Privacy Policy
Last updated: 2026-06-07 — Effective: 2026-06-07
1. The short version
- We do NOT retain your submitted text by default. It is deleted from logs and cache within 24 hours unless you explicitly opt in to detection history.
- We do NOT train our detector on your text without your explicit per-product opt-in.
- Detection result caches use SHA-256 hashes, never plaintext. Two users submitting identical text get a cached result without us storing either copy.
- We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
- You have rights — access, deletion, portability, correction, restriction — exercisable from your dashboard or by emailing privacy@deepaidetector.com.
2. Data controller & contact
For the purposes of the EU/UK GDPR, LGPD, and similar laws, the data controller is the operator of Deep AI Detector (deepaidetector.com) ("we", "us", "our", "the Service").
- Privacy contact: privacy@deepaidetector.com
- Security contact: security@deepaidetector.com (see also /.well-known/security.txt)
- Legal contact: legal@deepaidetector.com
- Postal address: available on request to verified data subjects.
3. EU/UK Representative & Data Protection Officer
We do not currently meet the GDPR Article 37 threshold that would require appointing a formal Data Protection Officer (our core activities do not involve large-scale systematic monitoring of data subjects or large-scale processing of special-category data). Privacy queries are handled by our designated privacy contact above.
If GDPR Article 27 or UK GDPR Article 27 (which apply to controllers with no establishment in the EU/UK) requires it, we will appoint and publish here an EU/UK representative. Until then, EU/UK data subjects may contact us directly via the addresses in §2.
4. What we collect
| Category | Examples | Required? |
|---|---|---|
| Account info | Email, hashed password (Argon2id), display name, account tier | Required to create an account |
| Authentication identifiers | Session token (HTTP-only cookie), CSRF token, optional 2FA secret | Required when logged in |
| Submitted text | The text you paste/upload for detection | Required to run a detection. Plaintext retained only per your dashboard setting; otherwise hashed. |
| Detection metadata | Timestamp, word count, AI/human verdict, model version, language, tier used | Required to compute and display your verdict |
| Billing info | Stripe customer ID, subscription/PAYG status, billing email, country (for VAT/sales tax), invoice metadata | Required for paid plans. Card data handled by Stripe; we never see PAN. |
| Usage data | Detection count per period, rate-limit consumption, API key activity | Required for tier enforcement |
| Anonymous IP fingerprint | SHA-256 hash of IP, salted per day. Never plaintext IP. | Required for anonymous-tier abuse prevention |
| Coarse geolocation | Country only, derived from request headers | Required for VAT/sales tax + legal-basis routing |
| Support correspondence | Email content, attachments, ticket metadata | Optional, only if you contact us |
We do not intentionally collect special-category data under GDPR Article 9 (health, biometric, racial, religious, sexual-orientation, political-opinion data). If you choose to paste such data into the detector, it is processed under the same minimal-retention rules above.
5. Sources of personal data
- Directly from you: when you register, log in, paste text, submit support tickets, or pay.
- Automatically from your device: IP (hashed at edge), user-agent, referrer, rough country, request timing.
- From sub-processors: Stripe returns billing status; Resend returns email delivery status; Cloudflare returns abuse signals.
We do not buy personal data from data brokers.
6. Purposes & legal bases (GDPR Art. 6 / UK GDPR Art. 6 / LGPD Art. 7)
| Purpose | Categories | Legal basis (GDPR/UK GDPR) | LGPD basis |
|---|---|---|---|
| Providing the detection service | Submitted text, account info, metadata | Art. 6(1)(b) — performance of a contract | Execution of contract |
| Account creation & login | Email, password hash, session token | Art. 6(1)(b) | Execution of contract |
| Billing & tax compliance | Billing info, country | Art. 6(1)(b) + 6(1)(c) — legal obligation (tax) | Legal obligation |
| Anti-abuse, rate limiting, fraud prevention | Hashed IP, usage data | Art. 6(1)(f) — legitimate interest in protecting the Service | Legitimate interest |
| Transactional email (verification, receipts, security alerts) | Email address (account info) | Art. 6(1)(b) | Execution of contract |
| Product analytics (aggregated, no third-party trackers) | Anonymised usage counters | Art. 6(1)(f) — legitimate interest in improving the Service | Legitimate interest |
| Opt-in detector training contributions | Submitted text (only with explicit per-product consent) | Art. 6(1)(a) — consent | Consent |
| Marketing email (only if you opt in) | Email address (account info) | Art. 6(1)(a) — consent | Consent |
| Defending legal claims | Any necessary records | Art. 6(1)(f) + 6(1)(c) | Regular exercise of rights |
Where we rely on legitimate interest, you may object under GDPR Art. 21 by emailing us. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing (GDPR Art. 7(3)).
7. What we do NOT do
- We do not sell personal information (CCPA/CPRA "sale" definition).
- We do not share personal information for cross-context behavioral advertising (CPRA "share" definition).
- We do not share detection text with third parties.
- We do not use your detection text to train models without your explicit opt-in.
- We do not log plaintext detection text beyond the 24-hour cache TTL.
- We do not retain IP addresses in plaintext.
- We do not use third-party advertising, retargeting, or analytics SDKs (no Google Analytics, no Meta Pixel, no TikTok Pixel).
- We do not employ dark patterns to obtain consent, withdraw subscriptions, or close accounts.
8. Sub-processors
We engage the following sub-processors. They process personal data only on our instructions, under written agreements that meet GDPR Art. 28 (Data Processing Agreements) and equivalent LGPD/UK GDPR requirements.
| Sub-processor | Purpose | Data categories | Region |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, edge, CDN, database (D1), storage (R2), KV, Turnstile bot defence, Workers AI | All | Global (EU/UK data routed via EU edges where possible) |
| Modal Labs, Inc. | Serverless GPU ML inference | Submitted text (transit only, not retained beyond request) | US |
| Stripe, Inc. / Stripe Payments Europe Ltd. | Payment processing | Billing info, card details (handled by Stripe; we don't see PAN) | US + EU/UK |
| Resend, Inc. | Transactional email delivery | Email address, message content | US |
For B2B customers on Business+ tiers, we make our standard Data Processing Addendum available, including EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
9. International data transfers
Some sub-processors are in the United States. Where personal data of EU/EEA, UK, or Swiss residents is transferred outside its home jurisdiction, we rely on:
- The EU Standard Contractual Clauses (2021/914) with our sub-processors;
- The UK International Data Transfer Addendum for UK transfers;
- The EU–US Data Privacy Framework (and UK Extension / Swiss–US framework) where the sub-processor is self-certified;
- Transfer Impact Assessments documenting supplementary measures (encryption in transit + at rest, access controls, no government-access disclosures received).
For LGPD transfers from Brazil, we rely on equivalence findings or contractual safeguards as set out in LGPD Art. 33.
10. Data retention
- Anonymous tier: 24-hour cache only; no user-visible history.
- Registered free tier: 7 days of detection history, auto-purged after.
- Paid tiers (Pro / Team / Enterprise): retained indefinitely, until you delete it.
- PAYG / API-only: 7 days history.
- Account data: until you delete your account. Inactive accounts are eligible for purge 24 months after last login (we email you first).
- Billing records: retained 7 years for tax compliance (this overrides deletion requests for those specific records).
- Hashed IP fingerprints: 30 days, then purged.
- Server access logs: 24 hours, then purged.
- Support tickets: 24 months after last reply.
11. Security measures (GDPR Art. 32)
We implement technical and organisational measures appropriate to the risk, including: TLS 1.3 in transit, AES-256 at rest, Argon2id password hashing, HMAC-signed inter-service requests, least-privilege IAM, MFA for admins, dependency scanning, and incident response runbooks. See /legal/security for the long version.
12. Breach notification (GDPR Art. 33–34, UK GDPR, LGPD Art. 48)
If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority within 72 hours where required;
- Notify affected data subjects without undue delay where the risk is high;
- Publish a post-incident summary on our status page once the incident is contained.
13. Your rights — GDPR / UK GDPR
If you are in the EU/EEA, UK, or Switzerland you have these rights:
- Right of access (Art. 15) — a copy of your personal data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17) — subject to legal-retention exceptions.
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20) — machine-readable JSON export.
- Right to object (Art. 21) — to processing based on legitimate interest or direct marketing.
- Rights related to automated decision-making (Art. 22) — see §19.
- Right to withdraw consent (Art. 7(3)) where processing is based on consent.
- Right to lodge a complaint with a supervisory authority — your local DPA, the UK ICO, or the supervisory authority of the alleged infringement.
To exercise any right, use the dashboard self-service tools or email privacy@deepaidetector.com. We respond within 30 days (extendable by 60 days for complex requests, per Art. 12(3)).
14. Your rights — California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you:
- Right to know what personal information we collect, use, disclose (Cal. Civ. Code §1798.110, 1798.115).
- Right to delete personal information (§1798.105), subject to statutory exceptions.
- Right to correct inaccurate personal information (§1798.106).
- Right to opt out of sale or sharing (§1798.120). We do not sell or share personal information, so there is nothing to opt out of, but you may still submit a request to confirm this. A "Do Not Sell or Share My Personal Information" link is provided in our footer for transparency.
- Right to limit use of sensitive personal information (§1798.121). We only process sensitive personal information (your password hash and authentication tokens) for the purposes permitted under §7027 of the CCPA Regulations.
- Right to non-discrimination for exercising your rights (§1798.125).
- Right to portability in a readily usable format.
Categories of personal information collected in the last 12 months: identifiers (email, account ID), commercial information (subscription history), internet activity (hashed IP, request logs), geolocation (country level), and inferences (detection-tier eligibility). Sources: from you directly, from your device automatically, from sub-processors. Purposes: provision of the Service, anti-abuse, billing, security. No personal information was sold or shared in the past 12 months.
How to submit a request: dashboard self-service, or email privacy@deepaidetector.com. We verify identity using your account credentials. Authorized agents must provide a signed permission and a copy of valid ID. We respond within 45 days, extendable by 45 more.
15. Your rights — other US states, LGPD, PIPEDA
- Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Tennessee (TIPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Maryland (MODPA): the rights above (access, deletion, correction where applicable, portability, opt-out of sale/targeted advertising/profiling) apply. We do not engage in targeted advertising or profiling with legal/significant effects, so there is little to opt out of, but the right exists.
- Brazil (LGPD): rights of confirmation, access, correction, anonymisation/blocking/deletion, portability, deletion of consented data, information about sub-processors, revocation of consent, and to file complaints with the ANPD. Exercise via privacy@deepaidetector.com.
- Canada (PIPEDA): rights of access, correction, withdrawal of consent. We follow PIPEDA's 10 fair-information principles. Complaints may be filed with the Office of the Privacy Commissioner of Canada.
- Quebec (Law 25): rights of access, rectification, deletion of consent-based processing, automated-decision review.
- Australia (Privacy Act 1988): rights of access and correction; complaints to the OAIC.
- South Africa (POPIA), Japan (APPI), South Korea (PIPA), India (DPDPA 2023): equivalent rights apply where the law is in force.
16. Children
The Service is not intended for children under 16 (under 13 in the United States, where COPPA applies). We do not knowingly collect personal data from children. If you believe a child has provided data, email privacy@deepaidetector.com and we will delete it.
17. Do Not Track & Global Privacy Control
We do not engage in cross-site tracking, so DNT signals have no behaviour to disable. We honor the Global Privacy Control (GPC) signal (globalprivacycontrol.org) as a valid opt-out request under the CCPA/CPRA and equivalent state laws.
18. CalOPPA disclosure
As required by California Business & Professions Code §22575 (CalOPPA): this Privacy Policy describes the categories of personal information we collect, the categories of third parties with whom we share it, the process for users to review and request changes to their personal information, how we notify users of policy changes, and the policy's effective date — all set out above. We do not engage in third-party advertising.
19. Automated decision-making & AI
Our detection model produces an AI-likelihood probability score. This is an automated output but is not a "decision producing legal or similarly significant effects" within the meaning of GDPR Art. 22(1) — the score is an opinion, not a determination about you. Customers using the score as input to their own decisions (academic, hiring, etc.) are independently responsible for human review. See our AI Detection Disclaimer and EU AI Act Disclosure.
You may request human review of any detection result via support@deepaidetector.com.
21. Changes to this policy
We may update this Privacy Policy. Material changes will be communicated by email at least 30 days in advance and posted at the top of this page with a new effective date. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
22. Contact & complaints
- Privacy: privacy@deepaidetector.com
- Security: security@deepaidetector.com
- Legal: legal@deepaidetector.com
- EU/EEA residents: you may complain to your local Data Protection Authority. UK residents: the Information Commissioner's Office (ico.org.uk). Brazilian residents: ANPD (gov.br/anpd). Canadian residents: the OPC (priv.gc.ca).