Privacy Policy
Last updated: August 13, 2025
This Privacy Policy explains what personal data we collect, how we use it, how we share it, and the choices available to individuals who use our website, app, and AI paraphrasing service (the “Service”). This notice is designed for transparency and to satisfy common requirements under global privacy laws, including GDPR, UK GDPR, ePrivacy, CCPA/CPRA, and similar frameworks, and should be read together with our Cookie Policy.
Who we are and scope
This policy applies to visitors and users of the Service, including individuals who upload content, paraphrase text, or interact with features such as file uploads, history, statistics, and settings. A privacy policy is legally required when an online service collects personal data; most SaaS tools collect at least an email or device identifier, so a clear notice is necessary to disclose collection, use, sharing, retention, and user rights.
Personal data we collect
Data provided by users:
Text entered or uploaded to paraphrase (.docx, .pdf, .txt)
Freeze words, settings, language/mode/tone selections
Feedback submitted via forms
Contact details if support is requested or an account is created (if available)
Billing details if paid plans are activated (processed by payment providers)
Data collected automatically:
Device and usage data: IP address, browser, OS, pages viewed, timestamps, interactions
Cookie, pixel, and local storage identifiers used for consent, functionality, security, analytics (see Cookie Policy)
Data from third parties (when enabled/used):
Payment processors (e.g., transaction metadata)
Analytics or anti-abuse services
CAPTCHA providers
Authentication providers if single sign-on is used
A compliant SaaS privacy policy should clearly list data types, collection methods (direct/automatic/third-party), and the purposes of processing.
How we use personal data
Provide and operate the Service: paraphrasing runs, alternatives, compare mode, history, statistics, and file processing
Maintain security and prevent abuse: rate limits, reCAPTCHA, ad-blocker gates, fraud monitoring
Improve performance and features: diagnostics, analytics in aggregate or de-identified form
Customer support: respond to inquiries, troubleshoot issues
Legal compliance: honor user rights requests, maintain consent logs, comply with laws
Payments (if applicable): process subscriptions and invoices via payment providers
Privacy notices must explain why data is collected and how it is used, including sharing with providers and retention periods.
Legal bases for processing (EU/UK)
Where GDPR/UK GDPR applies, we rely on:
Contract necessity: to deliver core features a user requests
Legitimate interests: to secure, maintain, and improve the Service (balanced with user rights)
Consent: for non-essential cookies/trackers and certain marketing/analytics
Legal obligations: to comply with applicable laws and requests
Best practice is to map purposes to legal bases and distinguish consent-based operations (e.g., non-essential cookies).
Cookies and similar technologies
We use cookies and similar technologies (local storage, pixels) for:
Strictly necessary operations (session, security, consent)
Functional preferences (language, UI)
Analytics (usage, performance) with prior consent where required
Marketing measurement (only if enabled and consented)
In the EU/UK, non-essential cookies require opt-in consent, equal accept/reject choices, easy withdrawal, and prior blocking until consent is given.
Sharing and disclosures
We may share personal data with:
Service providers (processors) that help us run the Service (hosting, analytics, anti-abuse, payments, support)
AI model providers used to process paraphrasing requests when selected in settings
Professional advisers (legal, accounting) under confidentiality
Authorities when required by law or to protect rights and safety
Affiliates in connection with corporate transactions (merger, acquisition)
SaaS policies should disclose third-party sharing, processor roles, and links to provider policies where possible. For processor relationships, a Data Processing Agreement (DPA) defines obligations, sub-processor transparency, security, and deletion.
International transfers
Where data is transferred internationally (e.g., from the EEA/UK to other countries), we implement appropriate safeguards such as Standard Contractual Clauses and additional measures as needed. Controllers and processors should ensure SCCs and compliant transfer mechanisms are in place for cross-border flows.
Data retention
We keep personal data only for as long as necessary to fulfill the purposes described, including:
Paraphrase inputs: processed to deliver results; local history is stored in the user’s browser (client-side) unless cleared
Account/support records (if applicable): retained for the account lifetime and a reasonable period after closure
Payment records: retained as legally required
Consent logs: retained per regulatory guidance
SaaS notices should disclose retention periods or the criteria used to determine them.
Security
We use appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, and to maintain confidentiality, integrity, and availability; customers are responsible for safeguarding credentials and securing their environment.
Your rights
Depending on jurisdiction, individuals may have rights to:
Access their data and receive a copy
Correct inaccurate or incomplete data
Delete data in certain circumstances
Object to or restrict processing
Port data to another service
Withdraw consent where processing is based on consent
Lodge a complaint with a supervisory authority
GDPR and related frameworks require clear disclosure of user rights and how to exercise them.
California privacy disclosures (CCPA/CPRA)
For California residents, we provide:
Notice of categories of personal information collected, purposes, and disclosures
Right to know, delete, correct, and limit use of sensitive personal information
Right to opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising, and to have Global Privacy Control (GPC) signals honored
Non-discrimination for exercising rights
CPRA requires privacy notices to describe collection, use, and disclosure, and to offer a “Do Not Sell or Share” mechanism where applicable.
Children’s privacy
Our Service is not directed to children under the minimum age required by local law. We do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it and, where required, obtain verifiable parental consent.
Managing preferences and exercising rights
Cookies: Use the “Cookie Settings” link in the footer to manage or withdraw consent at any time; in relevant jurisdictions, non-essential cookies are blocked until consent is given.
Requests: To access, delete, correct, or exercise other rights, contact us using the details below. We may verify identity before responding and will reply within the timeframes required by law.
Third-party services and links
The Service may link to third-party websites or integrate third-party services. Their privacy practices are governed by their own policies. Where we act as a processor on your behalf, our DPA sets out roles, sub-processors, security, and deletion commitments.
Changes to this Privacy Policy
We may update this policy from time to time. Material changes will be communicated via the Service or other reasonable means. Please review the “Last updated” date.
Contact us
Email: contact@theparaphrasingtool.com
This policy includes the core disclosures recommended for SaaS privacy notices, including data types, purposes, legal bases, cookies/consent, sharing, transfers, retention, security, user rights, and regional addenda. It aligns with EU cookie consent rules (prior opt-in, equal choices, easy withdrawal) and U.S. CPRA transparency and opt-out requirements for sale/sharing and GPC handling.