Introduction
This Privacy Policy describes how TermsBox ("we", "us", or "our") collects, uses, and shares your personal information when you use our website at termsbox.com and our legal document generator services (collectively, the "Service").
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.
Information We Collect
Information You Provide
When you use our Service, we collect information you provide directly to us, including:
- Account Information: Email address and name when you create an account
- Business Information: Company name, business details, website URL, and other information you enter into our document generators
- Generated Documents: Full text and content of all legal documents you generate through our Service, including all form inputs and selections
- Payment Information: Billing information processed securely through Paddle, our payment processor and Merchant of Record (we do not store complete payment card numbers, but we do store Paddle customer IDs, subscription IDs, and transaction IDs)
- Contact Information: Information you provide when contacting us for support
Information Collected Automatically
When you access our Service, we automatically collect certain information, including:
- Session Data: IP address and user agent (browser information) stored with your login sessions for security and fraud prevention
- Usage Data: Pages visited, time spent on pages, links clicked, and other usage statistics collected through analytics tools
- Device Information: Browser type, operating system, and device identifiers
- Cookies: We use cookies and similar tracking technologies including authentication cookies, analytics cookies, and advertising cookies (see our Cookie Policy for complete details)
- Authentication Tokens: Temporary login codes (valid for 15 minutes) and session tokens (valid for 30 days) to keep you signed in
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Service
- Generate customized legal documents based on your input
- Process payments and prevent fraud
- Send you technical notices, updates, security alerts, and support messages
- Respond to your comments, questions, and customer service requests
- Monitor and analyze trends, usage, and activities in connection with our Service
- Detect, prevent, and address technical issues and fraudulent activity
- Comply with legal obligations
How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: With third-party vendors who perform services on our behalf (e.g., Paddle for payment processing, Resend for email delivery, Railway for hosting, and analytics services)
- Legal Requirements: If required by law or in response to valid requests by public authorities
- Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business
- With Your Consent: With your explicit consent or at your direction
Third-Party Services
Our Service integrates with the following third-party services that may process your personal information:
- Paddle: Paddle.com Market Ltd acts as our payment processor and Merchant of Record, handling payments, billing, and sales tax (see Paddle's Privacy Policy). We store Paddle customer IDs, subscription IDs, and transaction IDs.
- Resend: Email delivery service for sending generated documents, confirmation emails, and transactional notifications (see Resend's Privacy Policy)
- Google Analytics, Google Tag Manager & Google Signals: Website analytics, user behavior tracking, cross-device tracking for signed-in Google users, conversion tracking, and remarketing (see Google's Privacy Policy and Google Signals)
- Google Ads: Advertising, remarketing, and conversion tracking (see Google Ads Privacy)
- Hosting & Infrastructure: Vercel or Railway for application hosting and content delivery network (CDN) services. Server logs may capture IP addresses and request data.
- Upstash (Optional): Redis-based rate limiting and caching when enabled. May store IP addresses and request identifiers for abuse prevention.
These third parties may use cookies and similar technologies to collect information about your online activities across different websites. We do not control third-party cookies and recommend reviewing their privacy policies for more information.
Google Analytics, Google Signals & Cross-Device Tracking
We use Google Analytics with Google Signals enabled, which allows Google to associate your activity with your Google account if you are signed in. This enables:
- Cross-Device Tracking: Google may track your visits across multiple devices (desktop, mobile, tablet) to provide aggregate reports.
- Remarketing: Personalized ads based on your visit to our website.
- Demographics & Interests: Aggregate demographic and interest data.
- Enhanced Measurement: Automatic collection of page scrolls, outbound clicks, site search, video engagement, and file downloads.
Your Google Data Controls:
- Opt Out of Personalized Ads: Visit Google Ads Settings.
- Access or Delete Your Data: Visit Google My Activity.
- Disable Google Signals: Use our cookie preferences to reject analytics cookies, or adjust your Google account settings.
Data Security
We implement appropriate technical and organizational security measures to protect your personal information. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:
- Account Data: Retained until you delete your account or request deletion
- Session Data: Login sessions expire after 30 days and are deleted upon expiration; IP address and user agent are stored only within the session record for security and fraud prevention
- Login Codes: Passwordless login tokens expire and are deleted after 15 minutes
- Generated Documents: Stored indefinitely until you delete them or close your account
- Payment Records: Retained for 7 years to comply with tax, accounting, and legal obligations
- Email Records: Transactional email logs retained for 90 days for delivery verification
- Audit Logs: Security and access logs retained for 1 year for fraud prevention and investigation
- Backups: Database backups retained according to hosting provider schedules (typically 30-90 days)
When we no longer need your information or upon your request for deletion, we will securely delete or anonymize it, subject to legal retention requirements.
Your Rights
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request a copy of your information in a structured, machine-readable format
- Objection: Object to our processing of your personal information
- Restriction: Request restriction of processing of your personal information
To exercise these rights, please contact us at the email address provided below.
GDPR Compliance (EU/EEA Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information based on the following legal grounds:
- Contract Performance: Account creation, document generation, payment processing, and service delivery
- Legitimate Interests: Fraud prevention, security monitoring (IP address and user agent logging), service improvement, analytics, and marketing
- Legal Compliance: Payment records retention, tax obligations, and responding to legal requests
- Consent: Analytics cookies, advertising cookies, and marketing emails (where required and obtained)
Automated Decision-Making: We do not use automated decision-making or profiling that produces legal or similarly significant effects.
International Transfers: Your data may be transferred to the United States and other countries. We use Standard Contractual Clauses (SCCs) approved by the European Commission and rely on adequacy decisions where applicable to ensure appropriate safeguards.
Data Subject Requests: To exercise your GDPR rights, email us at [email protected] with your request. We will verify your identity and respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
CCPA Rights (California Users)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information we collect, use, disclose, and sell (we do not sell personal information)
- Right to Delete: Request deletion of your personal information, subject to legal retention requirements
- Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit: Limit the use of sensitive personal information (we do not use sensitive personal information for purposes requiring opt-out)
- Right to Non-Discrimination: You will not face discrimination for exercising your CCPA rights
How to Submit Requests: Email [email protected] with your request. We will verify your identity using your email address and account information, and respond within 45 days (extendable by 45 additional days if needed). You may designate an authorized agent to submit requests on your behalf by providing written authorization.
Data We Collect: See the "Information We Collect" section above for categories and sources of personal information.
Sale/Sharing: We do not sell or share personal information for monetary or other valuable consideration. Third-party cookies from Google Analytics and Google Ads may constitute "sharing" under CCPA; you can opt out via our Cookie Policy or browser settings.
Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete such information.
International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country. We take appropriate safeguards to ensure your information remains protected in accordance with this Privacy Policy.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes.
Contact Us
If you have any questions about this Privacy Policy, please contact us at:
Email: [email protected]
TermsBox is a service by Lunera AS, Org. nr. 936863590, Sigurd Hoels Vei 8, 0655 Oslo, Norway.
Important Legal Notice
This Privacy Policy was generated using TermsBox legal document generator. The information provided in legal templates and policies is for informational purposes only and does not constitute legal advice. TermsBox does not provide legal services or create an attorney-client relationship. For specific legal advice tailored to your situation, please consult with a qualified attorney.