Appearance
Privacy Policy
Effective date: 2026-04-25
1. Who we are
Term Tracker is an AI-powered contract analysis service operated by Sean McCauley (sole proprietor). For purposes of the GDPR, Sean McCauley is the data controller for personal data processed through Term Tracker.
Contact: sean@seanpmccauley.com
2. What data we collect
Account data
When you register or are invited to a project, we collect your email address, first name, last name, and optional profile photo. Passwords are managed by AWS Cognito; Term Tracker's backend never receives or stores plaintext passwords.
Contract data
Files you upload, the structured terms extracted from those files, project metadata (project name, template fields, document hierarchy), and member role assignments are stored in our systems. This data belongs to you and the project owner.
Usage data
We collect API request logs via AWS CloudTrail (timestamps, request paths, response codes). We do not log contract content in audit trails.
3. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide and operate the service | Contract performance (Art. 6(1)(b)) |
| Authenticate accounts and maintain sessions | Contract performance (Art. 6(1)(b)) |
| Detect and respond to security threats | Legitimate interest (Art. 6(1)(f)) |
| Send service-related notices (invitations, verification emails) | Contract performance (Art. 6(1)(b)) |
We do not use your contract data to train AI models. Our AI sub-processors operate under API terms and data processing agreements that prohibit training on customer data. See Sub-processors for details.
We do not sell personal data or use it for advertising.
4. Sub-processors and AI providers
Term Tracker passes contract content to AI providers to extract structured terms. Our current AI sub-processors are Anthropic (Claude) and Google (Gemini). Anthropic retains API inputs for up to 30 days for trust and safety purposes; Google Cloud processes data under a Data Processing Addendum. Neither provider uses customer data for model training under their standard API terms.
Full sub-processor list: /legal/sub-processors
5. Where data lives
All production data is stored in AWS us-east-1 (United States):
- Contract files: S3 (us-east-1)
- Extracted terms and account data: Aurora PostgreSQL (us-east-1)
- Audit logs: CloudTrail + S3 (us-east-1)
Cross-border transfers to EU/EEA customers occur because our AI sub-processors (Anthropic, Google) process data in the United States. These transfers are covered by AWS Standard Contractual Clauses and the sub-processors' respective Data Processing Agreements. See Sub-processors for links to each provider's DPA.
6. Retention
| Data type | Retention period |
|---|---|
| Account data | Kept while your account is active. Deleted within 90 days of an account deletion request. |
| Contract data | Kept while the project exists. Deleted with the project unless the project owner retains it. |
| CloudTrail audit logs | 365 days, then automatically deleted. |
| Aurora automated backups | 35 days. Data in deleted backups is unrecoverable after this window. |
| Anthropic API retention | Up to 30 days (Anthropic standard API policy). |
7. Your rights
If you are in the EU/EEA, UK, or California, you have the following rights regarding your personal data:
- Access and portability -- request a machine-readable copy of the personal data we hold about you.
- Deletion -- request erasure of your data. We will delete within 90 days subject to any legal retention obligations (we currently have none for standard accounts).
- Rectification -- request correction of inaccurate personal data.
- Objection and restriction -- object to or request restriction of certain processing activities.
- Complaint -- you have the right to lodge a complaint with a data protection supervisory authority in your country.
How to exercise your rights: Account deletion is self-service via your account page at trmtrk.com/account. See Deleting Your Account for full instructions. For all other subject-rights requests, email sean@seanpmccauley.com. We will respond within 30 days. Email requests for deletion are also honored as a fallback at the same address.
8. Children
Term Tracker is not directed at users under 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, contact sean@seanpmccauley.com and we will delete it promptly.
9. Changes to this policy
When we make material changes to this policy, we will update the effective date above and publish the revised policy at this URL. If you have a signed Data Processing Agreement with Term Tracker, we will notify you per the terms of that agreement.
10. Contact
For privacy questions or to exercise your rights:
Sean McCauleysean@seanpmccauley.com
Last updated: 2026-04-26