TL;DR
Plain English:
- Your text is processed in memory and discarded the moment we return your result.
- We never use your text to train our models. Never. Not even anonymized.
- Account data (email, payment) is encrypted at rest and only used to run your account.
- EU customers' data stays in EU regions. US customers can opt for EU pinning too.
- You can delete everything in one click. We honor that within 24 hours.
Scope
This policy covers the TextSight web app, browser extensions, mobile apps, and API — anything operated by Lacewing Technologies ("we", "us", "TextSight"). It doesn't cover third-party services that link to us.
Data we collect
You give us:
- Account info — email, name (optional), password hash (bcrypt, never the cleartext).
- Payment info — handled entirely by Stripe; we never see your card.
- Text you scan or rewrite — see Your text content for the special rules around this.
- Support messages — when you email us, we keep the thread for support continuity.
We observe:
- IP address (for rate limiting and abuse detection).
- Browser, OS, screen resolution (so we can fix bugs that only happen on specific setups).
- Pages visited, buttons clicked, scan duration (anonymous, aggregated — we use PostHog, self-hosted, EU region).
- Approximate location from IP (country-level only — to comply with regional content rules).
We DON'T collect:
- Your browsing history (the extension only sees what you actively select).
- Your contacts, calendar, files, or anything outside what you give us directly.
- Anything for advertising. We don't run ads, period.
How we use it
- To run your account — login, billing, sending the result of a scan.
- To improve the product — looking at aggregate funnel metrics to find friction.
- To prevent abuse — IP-based rate limiting, fraud detection (Stripe Radar).
- To talk to you — replies to support tickets, product updates if you opt in.
We never sell your data. We never share it with advertisers. We never use it to train models.
Your text content (special rules)
This is the part most people care about. We've split it out into a separate document: Content Handling Policy. It covers exactly what happens to your text from the moment you paste it to the moment we discard it.
The short version: zero retention by default. Your text exists in our memory only long enough to compute the result. We never persist it unless you explicitly opt in to "Save to history" — and even then, you can delete any saved scan with one click.
Legal basis (GDPR Art. 6)
| Purpose | Legal basis |
| --- | --- |
| Running your account | Contract (Art. 6(1)(b)) |
| Billing & tax | Legal obligation (Art. 6(1)(c)) |
| Product analytics | Legitimate interest (Art. 6(1)(f)) — anonymous & aggregated |
| Marketing emails | Consent (Art. 6(1)(a)) — opt-in only |
| Abuse prevention | Legitimate interest (Art. 6(1)(f)) |
Sharing & processors
We use a short list of sub-processors. Each one has signed a DPA with us, and we audit them annually.
| Vendor | Purpose | Location |
| --- | --- | --- |
| AWS (eu-west-1, us-east-1) | Hosting, inference compute | Ireland / Virginia |
| Stripe | Payments | US (DPA + SCCs) |
| Postmark | Transactional email | US |
| PostHog (self-hosted) | Product analytics | Frankfurt, Germany |
| Sentry (self-hosted) | Error logging | Frankfurt, Germany |
| Cloudflare | DNS, DDoS protection | Global edge |
We do not share data with anyone else — including law enforcement — without a valid legal order. When we do, we tell you (unless legally gagged).
Retention
- Scan text: 0 seconds (discarded immediately).
- Scan history (opt-in): Until you delete it. We don't auto-purge.
- Account info: While your account is active + 30 days after deletion.
- Billing records: 7 years (tax law).
- Support emails: 3 years.
- Server logs: 30 days, then aggregated to weekly counts and purged.
Security
- TLS 1.3 in transit, AES-256 at rest.
- Database encryption with customer-managed keys for Enterprise.
- 2FA required for all employees with production access.
- Quarterly third-party penetration testing.
- SOC 2 Type II audit in progress (expected Q3 2026).
- Bug bounty program — security@textsight.ai.
Your rights
You have the right to:
- Access — see what data we have on you. Download from Settings → Privacy.
- Rectification — fix anything that's wrong.
- Erasure — delete everything. One click in Settings → Delete Account.
- Portability — export your scan history as JSON or CSV.
- Object — opt out of analytics or marketing emails.
- Lodge a complaint — with your supervisory authority (we'd rather you talk to us first).
To exercise any of these, email privacy@textsight.ai. We respond within 72 hours; we resolve within 30 days.
Cookies
We use the minimum number of cookies needed to keep you logged in and tell us aggregate funnel info. Full cookie policy →
Children
TextSight is not directed to children under 13. If you're 13–18, you can use the service with parental consent. We don't knowingly collect data from children under 13; if you believe we have, email privacy@textsight.ai and we'll delete it.
International transfers
EU customer data stays in our Ireland region (eu-west-1) by default. Where transfer to a non-EU country is necessary (e.g. Stripe in the US), we rely on Standard Contractual Clauses (2021/914) and additional safeguards.
Changes
We may update this policy as we change the product. We notify you of material changes by email 30 days in advance. Cosmetic edits (typo fixes, clarifications) don't trigger a notice. Past versions are archived here.
Privacy questions, DPA requests, GDPR rights:
For EU representative under GDPR Art. 27, see our contact page.