Legal information
Privacy Policy
Last updated:
BITOR SOFTWARE SL, with Spanish tax ID (CIF) B72557697, informs users of the website textguardai.com about its policy on the processing and protection of personal data that may be collected while browsing the site or purchasing services through it.
1. Data controller
The data controller is BITOR SOFTWARE SL, with registered office at C/Milanesat 5, Local 1, 08017 Barcelona, Spain.
For any matter relating to this policy or to exercise data protection rights, the User may contact: support@textguardai.com.
If applicable legislation requires the appointment of a Data Protection Officer (DPO), users will be informed and provided with the corresponding contact details through this Privacy Policy and/or the Site.
2. Purposes of processing
Personal data provided by users through forms available on the Site and/or generated through use of the Services may be processed for the following purposes:
- Account creation and management (registration, authentication, account administration).
- Provision of the Services: automatic detection of AI-generated content and text humanisation, access to the features of the contracted plan, management of purchases and subscriptions, including billing, payments, fraud prevention and customer support.
- Responses to queries and requests submitted through contact forms or by email.
- Transactional communications relating to the contracted Services (e.g. purchase confirmations, service notifications, security alerts).
- Newsletters and commercial communications, only when the User has expressly requested or consented to receive them, and always with the option to unsubscribe at any time.
- Compliance with legal obligations applicable to the controller (e.g. tax and accounting obligations, or responses to legitimate requests from competent authorities).
- Security and integrity of the Site and the Services, including prevention of abuse, unauthorised access and attacks.
3. Data collected
When a User registers and uses the Services, TextGuardAI collects and securely stores the following personal data:
- Identification data: name, email address.
- Authentication data: hashed password (never stored in plain text) or Google sign-in identifier.
- Billing data: Stripe customer identifier, transaction history, currency, contracted plan, billing period. We never store your full card details (number, CVV, expiry date); these are handled directly by Stripe on its PCI-DSS Level 1 infrastructure.
- Text submitted to the service: the texts the User enters into the detector or humaniser are processed automatically to return the result. See the next section on transfers to analysis providers.
- Technical data: IP address, browser type, operating system, country (inferred from IP to determine currency), access timestamps. Used for security and fraud prevention.
- Preferences: language, theme (light/dark), preferred currency.
3.1 Processing of text submitted to the detector and humaniser
When the User submits text to the AI detector or humaniser, the text is transmitted via encrypted connection (HTTPS/TLS) to the external analysis providers that TextGuardAI uses to process the requests:
- GPTZero (provider of the AI-generated content detection service). See its privacy policy at gptzero.me/privacy-policy.
- DeepSeek (provider of the language model used for humanisation). See its policy at platform.deepseek.com/privacy.
TextGuardAI stores each full analysis — including the original text submitted to the detector or humaniser, the result returned by the analysis provider, and the associated metadata (date, processing time, detected language, scoring metrics) — as an integral part of the contracted service. Storage allows the User to:
- Access the full history of their analyses from their dashboard, consulting past results at any time.
- Re-run, export, share or compare previous analyses without having to re-submit the text.
- Organise their analyses through folders, tags and notes.
This storage is an essential feature of the service. By subscribing to any plan, the User expressly accepts the storage and processing of their analyses under the terms described in this policy. The legal basis for this processing is the performance of the contract entered into with the User (art. 6.1.b of the GDPR), without prejudice to the User's right to delete analyses individually or request total deletion of their history at any time (see section 8 on User rights).
Analyses are stored on servers located within the European Economic Area (EEA), encrypted at rest and in transit (TLS 1.3). Only the User who owns the analysis can access it; access control is applied at database level via Row Level Security (RLS).
During processing, the text is transmitted encrypted to the aforementioned analysis providers (GPTZero, DeepSeek). These providers process the text as data processors for TextGuardAI and do not use it for their own purposes beyond providing the contracted service.
The User is responsible for ensuring that the texts they submit to the Services do not contain third-party personal data without a lawful basis, confidential information, or material protected by professional privilege.
4. Legal basis for processing
The legal basis for processing personal data depends on the purpose pursued and may include:
- Performance of a contract (or pre-contractual measures) when the User purchases, subscribes to or uses the Services (account management, text analysis, billing, customer support).
- User consent where required (e.g. newsletters/commercial communications; non-essential cookies).
- Compliance with legal obligations applicable to BITOR SOFTWARE SL (accounting, tax, consumer law).
- Legitimate interest of the controller, where applicable, after weighing the balance of interests: in particular for service security, fraud prevention, and improving the reliability of the Site and the Services. Users may object to processing based on legitimate interest in accordance with applicable legislation.
Providing certain data may be necessary for the provision of the Services. If the User does not provide the required information, the Service may be unavailable or limited.
5. Data processors and third parties
TextGuardAI may share personal data with the following data processors, strictly necessary for the provision of the Services, under corresponding data processing agreements and in compliance with the GDPR:
- Supabase — database hosting, authentication and storage. Data hosted in the EU region (Frankfurt). Policy: supabase.com/privacy.
- Stripe — card payment processing and subscription management. PCI-DSS Level 1 certified. Policy: stripe.com/privacy.
- GPTZero — AI-generated content detection analysis. Submitted text is transmitted for analysis and is not retained by TextGuardAI.
- DeepSeek — language model for text transformation (humanisation).
- SMTP provider (Resend or other) for sending transactional emails (registration confirmation, password recovery, invoices).
All data processors have been selected by applying sufficient guarantees to protect User rights, and they offer the minimum contractual guarantees required by the GDPR (standard data protection clauses where applicable, or location within the EEA).
6. Hosting
All personal data collected by TextGuardAI is stored on servers located in Spain and/or within the European Economic Area, and, where applicable, with the appropriate GDPR-compliant safeguards.
7. Data retention
Personal data will be kept only for as long as necessary to fulfil the purposes described in this policy:
- Account and service data: for the duration of the User's relationship with the Services and, where applicable, for the time needed to handle claims or disputes.
- Billing and transaction data: for the periods required by applicable tax and accounting legislation (minimum 4 years in Spain for invoices, up to 6 years for accounting documents).
- Marketing communications: until the User withdraws consent or unsubscribes.
- Support or contact requests: for the time needed to handle the request and, if necessary, for a reasonable period to manage follow-ups or claims.
- Analysis history (texts submitted to the detector/humaniser and results): kept while the User maintains an active subscription and for thirty (30) days after cancellation thereof, as a grace period allowing reactivation without data loss. After this period, the history is deleted irrecoverably, unless specific legislation requires it to be kept longer (e.g. in the case of an ongoing judicial request).
- Analyses deleted by the User: when the User deletes an analysis from their dashboard, it enters a soft delete state for thirty (30) days to allow recovery in case of mistake. After this period, the analysis is permanently purged from the database and applicable backups.
Once the data is no longer needed, it will be securely deleted or anonymised. Where applicable, data may be blocked/restricted for the legally established periods.
8. User rights
In accordance with current data protection legislation, users have the following rights:
- Right to request, access and/or rectify the personal data collected by TextGuardAI.
- Right to request the deletion of the personal data collected ("right to be forgotten").
- Right to request the restriction of processing of personal data.
- Right to request portability of personal data.
- Right to object to processing, including automated individual decision-making where applicable.
- Right to withdraw consent at any time when processing is based on it, without affecting the lawfulness of processing carried out before such withdrawal.
- Right to decide on the fate of personal data after death, where national legislation so provides.
If a User has any question regarding their rights, they can contact the data controller at support@textguardai.com, indicating the right they wish to exercise and providing sufficient information to verify their identity when necessary. The controller will respond within a reasonable period not exceeding 30 days.
Additionally, the User has the right to lodge complaints about the processing of their personal data with the competent data protection authority if they believe their rights have been violated. In Spain, the competent authority is the Spanish Data Protection Agency (AEPD): www.aepd.es.
9. Data security
The data controller undertakes to protect and ensure the security of the personal data of all users. This involves careful monitoring of all personal data and ensuring that it is never shared with third parties without a valid legal basis.
TextGuardAI applies appropriate technical and organisational measures to protect data against unauthorised access, loss, destruction or alteration: encryption in transit (TLS 1.3), encryption at rest, authentication via JWT with token rotation, granular access control (RLS), audit logs and least-privilege access for the team.
Should the integrity, confidentiality or security of users' personal data be compromised, the data controller undertakes to inform all affected users as required by applicable legislation.
10. Minors' consent
Under Spanish law, processing of minors' personal data based on consent is only valid when the minor is at least fourteen (14) years old. For users under 14, consent must be given by the holder of parental authority or legal guardianship.
TextGuardAI may carry out various checks to ensure that a User is of legal age to consent.
11. Use of cookies
TextGuardAI may use cookies and similar technologies, which are small files stored on the User's device during browsing of the Site, to improve the browsing experience and enable essential functionality of the Site.
Where applicable legislation requires it, non-essential cookies (including analytics and advertising cookies, if used) will only be installed after the User has provided consent through the Site's cookie consent mechanism. Users will receive clear information and the ability to accept, reject or configure cookies, and to withdraw their consent at any time.
12. Changes to the Privacy Policy
TextGuardAI reserves the right to modify this Privacy Policy at any time to adapt it to legislative or case-law changes or changes in processing practices. The version in force shall always be the one published on the Site, with the date of the last update indicated at the top of this document. Users are advised to review this policy periodically.