limit (5 analyses per month) | Resets monthly. Cleared when the extension is uninstalled. |
| UI locale preference (detected from your browser) | Display the extension in your language | Re-detected per session from your browser settings. |
| Lifetime successful-analysis counter | Time the review-prompt correctly (after the 3rd successful analysis) | Life of the extension installation. |
| Onboarding and banner flags | Remember which one-time banners you have seen | Life of the extension installation. |
3.2 Document content that you analyze
When you trigger an analysis (via context menu or popup), the text extracted from the page you are viewing is transmitted to our backend (Cloudflare Worker) and forwarded to our AI subprocessor (Anthropic) for analysis.
- The extracted text is processed in real time via streaming, and is not stored on TermPeek's systems after the stream completes.
- The analysis result (risk score, issue list, summaries) is sent back to your browser and displayed in the side panel. The result is held in your browser's memory and is discarded when you close the browser.
- We do not keep server logs containing the document text.
- Anthropic retention (subprocessor). Although TermPeek does not retain the document on its own systems, our AI subprocessor (Anthropic) may retain the analysis input and output for a limited period — generally up to 30 days — for abuse detection, incident response, and service reliability, under its own retention policy and Data Processing Addendum. See Section 5 for the subprocessor's safeguards and Section 9 for the consolidated retention summary.
- Content you choose to submit. TermPeek does not actively collect special categories of personal data (see Section 3.5). However, the document text you choose to submit for analysis may incidentally contain sensitive information (for example, health, financial, or identity data). Any such content is processed solely to provide the requested analysis and is not used by TermPeek for any other purpose.
If the document you are viewing exceeds our analysis cap (60,000 characters), only the first portion up to the cap is analyzed; a banner in the extension notifies you of the truncation.
3.3 Network and infrastructure data (Cloudflare)
Our backend Worker runs on Cloudflare. Cloudflare processes the following as part of delivering the Service:
| Data | Purpose | Retention |
|---|---|---|
| Your IP address | Rate limiting (20 requests per minute), abuse prevention, and standard operational logging | Cloudflare's standard operational retention (see Cloudflare's Privacy Policy). We do not retain full IP addresses in TermPeek's own logs; only truncated forms are used where retention is needed. |
| Request metadata (timestamp, endpoint, response status) | Operational monitoring | Cloudflare's standard operational retention. |
| Subscription status cache | Speed up verification of Pro status without calling Polar on every request (5-minute TTL) | 5 minutes in Cloudflare KV storage, then re-verified. |
| Anti-abuse telemetry hash (irreversible cryptographic hash of automatic request metadata — see paragraph below) | Detect repeated reinstallations of the extension by the same device that would otherwise reset your monthly Free-tier counter; protect the long-term sustainability of the Free tier for legitimate users | 30 days in Cloudflare KV storage, then automatically purged. We never store the raw request metadata — only the irreversible hash output. |
About the anti-abuse telemetry hash. When you submit a document for analysis, our Worker computes an irreversible cryptographic hash from a fixed set of technical metadata that your browser and the network send automatically with every HTTP request (your IP address, User-Agent, browser hints, language preference, and the country and network operator that Cloudflare derives server-side). The hash is stored in our Cloudflare KV storage alongside your anonymous device identifier (UUID) and the calendar month, with a 30-day automatic expiration. This hash is used only to protect the Free tier from abuse and does not block, throttle, or alter your analysis in any way. We do not use it for advertising, behavioral profiling, cross-site tracking, identification of you as a person, or any purpose beyond protecting the Free tier from abuse. The legal basis is described in Section 6, the retention summary in Section 9, and your right to object in Section 8.3.
3.4 Payment data (Pro subscribers only, processed by Polar)
If you upgrade to Pro, you go through a checkout page hosted by Polar (our payment processor and merchant of record). Polar collects:
- Email address
- Name (if you choose to provide one)
- Payment method details (card, etc.)
- Billing country for tax purposes
TermPeek does not receive or store your payment method details. Polar tells us only:
- That a subscription is active for your anonymous device identifier
- Subscription status changes (canceled, renewed, failed payment)
Email and payment details stay with Polar. See Polar's Privacy Policy for details of Polar's own processing.
3.5 What we do not collect
- We do not collect your email address in the Free tier (no account is required).
- No cross-site tracking or behavioral advertising. We do not engage in cross-site tracking, we do not build behavioral profiles, and we do not use tracking cookies, web beacons, pixel tags, client-side fingerprinting techniques (such as canvas fingerprinting, WebGL fingerprinting, audio probing, font enumeration, or any JavaScript-based extraction of device entropy from your browser), or third-party analytics for advertising. We do not monitor which websites you visit outside of analyses you explicitly trigger. The anonymous device identifier and monthly usage counter described in Section 3.1 are local-only technical signals that enable subscription verification and the Free-tier limit — they are not used to track you across sites or to build a profile of your behavior. The server-side anti-abuse telemetry hash described in Section 3.3 is a separate, narrow-purpose technical measure: it processes only HTTP request headers your browser already sends automatically (no JavaScript runs in your browser to collect additional data), it is irreversible, it is purged after 30 days, and it is used solely to detect Free-tier abuse — never for tracking, profiling, or advertising.
- We do not collect precise geolocation.
- Special categories of personal data. We do not actively collect special categories of personal data (such as health, biometric, genetic, financial identifiers, or neural data). However, the content you choose to submit for analysis may incidentally include such information. As described in Section 3.2, anything you submit is processed solely to provide the requested analysis and is not used by TermPeek for any other purpose.
4. How we use AI
TermPeek uses artificial intelligence to analyze legal documents. Specifically:
- Provider: Anthropic (Claude API). The model used is a Claude Haiku version (currently claude-haiku-4-5); the specific model may change over time with product updates.
- Country of processing: Anthropic's infrastructure is located primarily in the United States.
- What the AI does: generates the risk score (1–10), category-by-category summaries of problematic clauses, plain-language explanations, and impact statements, based on the document text you submit.
- What the AI does not do: provide legal advice, make significant automated decisions about you (it does not decide your credit, housing, employment, education, healthcare, or insurance eligibility), or profile your behavior for advertising. TermPeek's AI analyzes the text of legal documents — not you. It does not build behavioral profiles of individual users, does not infer attributes about you, and is not used to make decisions about you as a person. See Section 3.5 for related limits on what we collect, and Sections 8.2 and 8.3 for the corresponding CCPA (ADMT) and GDPR (Art. 22) positions.
- Transparency (EU AI Act Art. 50(1) and Korean AI Basic Act Art. 31(1)): You are informed that you are interacting with an AI system both in our welcome tab at first install and persistently in the side panel footer where analyses appear. This notice fulfills the transparency obligation under Art. 50(1) of Regulation (EU) 2024/1689 (EU AI Act), applicable from 2 August 2026, and under Article 31(1) of the Framework Act on Artificial Intelligence Development and Establishment of a Foundation for Trustworthiness (인공지능 기본법, Korean AI Basic Act), effective from 22 January 2026.
- Human oversight: TermPeek does not re-train or fine-tune the underlying AI model based on the documents you analyze. Anthropic's own use of API data is governed by the Anthropic Data Processing Addendum and is limited to abuse detection, incident response, and service reliability — not model training — as of the effective date of this Policy.
For more detail on the limits of AI analysis, see our in-product disclaimer in the welcome tab and our Terms of Service.
5. Subprocessors
We rely on three subprocessors to operate the Service. A subprocessor is a third party we engage to process personal information on our behalf.
| Subprocessor | Purpose | Data it processes | Country/region | Safeguards |
|---|---|---|---|---|
| Anthropic PBC | AI analysis of document text | Document text (streaming only, not retained by us), anonymous device identifier for rate abuse correlation | United States (primary) | Anthropic Data Processing Addendum incorporating EU Standard Contractual Clauses (Modules Two and Three) for international transfers. SOC 2 Type II. Anthropic Privacy Policy |
| Cloudflare, Inc. | Backend infrastructure (Workers, KV storage, custom domain routing, rate limiting) | IP address (operational logs), subscription status cache (5-minute TTL), request metadata | Global Cloudflare edge network | Cloudflare Data Processing Addendum + EU SCCs. ISO 27001, SOC 2 Type II. Cloudflare Privacy Policy |
| Polar Software B.V. | Payment processing, subscription management, merchant of record (handles taxes, fraud, and chargebacks) | Email, name, payment method, billing country (Pro subscribers only) | Netherlands (EU) | GDPR-compliant as EU-based processor. Polar Privacy Policy |
We will notify you of changes to our subprocessors with at least 15 days' notice via an in-product banner and by updating this Privacy Policy. Your continued use of the Service after such notice constitutes acceptance of the change.
6. Legal bases for processing (EEA, UK, Switzerland)
Where GDPR or UK GDPR applies, we process your personal data under the following legal bases (Art. 6 GDPR):
| Processing activity | Legal basis |
|---|---|
| Running the extension (device identifier, usage counter, locale preference) | Legitimate interests (Art. 6(1)(f)): operating the Service you requested when you installed the extension. |
| Analyzing documents you submit | Performance of a contract (Art. 6(1)(b)): delivering the analysis you requested. |
| Rate limiting and abuse prevention (IP logging by Cloudflare) | Legitimate interests (Art. 6(1)(f)): protecting the Service from abuse. |
| Anti-abuse telemetry hash (server-side cryptographic hash of automatic request metadata stored in Cloudflare KV, 30-day TTL — see Section 3.3) | Legitimate interests (Art. 6(1)(f)): preserving the long-term sustainability of the Free tier by detecting reinstall-based Free-tier abuse without imposing a friction-heavy alternative (such as mandatory account creation or device fingerprinting via consent banners). The processing is telemetry-only; it does not produce automated decisions that have legal or similarly significant effects on you (Art. 22 not triggered — see Section 8.3). |
| Processing payment data via Polar (Pro subscribers) | Performance of a contract (Art. 6(1)(b)): providing the paid subscription you purchased. |
| Notifying you of material changes to this Policy | Legal obligation (Art. 6(1)(c)): complying with GDPR Art. 13/14 transparency. |
We do not primarily rely on consent (Art. 6(1)(a)) as the legal basis, because the processing above is necessary to provide the Service you requested. That said, certain voluntary actions you take — such as submitting content for analysis — may constitute an affirmative action that legitimizes the corresponding processing.
For processing grounded in legitimate interests (Art. 6(1)(f)), we have weighed our interest in operating and protecting the Service against your rights and freedoms and concluded that the minimal data involved (anonymous device identifier, monthly usage counter, operational logs including truncated IP data used only for rate limiting and abuse prevention, and the irreversible anti-abuse telemetry hash described in Section 3.3, which stores only the hash output for 30 days and never the raw request metadata) does not override those rights. We do not engage in behavioral profiling or cross-site tracking (see Section 3.5). You have the right to object at any time to processing based on legitimate interests under Art. 21 GDPR; see Section 8.3 for how to exercise this right.
We do not actively process special categories of data (Art. 9 GDPR); see Section 3.5 for how content you submit is handled where it may incidentally include such data.
7. International transfers
TermPeek's Service involves transfers of personal data to the United States (Anthropic) and globally (Cloudflare edge network). Where the transfer is out of the EEA, UK, or Switzerland, we rely on:
- EU Standard Contractual Clauses (SCCs) — Modules Two (controller-to-processor) and Three (processor-to-processor), as incorporated in Anthropic's and Cloudflare's Data Processing Addenda.
- Supplementary measures as applicable, including encryption in transit (TLS 1.3) and encryption at rest where supported by the subprocessor.
- Cloudflare's network architecture routes data to the nearest healthy edge, which for EU users typically keeps request handling within the EU — though ephemeral transfers to other regions may occur.
Polar (our payment processor) is based in the Netherlands and is within the EU; Pro subscriber payment data does not leave the EU as part of Polar's standard processing.
For users in Mexico: transfers to Anthropic (US) and Cloudflare (global) are covered under LFPDPPP 2025 Art. 29-31, with your implicit authorization for transfers strictly necessary to provide the Service, as disclosed in this Privacy Notice.
For users in Japan (APPI Article 28(2)): when we transfer your personal information to Anthropic PBC (United States), we disclose the following as required by APPI Article 28(2):
- (i) Country of the recipient: the United States.
- (ii) Personal information protection system in the recipient country: the United States does not have a comprehensive federal data protection law equivalent to APPI; sectoral laws and state laws apply, including the California Consumer Privacy Act (CCPA/CPRA) and similar regimes in other states. The U.S. is not currently designated by the PPC as a country with an equivalent data protection level under APPI Article 28(1).
- (iii) Measures the recipient implements: Anthropic PBC has implemented organizational and technical measures including (a) the Anthropic Data Processing Addendum, which incorporates EU Standard Contractual Clauses (Modules Two and Three) for international transfers; (b) SOC 2 Type II certification; and (c) the no-training commitment described in Sections 4 and 5 of this Policy. For details, see Anthropic's Privacy Policy and the Anthropic Data Processing Addendum.
By using the Service, you consent to this transfer. The same disclosure applies to transfers to Cloudflare's global edge network (operated by Cloudflare, Inc., United States), with the additional measure of Cloudflare's ISO 27001 and SOC 2 Type II certifications and Cloudflare's Data Processing Addendum incorporating EU Standard Contractual Clauses.
For users in South Korea (PIPA Article 28-8, effective since 15 September 2023): when we transfer your personal information to Anthropic PBC (United States), we disclose the following as required by PIPA Article 28-8(1):
- Recipient: Anthropic PBC.
- Country of the recipient: the United States.
- Purpose of the transfer: AI-based analysis of the document text you submit, generating the risk score and category-by-category summaries described in Section 4 of this Policy.
- Items of personal information transferred: the document text content you submit, the anonymous device identifier (UUID), and your language preference (locale).
- Recipient's retention period: Anthropic generally retains API request and response data for up to 30 days, as described in Section 3.2 of this Policy.
- Procedure to withdraw consent: stop using the Service and uninstall the extension to terminate any further transfers. Note that withdrawal does not affect transfers already completed.
By using the Service, you consent to this transfer. The same disclosure applies to transfers to Cloudflare's global edge network (operated by Cloudflare, Inc., United States), where the items transferred are limited to operational data (IP address for rate limiting, subscription status cache, request metadata) and the retention period is consistent with the data retention summary in Section 9 of this Policy.
8. Your rights
Regardless of where you live, you have the right to contact us at privacy@termpeek.com with any question or request about your personal data. We will respond within the shortest of the applicable legal time limits (20 days under LFPDPPP, 30/45 days under GDPR, 45 days under CCPA).
Pseudonymous identifiers and practical limitations (Art. 11 GDPR and equivalents). TermPeek operates with pseudonymous identifiers (an anonymous UUID generated in your browser) and does not collect information that would allow us to identify you as a person. To exercise any right over the data linked to your use of the Service (Pro subscription status, anti-abuse telemetry hash), you must provide us with your anonymous device identifier (UUID) in your request. Without that additional information, we cannot link your request to specific data and the request may be denied under Art. 11(2) GDPR or equivalent provisions in other jurisdictions. The right to object to future processing (for example, to the anti-abuse hash) can be exercised without providing a UUID.
8.1 If you are in Mexico — ARCO rights (LFPDPPP 2025)
You have the right to:
- Access (Acceso) your personal data we hold and obtain information about its processing.
- Rectify (Rectificación) inaccurate, incomplete, or outdated personal data. In practice, the data we hold about you (Pro status, anti-abuse hash) consists of automatically derived metadata that is not rectifiable as a concept; payment data is handled by Polar.
- Cancel (Cancelación) your personal data from our systems (this may end your ability to use the Service).
- Object (Oposición) to specific processing activities, including processing that produces automated decisions with legal or significant adverse effects on you.
To exercise these rights, send a request to privacy@termpeek.com with: (a) your name and contact means for response; (b) the right you wish to exercise; (c) any data that helps us identify the processing you refer to (for example, the anonymous device identifier stored by your extension, available in the extension's settings view). We will respond within 20 business days as required by LFPDPPP Art. 32.
If you are dissatisfied with our response, you may file a complaint with the Secretaría Anticorrupción y Buen Gobierno (SABG), the Mexican federal authority for personal data protection under LFPDPPP 2025.
8.2 If you are in California — CCPA/CPRA rights
You have the right to:
- Know what personal information we have collected, used, and disclosed about you, including the categories, sources, and purposes.
- Delete your personal information we hold, subject to statutory exceptions.
- Correct inaccurate personal information we hold about you. In practice, the data we hold consists of automatically derived metadata that is not rectifiable as a concept.
- Opt out of sale or sharing of personal information (CCPA §1798.135). TermPeek does not sell or share personal information as those terms are defined by CCPA/CPRA, so this option does not apply to our current operations.
- Limit the use of sensitive personal information (SPI). We do not collect SPI as defined by CCPA/CPRA §1798.140(ae), so there is nothing to limit.
- Non-discrimination: we will not discriminate against you for exercising any CCPA right.
- Global Privacy Control (GPC): if your browser sends a valid GPC signal to termpeek.com, we will treat it as a valid opt-out of sale/sharing request where applicable. As stated above, TermPeek does not sell or share personal information, so in practice this signal does not change our operations.
To exercise these rights, contact privacy@termpeek.com. We will respond within 45 days. We may request information necessary to verify your request; for users without an account, verification may be limited to matching the anonymous device identifier you provide.
Automated Decision-Making Technology (ADMT) — California 2026 regulations: In our current assessment, TermPeek's use of AI does not constitute automated decision-making technology for "significant decisions" as that term is defined in the 2026 CCPA regulations (§7001(ooo)), because it does not produce legal effects and does not significantly affect users in a direct manner — it does not decide your access to financial services, housing, education, employment, independent contracting, healthcare services, or essential goods and services. The AI output is informational content that you review yourself. On that basis, the Pre-use Notice and opt-out requirements in §7220 et seq. do not currently apply to our use of AI. This assessment will be reviewed periodically as the regulatory landscape and the product's scope evolve, and this Policy will be updated accordingly if our position changes.
8.3 If you are in the European Economic Area, the United Kingdom, or Switzerland — GDPR rights
You have the right to:
- Access (Art. 15): obtain confirmation that we process your data and a copy of that data.
- Rectification (Art. 16): correct inaccurate or incomplete data. In practice, the data we hold consists of automatically derived metadata that is not rectifiable as a concept.
- Erasure / "right to be forgotten" (Art. 17): request deletion of the data linked to your UUID (Pro subscription status, anti-abuse telemetry hash) where legal grounds exist.
- Restriction of processing (Art. 18): request that we restrict the processing of the data linked to your UUID in the situations described in Art. 18 (contested accuracy, pending objection resolution, etc.).
- Data portability (Art. 20): receive data you provided in a structured, commonly used, machine-readable format (applies only to data processed on the basis of consent or contract). In practice, the only data we hold under a contractual basis is your Pro subscription status, which can be exported on request.
- Objection (Art. 21): object to processing based on legitimate interests, in particular the anti-abuse telemetry hash described in Section 3.3. We will assess the objection under the Art. 6(1)(f) balancing test and stop the relevant processing unless we can demonstrate compelling legitimate grounds.
- Not to be subject to a decision based solely on automated processing (Art. 22): TermPeek's AI analysis does not produce decisions that have legal or similarly significant effects on you, so Art. 22 obligations are not triggered.
- Lodge a complaint with a supervisory authority (Art. 77): you may contact the data protection authority in your EU/EEA country of residence, work, or the place of alleged infringement. For users in the UK, the Information Commissioner's Office (ICO). For users in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC).
To exercise these rights, contact privacy@termpeek.com. We will respond within 30 days (extendable to 60 days for complex requests under Art. 12(3) GDPR).
8.4 If you are in other U.S. states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, Montana, Iowa, Tennessee, etc.)
You have rights substantively equivalent to the California rights above, including access, deletion, correction, portability, and opt-out of targeted advertising / sale / profiling. We honor Universal Opt-Out Mechanism (UOOM) signals (including GPC) as applicable in states where they are required.
To exercise these rights, contact privacy@termpeek.com. We will respond within the applicable statutory period for your state (typically 45 days).
8.5 If you are in any other jurisdiction
You may contact us with any privacy request at privacy@termpeek.com. We will evaluate the request under applicable law and respond in good faith.
8.6 If you are in Japan — APPI rights (Act on the Protection of Personal Information)
If you reside in Japan, the Act on the Protection of Personal Information (個人情報保護法, "APPI") provides you with rights over your personal information that we hold or process about you, including:
- Disclosure (開示請求権, Article 33): request access to the personal information we hold about you and the purposes of its processing.
- Correction, addition, or deletion (訂正・追加・削除請求権, Article 34): request correction, addition, or deletion of personal information that is inaccurate. In practice, the data we hold consists of automatically derived metadata that is not correctable as a concept; deletion can be honored upon request.
- Cessation of use, deletion, or third-party provision (利用停止・消去・第三者提供停止請求権, Article 35): request that we stop using the personal information linked to your UUID (Pro subscription status, anti-abuse telemetry hash), delete it, or stop providing it to third parties, where the processing exceeds the disclosed purpose, was obtained unlawfully, or is otherwise grounds-based. TermPeek does not provide personal information to third parties under APPI Article 27 (our subprocessors named in Section 5 are entrusted processors, not third-party recipients).
To exercise these rights, send a request to privacy@termpeek.com. We will respond without undue delay as required by APPI Article 38.
The supervisory authority is the Personal Information Protection Commission (個人情報保護委員会, "PPC"), which you may contact at https://www.ppc.go.jp/.
For details on the cross-border transfer of your personal information to Anthropic (United States) — limited to the document content you submit for analysis, processed in real time and not retained by TermPeek — and Cloudflare (global edge network) — limited to standard HTTP request metadata that your browser sends to any web service you interact with, plus the anti-abuse hash described in Section 3.3 — including the country of the recipient, the data protection system in that country, and the measures the recipient implements as required by APPI Article 28(2), see Section 7 of this Policy.
8.7 If you are in South Korea — PIPA rights (Personal Information Protection Act) and Korean AI Basic Act
If you reside in South Korea, the Personal Information Protection Act (개인정보 보호법, "PIPA") provides you with rights over your personal information, including:
- Right to inspection (열람권, Article 35): request access to the personal information we hold about you and information about its processing.
- Right to correction or deletion (정정·삭제권, Article 36): request correction or deletion of inaccurate or improperly collected personal information. In practice, the data we hold consists of automatically derived metadata that is not correctable as a concept; deletion can be honored upon request.
- Right to suspension of processing (처리정지권, Article 37): request suspension of the processing of the personal information linked to your UUID, in particular the anti-abuse telemetry hash described in Section 3.3 (processed under legitimate interest). We will assess the request under the applicable PIPA grounds and stop the relevant processing unless we can demonstrate compelling legitimate grounds.
- Right to be informed and to withdraw consent (Articles 15 and 22): request information about how your data is processed and withdraw consent where the processing relies on it. In practice, TermPeek processes data under legitimate interest (PIPA Art. 15(1)(4)) and contractual basis (Pro subscription), not under consent, so the withdraw-consent right does not apply to our current operations. The right to be informed is fulfilled by this Policy.
To exercise these rights, send a request to privacy@termpeek.com. We will respond within 10 days as required by PIPA Article 35(3) (extendable up to 10 additional days where justified).
The supervisory authority is the Personal Information Protection Commission (개인정보보호위원회, "PIPC"), which you may contact at https://www.pipc.go.kr/.
For details on the cross-border transfer of your personal information to Anthropic (United States) — limited to the document content you submit for analysis, processed in real time and not retained by TermPeek — and Cloudflare (global edge network) — limited to standard HTTP request metadata that your browser sends to any web service you interact with, plus the anti-abuse hash described in Section 3.3 — including the recipient, the country, the purpose, the items of personal information transferred, the recipient's retention period, and the procedure to withdraw your consent as required by PIPA Article 28-8 (effective since 15 September 2023), see Section 7 of this Policy.
Korean AI Basic Act compliance. TermPeek qualifies as a generative AI service under the Framework Act on Artificial Intelligence Development and Establishment of a Foundation for Trustworthiness (인공지능 기본법, "Korean AI Basic Act," effective since 22 January 2026). The transparency notice described in Section 4 — informing you that you are interacting with an AI system at first install (in our welcome tab) and persistently in the side panel footer where analyses appear — also satisfies the transparency obligation under Article 31(1) of the Korean AI Basic Act for users in the Republic of Korea.
9. Data retention summary
| Category | Retention |
|---|---|
| Document content you analyze | Not retained on TermPeek's systems (streamed and discarded). Our AI subprocessor Anthropic may retain analysis input and output temporarily — generally up to 30 days — for abuse detection, incident response, and service reliability (see Sections 3.2 and 5). |
| Analysis result | Not retained on TermPeek's systems (sent to your browser for display; held in browser memory and discarded when you close the browser). Anthropic retention applies as described above. |
| Anonymous device identifier (UUID) | Life of the extension installation; cleared on uninstall |
| Monthly usage counter, onboarding flags | Life of the extension installation; cleared on uninstall |
| IP addresses (via Cloudflare logs) | Cloudflare's standard operational retention; we do not keep IPs in TermPeek's own logs |
| Subscription status (Cloudflare KV cache) | 5-minute TTL, then re-verified with Polar |
| Anti-abuse telemetry hash (Cloudflare KV) | 30 days from last activity, then automatically purged. We store only the irreversible hash output, never the raw request metadata used to compute it. See Section 3.3. |
| Payment data (via Polar) | Per Polar's retention policy |
| Privacy-related correspondence (emails you send us) | As long as required to handle your request + statutory records (up to 2 years) |
10. Children
TermPeek is not intended for use by anyone under 16 years of age, and we do not knowingly collect personal data from children under 16. If you believe a child under 16 has used the Service, contact us at privacy@termpeek.com and we will delete any data linked to that minor's anonymous device identifier (UUID), as described in Section 8 (Your rights). Document content analyzed by the minor is not retained by TermPeek (see Section 3.2).
This threshold (16+) applies globally and is consistent with:
- GDPR Art. 8 (minimum consent age for information society services — member states may set between 13 and 16; we apply the more protective 16 as a uniform global threshold).
- COPPA (US) — applies to children under 13; TermPeek's 16+ threshold is more protective.
- LFPDPPP 2025 and Mexican Civil Code — parental authority considerations.
11. Security
We use standard technical and organizational measures to protect your personal data:
- TLS 1.3 encryption in transit for all communication between the extension, our Worker, and our subprocessors.
- No persistent storage of document content on our servers.
- Subprocessor selection based on availability of SOC 2, ISO 27001, or equivalent third-party security certifications.
- Rate limiting (20 requests per minute per IP) at the Worker level to deter abuse.
- Principle of least privilege: the extension requests only the permissions strictly needed to operate (see the extension's manifest in the Chrome Web Store listing).
No system is perfectly secure. If you believe your data was accessed or used in a way that violates this Policy, contact us at privacy@termpeek.com immediately.
12. Storage technologies we use
TermPeek uses only chrome.storage.local, a browser-managed storage area that lives on your device and is cleared when the extension is uninstalled. We do not use:
- Tracking cookies, web beacons, or pixel tags
- chrome.storage.sync (which would sync data across your devices via Google)
- Third-party analytics SDKs
- Session recording tools
- Fingerprinting
If you visit termpeek.com (our website), standard website cookies may be used by Cloudflare for bot protection and caching. These do not track individual users across sites and are not used for advertising. The Polar checkout flow, hosted at polar.sh, sets its own cookies for payment functionality — see Polar's Privacy Policy for details.
13. Chrome Web Store Limited Use certification
In compliance with the Chrome Web Store Developer Program Policies, TermPeek's use of any data obtained through Chrome Web Store APIs is limited as follows:
- Use of data is limited to providing or improving TermPeek's single purpose: analyzing legal documents at the user's request and providing informational risk scoring and summaries.
- No transfer of user data to third parties except as strictly necessary to provide or improve TermPeek's single purpose, as part of a merger or acquisition after explicit prior consent, or to comply with applicable law.
- No use of user data for serving personalized advertisements.
- No sale of user data to data brokers or information resellers.
- No use of user data to determine creditworthiness or for lending purposes.
14. Changes to this Policy
We may update this Privacy Policy from time to time. When we make a material change — for example, adding a new subprocessor, changing the legal basis for processing, or expanding the categories of data we collect — we will:
- Update the "Last updated" date at the top of this Policy.
- Publish a summary of the change at the top of this Policy for at least 30 days after the update.
- If the change materially reduces your rights, we will provide at least 15 days' advance notice before the change takes effect.
Your continued use of the Service after a change takes effect indicates acceptance of the updated Policy. If you do not accept a change, your remedy is to stop using the Service and uninstall the extension.
15. Contact
For privacy questions, rights requests, or complaints: privacy@termpeek.com
Controller: Leonardo Villa Salcedo, residing in Mexico (operating as an individual controller).
Chief Privacy Officer / Data Protection Officer: Leonardo Villa Salcedo, in personal capacity, acting as the designated point of contact for privacy matters under PIPA Article 31 (Republic of Korea), GDPR Article 37 (where applicable), and as the standard point of contact under APPI, LFPDPPP, CCPA/CPRA, and other applicable frameworks. Contact: privacy@termpeek.com.
For the fastest response, include in your message:
- The nature of your request (e.g., "I want to exercise my GDPR right of access").
- Your country of residence (so we apply the correct legal framework).
- Any identifier that helps us locate data about you — if you are a Pro subscriber, the email you used at Polar checkout; in any case, the anonymous device identifier stored by your extension, available in the extension's settings view.
End of TermPeek Privacy Policy (EN)