Privacy Policy

Last updated: June 24, 2026

This Privacy Policy explains how Risky Terms (“we”, “us”) collects, uses, shares, and protects information when you visit our website, run scans, subscribe to a plan, or use our data products and APIs. By using the Service you agree to this Policy and our Terms of Service.

1. Information we collect

You give us directly:

  • Account data: name, email, password hash, organization.
  • Scan inputs: URLs and target sites you submit, optional notes and tags.
  • Text you submit for AI rewriting.
  • Billing data: handled by Stripe; we receive a customer ID, plan, status, last 4 digits of the card, country, and invoice metadata. We do not store full card numbers.
  • Support communications.

Collected automatically:

  • Log data: IP address, user agent, timestamps, request paths, response codes.
  • Device & cookie data: session cookies, auth tokens, basic device fingerprints used for security and rate-limiting.
  • Product analytics: pages viewed, features used, error events.

Scan output (generated by us):

  • Page text fetched from URLs you submit (publicly available content).
  • Matched terms, categories, severity, scores, and AI-generated rewrite suggestions.

2. How we use information

  • Provide, operate, secure, and improve the Service.
  • Authenticate accounts and prevent fraud, abuse, and unauthorized access.
  • Process payments, send transactional emails (receipts, security alerts, trial expiration), and provide support.
  • Send product updates and marketing emails — you can unsubscribe at any time.
  • Compute aggregated, de-identified statistics for our research and data products.
  • Comply with legal obligations and enforce our Terms.

3. Aggregated & de-identified data — what we sell

We offer paid data products that include aggregated, de-identified statistics derived from scans across our customer base. Examples include term-prevalence counts by category, severity, and U.S. state, and trend data over time. These products do not identify you, your customers, individual sites, URLs, or any individual person.

Higher-tier “Signals” and “Data Enterprise” products may include per-site findings (URL plus matched terms) derived only from publicly accessible pages. Customer account information (your name, email, billing data, internal notes) is never included in any data product and is never sold.

We do not sell personal information of consumers as defined under U.S. state privacy laws. Where any data product could constitute a “sale” or “share” under applicable law, the “Your choices & rights” section describes how to opt out.

4. How we share information

We share information only as described below:

  • Service providers (sub-processors) that host, store, secure, and deliver the Service under written contracts limiting their use to providing services to us.
  • Payment processor (Stripe) to charge your card and manage subscriptions.
  • Data-product customers, but only the aggregated/de-identified or publicly sourced datasets described above.
  • Legal & safety: to comply with law, court orders, or to protect rights, property, or safety.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this Policy.
  • With your consent for anything else.

We do not share your account, billing, or scan-input data with advertisers and we do not allow third-party advertising trackers on authenticated pages.

5. Sub-processors

  • Supabase — managed authentication, Postgres database, and storage (U.S.).
  • Cloudflare — edge runtime, CDN, DDoS protection.
  • Stripe — payment processing and billing portal.
  • Resend / transactional email provider — transactional and trial-lifecycle emails.
  • Model providers used to generate AI rewrites (only when you invoke a rewrite).

We will update this list when sub-processors change materially.

6. Cookies & tracking

We use first-party cookies and local storage strictly to keep you signed in, remember preferences, and operate basic analytics. We do not use third-party advertising or cross-site tracking cookies.

7. Data retention

  • Account data: kept while your account is active and for up to 24 months after deletion for legal, tax, and abuse-prevention purposes.
  • Scan history & findings: kept for the life of the account, then deleted within 90 days of account deletion.
  • Log data: typically 90–180 days.
  • Aggregated/de-identified datasets are retained indefinitely as they no longer identify you.

8. Security

We use encryption in transit (TLS), encryption at rest, role-based access controls, row-level security on customer data, audit logging, and least-privilege secrets. See our Security Statement for details. No system is 100% secure; we cannot guarantee absolute security.

9. International users

We are based in the United States and process data in the U.S. If you access the Service from outside the U.S., you understand your data will be transferred to and processed in the U.S. and other jurisdictions where our sub-processors operate.

10. Your choices & rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, export, or delete your personal information.
  • Object to or restrict certain processing.
  • Opt out of marketing email (use the unsubscribe link).
  • Opt out of any “sale” or “share” of personal information by emailing privacy@riskyterms.lovable.app. Because our data products are aggregated and de-identified, this opt-out primarily affects per-site findings derived from URLs you submitted.
  • Lodge a complaint with a supervisory authority (EEA/UK) or your state attorney general (U.S.).

To exercise any right, email privacy@riskyterms.lovable.app. We will respond within 30 days.

11. Children

The Service is not directed to children under 16 and we do not knowingly collect their data.

12. Changes

We will post changes here and, for material changes, notify you by email or in-app at least 14 days in advance.

13. Contact

Privacy questions: privacy@riskyterms.lovable.app.