Privacy Policy
Last updated: February 22, 2026
TermSlayer ("we", "us", "our") is a service provided by chapter42.com, registered at Waldeckstraat 1a, 7513 BR Enschede, The Netherlands, and registered with the Dutch Chamber of Commerce under number 08209536. We are the data controller within the meaning of the General Data Protection Regulation (GDPR). This privacy policy describes what personal data we collect, and why and how we process it.
1. What data do we collect?
1.1 Account data
- Email address — required when creating an account.
- Password — stored as a hash (never in plain text).
- Google OAuth data — if you sign in with Google: email address, name and profile picture.
1.2 Analysis data
- Keywords you enter and the country you select.
- SERP data and analysis results (stored per user account).
- Page Audit data: the URL you enter, the keyword, scores and recommendations.
1.3 Billing data (business customers)
- Company name, business address, KvK number, VAT number.
- Invoice details and payment status.
1.4 Payment data
- Stripe session ID, purchased package, number of credits, amount paid.
- We do not store credit card details. All payment data is processed by Stripe.
1.5 Technical data
- Browser fingerprint (FingerprintJS visitorId hash) — an anonymous hash generated in the browser during registration and login. Used solely to prevent abuse.
- Language preference (via cookie).
1.6 Email preferences
- Whether or not you wish to receive email notifications (opt-in/opt-out).
2. Purposes and legal bases
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address, password | Account management and authentication | Performance of contract (Art. 6(1)(b)) |
| Google OAuth data | Sign in with Google | Performance of contract (Art. 6(1)(b)) |
| Keywords, analysis results | Delivery of the service | Performance of contract (Art. 6(1)(b)) |
| Billing data (KvK, VAT) | Invoicing and legal retention obligation | Legal obligation (Art. 6(1)(c)) |
| Payment data (Stripe) | Payment processing | Performance of contract (Art. 6(1)(b)) |
| Browser fingerprint | Prevention of abuse and fraud | Legitimate interest (Art. 6(1)(f)) |
| Email notifications | Service emails (analysis complete, credits expiring) | Legitimate interest (Art. 6(1)(f)) |
| Vercel Analytics (anonymous) | Improvement of the service | Legitimate interest (Art. 6(1)(f)) |
3. Third parties (sub-processors)
We share personal data with the following service providers, solely for the purposes described below:
| Service provider | Purpose | Location |
|---|---|---|
| Supabase (supabase.com) | Authentication and database | US (EU region available) |
| Stripe (stripe.com) | Payment processing | US |
| Resend (resend.com) | Transactional email delivery | US |
| Vercel (vercel.com) | Hosting and analytics | US |
| Upstash (upstash.com) | Rate limiting and caching | US/EU |
| Moneybird (moneybird.com) | Invoicing (NL business) | Netherlands |
| Google Gemini API | AI analysis (no personal data) | US |
| DataForSEO (dataforseo.com) | SERP data (no personal data) | US/EU |
| Firecrawl (firecrawl.dev) | Web scraping (no personal data) | US |
| FingerprintJS (open-source, client-side) | Browser fingerprinting | Local (browser) |
Data processing agreements or Standard Contractual Clauses (SCCs) are in place with sub-processors outside the European Economic Area (EEA), in compliance with the GDPR.
4. Cookies
We use the following cookies:
| Cookie | Purpose | Type | Retention |
|---|---|---|---|
| sb-* (Supabase) | Session authentication | Strictly necessary | Session |
| NEXT_LOCALE | Language preference | Strictly necessary | Session |
| HOMEPAGE_LANG | One-time language redirect | Functional | 1 year |
We do not use tracking cookies, advertising cookies or third-party cookies for marketing purposes. Vercel Analytics operates without cookies by default and does not collect personally identifiable information.
5. Retention periods
| Data | Retention period |
|---|---|
| Account data | Until you delete your account |
| Analysis results | Until you delete your account |
| Billing data | 7 years after the financial year (Dutch legal obligation, Art. 52 AWR) |
| Browser fingerprint | Until you delete your account |
| Payment history | 7 years after the financial year (legal obligation) |
6. Your rights
Under the GDPR, you have the following rights:
- Access — Request what data we process about you.
- Rectification — Have incorrect data corrected.
- Erasure — Have your account and all associated data deleted. This can be done via your account settings or by email.
- Restriction of processing — Request that processing be temporarily restricted.
- Data portability — Request your data in a structured, machine-readable format.
- Objection — Object to processing based on legitimate interest.
- Withdrawal of consent — Where processing is based on consent, you can withdraw it at any time.
To submit a request, send an email to privacy@termslayer.com. We will respond within 30 days.
You also have the right to file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
7. Account deletion
You can delete your account at any time via your account settings. Upon deletion, all data linked to your account is permanently erased, except for billing data that we are legally required to retain (7 years).
8. Security
We take appropriate technical and organizational measures to protect your personal data, including:
- Encrypted connections (HTTPS/TLS).
- Hashed passwords (never stored in plain text).
- Row Level Security (RLS) in the database.
- Rate limiting on API endpoints.
9. Changes
We may update this privacy policy from time to time. In the event of material changes, we will inform you by email or via a notice in the application. The most recent version is always available on this page.
10. Contact
For questions about this privacy policy, you can reach us at:
- Email: privacy@termslayer.com
- Company: chapter42.com
- Address: Waldeckstraat 1a, 7513 BR Enschede, The Netherlands
- KvK: 08209536