Security

How we handle your data

No marketing spin. Here's exactly what happens to your files, where your data goes, and what we're still working on.

Files are deleted immediately after analysis. Only AI-generated outputs are saved — and only if you explicitly choose to save the deal.

What happens when you upload a file

1. You Upload

We extract text from your PDF or image. The file is held in memory only.

2. AI Analyzes

Extracted text is sent to Anthropic's API over TLS for analysis.

3. File Deleted

Original file deleted immediately. It never touches our database.

Bottom line: Your original files are never stored. Only AI-generated analysis is saved — and only if you click save.

Encryption

In Transit

All data is transmitted over TLS (HTTPS). This applies to file uploads, API calls to Anthropic, and all communication with Supabase and Vercel.

At Rest

Supabase encrypts all stored data with AES-256 encryption. This covers saved deal analyses, account data, and any metadata in our database.

File Deletion

Originals never stored

When you upload a PDF or image, we extract the text in memory and immediately discard the original file. It is never written to a database, never saved to disk storage, and never logged. Once the analysis is complete, the extracted text exists only in the AI response.

If you choose not to save the deal, nothing is persisted at all — the analysis result is discarded when you leave the page.

Extracted Text Storage

Only saved when you say so

Extracted text from your documents is not stored by default. It's sent to the AI, the AI produces an analysis, and the extracted text is discarded.

If you explicitly save a deal, the AI-generated analysis (risk scores, clause breakdowns, recommendations) is stored in your account. The raw extracted text may be stored alongside it so you can reference the original content — but only if you choose to save.

Never Used for AI Training

Anthropic doesn't train on API data

We use Anthropic's API (Claude) for analysis. Anthropic's API terms explicitly state that data sent through the API is not used to train their models. Your contract text is not being fed into future AI models.

We also don't use your data to train any models ourselves. We don't build datasets from user uploads. Period.

GDPR Compliance

Your rights are respected

We comply with GDPR. You can request access to your data, request deletion, correct inaccurate information, or export your data at any time. Email us and we'll handle it.

Our database infrastructure is hosted in the EU through Supabase, which means your stored data stays within EU jurisdiction.

Our Infrastructure

Supabase — Auth & Database

Handles authentication and stores saved deal data. SOC 2 Type II certified. Data encrypted at rest with AES-256. EU-hosted infrastructure.

Row-level security (RLS) is enabled on all database tables. This means queries are enforced at the database level — users can only read, update, or delete their own data. Even if there were an application-level bug, RLS prevents cross-account data access.
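The following is an added illustration of what "RLS on every table, keyed to the logged-in user" looks like in a Supabase Postgres database; it is example code written for this page, not TermLift's actual schema or migrations. The `deals` table, its columns and the policy names are hypothetical; `auth.uid()` and the `authenticated` role are Supabase's standard helpers.

```sql
-- Hypothetical table for saved deal analyses (constructed for this example).
create table if not exists public.deals (
  id             uuid primary key default gen_random_uuid(),
  user_id        uuid not null references auth.users (id) on delete cascade,
  analysis       jsonb not null,          -- AI-generated risk scores, clause breakdowns
  extracted_text text,                    -- only present when the user chose to save
  created_at     timestamptz not null default now()
);

-- Step 1: turn RLS on. Until this runs, any client holding a valid JWT for
-- this project could select every row via the auto-generated REST API.
alter table public.deals enable row level security;
-- Also apply policies to the table owner, so a migration or admin session
-- cannot accidentally read across accounts either.
alter table public.deals force row level security;

-- Step 2: one policy per operation, each tied to the caller's JWT subject.
-- USING filters rows the caller may see/touch; WITH CHECK validates rows
-- the caller writes, so a user cannot insert a deal under someone else's id.
create policy deals_select_own on public.deals
  for select to authenticated
  using (user_id = auth.uid());

create policy deals_insert_own on public.deals
  for insert to authenticated
  with check (user_id = auth.uid());

create policy deals_update_own on public.deals
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy deals_delete_own on public.deals
  for delete to authenticated
  using (user_id = auth.uid());

-- Step 3: verification query for the claim "RLS is enabled on all tables".
-- Every row returned for the public schema should show rls_enabled = true;
-- a false here is a table the application bug would not be shielded on.
select c.relname                as table_name,
       c.relrowsecurity         as rls_enabled,
       c.relforcerowsecurity    as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r'
order by c.relname;
```

Caveat for readers evaluating such a setup: Supabase's `service_role` key bypasses RLS entirely, so the guarantee on the page holds only for code paths that query with the user's own JWT, and the service key must never reach the browser.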

Vercel — Hosting

Application hosting and edge functions. SOC 2 certified. Provides DDoS protection, automatic HTTPS, and edge caching. Our serverless functions run here, including the file processing and AI analysis endpoints.

Anthropic — AI Analysis

Extracted text is sent to Anthropic's Claude API for contract analysis. Anthropic does not use API data to train models. Data is transmitted over TLS and is not stored by Anthropic beyond their standard API log retention for abuse monitoring.

What We Don't Do

  • Sell your data to anyone — ever
  • Use your data for advertising or marketing profiles
  • Train AI models on your uploads or saved data
  • Store your original uploaded files after processing
  • Share data with third parties beyond the services listed above
  • Access your saved deals unless you ask us to for support purposes

Being Honest: Limitations

We believe in being upfront. We're a startup, and while we take security seriously, there are things we haven't done yet:

  • We're not SOC 2 certified ourselves. Our providers (Supabase, Vercel) are. We haven't gone through the certification process as a company.
  • No penetration testing yet. We haven't hired a third party to attempt to break into our systems. It's on our roadmap.
  • No formal incident response plan. If something went wrong, we'd handle it — but we don't have a documented, rehearsed procedure yet.
  • Not end-to-end encrypted. Data is encrypted in transit and at rest, but we can technically access stored data on the server side.
  • Small team. We don't have a dedicated security team. Security is handled by the same people building the product.

We're improving this as we grow. If you have specific security requirements, reach out and we'll be honest about whether we can meet them.

Questions?

If you have security concerns or questions about how we handle your data, we'd rather you ask than wonder.

Security questions: hello@termlift.com

Privacy requests: hello@termlift.com

General support: hello@termlift.com
