Termitude
Legal

Privacy Policy

Last Updated 16-Jun-2026 | Effective Date 16-Jun-2026

This Privacy Policy explains how Nexuus LLC and its affiliates ("Termitude," "we," "us," or "our") collect, use, disclose, and protect personal data in connection with the Termitude platform, websites, APIs, SDKs, embeds, and related services (collectively, the "Services").

Termitude is a system of record for legal and policy documents and end-user consent. Our customers ("Customers") use Termitude to publish documents and capture acceptance from their own end users. In most processing activities described below, the Customer is the controller of the end-user personal data and Termitude acts as a processor under their instructions. When you interact directly with Termitude (for example, as a visitor to our marketing site or as a Customer user of our application), we act as a controller.

1. Who this policy applies to

This policy applies to:

  • Visitors to termitude.com and our marketing pages.
  • Customer users — administrators, legal, security, and developer staff who log into the Termitude application.
  • End users of a Customer's product whose acceptance of a policy is recorded through Termitude (only with respect to data processed on the Customer's behalf).
  • Prospects and contacts who interact with our sales, support, or community channels.

2. Data we collect

2.1 Account & identity data

  • Name, work email, password hash, role, organisation, profile preferences.
  • Authentication signals (SSO identifier, MFA enrolment, session metadata).

2.2 Customer Content

  • Documents, versions, redlines, approval comments, publication settings, and metadata uploaded or generated by Customers.
  • Configuration of policies, jurisdictions, products, plans, and re-consent rules.

2.3 Consent & evidence records (processed on behalf of Customers)

  • End-user identifier supplied by the Customer (user ID, email, account ID).
  • Document and version accepted, exact text snapshot or hash, acceptance method, timestamp.
  • Context signals: IP address, user-agent, locale, country, source application.

2.4 Usage & telemetry

  • Product events, feature usage, performance metrics, error traces.
  • Device and browser information, approximate location derived from IP.
  • Cookies and similar technologies as described in Section 9.

2.5 Billing & commercial data

  • Billing contact, address, tax identifiers, plan and invoice history.
  • Payment method tokens (processed by our payment provider — we do not store full card numbers).

2.6 Communications

  • Support tickets, chat transcripts, sales correspondence, survey responses.

3. How we use personal data

We use personal data to:

  • Provide, operate, and secure the Services and authenticate users.
  • Diff document versions, classify changes, and produce AI-assisted summaries and risk analyses.
  • Record and serve consent evidence on behalf of Customers, including audit exports.
  • Send transactional notifications (re-consent reminders, version updates, security alerts).
  • Provide support, debug issues, and improve reliability and performance.
  • Detect, prevent, and respond to fraud, abuse, and security incidents.
  • Manage billing, taxes, and contractual obligations.
  • Comply with legal obligations and enforce our Terms.
  • With consent or legitimate interest, send product updates and marketing communications you can opt out of at any time.

We do not sell personal data and we do not use Customer Content or end-user consent records to train third-party generative AI models. AI features that summarise or classify document changes operate on Customer Content under contractual confidentiality and are not used to improve foundation models outside the Customer's tenant.

4. Legal bases (EEA, UK, Switzerland)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Contract — to deliver the Services to Customers and their authorised users.
  • Legitimate interests — to secure, maintain, and improve the Services; to communicate with prospects and existing Customers about relevant features; and to protect against fraud and abuse.
  • Legal obligation — to comply with tax, accounting, and regulatory requirements.
  • Consent — for optional cookies, marketing emails where required, and any other processing that requires explicit opt-in. You may withdraw consent at any time.

For end-user consent records processed on behalf of a Customer, the Customer (as controller) determines the legal basis and is responsible for providing notice and obtaining any required consent from its users.

5. Sharing & sub-processors

We share personal data only with parties that have a legitimate need:

  • Sub-processors that host infrastructure, deliver email, provide support tooling, or assist with analytics. A current list of sub-processors is available on our Security page.
  • Customers, with respect to end-user consent records and configuration data within their tenant.
  • Professional advisers such as auditors, lawyers, and accountants under duties of confidentiality.
  • Authorities when required by law, court order, or to protect the rights, property, or safety of Termitude, our Customers, or others.
  • Acquirers or successors in a merger, acquisition, financing, or sale of assets, subject to standard confidentiality and continuity-of-protection commitments.

6. International transfers

Termitude operates globally. Where personal data is transferred out of the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) together with supplementary technical, contractual, and organisational measures.

7. Retention

  • Account data — for the duration of the subscription and up to 90 days after deletion, unless a longer period is required by law.
  • Customer Content and consent records — retained per the Customer's configuration. On termination, Customer Content is deleted within 30 days unless a longer period is contractually agreed.
  • Billing records — retained for the period required by applicable tax and accounting law (typically 7 years).
  • Logs and telemetry — retained for up to 12 months unless required for ongoing security investigations.

8. Security

We protect personal data with encryption in transit (TLS 1.2+) and at rest, strict tenant isolation, least-privilege access controls, single sign-on and MFA for staff, continuous monitoring, vulnerability management, annual third-party penetration testing, and an incident response programme. See our Security page for current controls and certifications.

9. Cookies & similar technologies

We use a small number of strictly necessary cookies to operate the Services (authentication, security, load balancing) and, where permitted, analytics cookies to understand product usage. Optional cookies are loaded only after consent in jurisdictions that require it. You can manage cookie preferences in your browser and, where available, in our cookie banner.

10. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete personal data, subject to legal retention requirements.
  • Restrict or object to certain processing.
  • Port your data in a structured, commonly used format.
  • Withdraw consent where processing relies on it.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, contact us at privacy@termitude.com. If your data is processed on behalf of one of our Customers (for example, you accepted a policy through a product that uses Termitude), please contact that Customer directly — we will assist them in fulfilling your request.

11. Children

The Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will take appropriate action.

12. US state privacy rights

Residents of California, Colorado, Connecticut, Virginia, Utah, and other US states with comprehensive privacy laws have additional rights, including the right to know, delete, correct, and opt out of certain "sales" or "sharing" of personal data and targeted advertising. We do not sell personal data and do not engage in cross-context behavioural advertising. To exercise your rights, use the contact details below.

13. Changes to this policy

We will update this Privacy Policy from time to time. Material changes will be communicated by email or in-product notice with at least 30 days' notice before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision.

14. Contact

Questions, requests, or complaints about this Privacy Policy or our data practices can be sent to privacy@termitude.com.