Privacy Policy
Last updated 2026-03-09
Effective Date: April 17, 2026
TomX Corporation ("TomX," "we," "us," or "our") operates TomLegal AI. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website, mobile applications, and related services (collectively, the "Service"). Please read this policy carefully.
1. Information We Collect
Account Information. When you create an account, we collect your email address and display name. If you register using Google sign-in or Sign in with Apple, we may receive your name, email address, and profile picture from the authentication provider. We do not receive your provider password.
Usage Data. We collect information about how you use the Service, including the queries you submit, features you access, session duration, the AI model you select, and interaction logs. For Pro users, research sessions are private. For Guest and Free users, research content is publicly accessible by default.
Device and Technical Data. We automatically collect your IP address, browser type, operating system, and device identifiers when you access the Service. This data is used for security, rate limiting, and service improvement.
Uploaded Files. If you upload files to the Service, we store the file content and associated metadata. Files are used solely to provide semantic search and AI-assisted analysis within your research session. You are responsible for ensuring you have the right to upload any file you submit.
Payment Data. Payments are processed by Stripe, Inc. We do not store your payment card number, CVV, or banking information. We receive and store only your Stripe customer ID and subscription status to manage your account.
Communications. If you contact us, we retain your messages and contact details to respond to your inquiry.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, maintain, and improve the Service
- Process payments and manage subscriptions
- Enforce usage limits (daily and monthly query quotas)
- Authenticate your identity and maintain session security
- Detect, prevent, and investigate fraud, abuse, and security incidents
- Send transactional communications such as receipts, account notices, and security alerts
- Respond to your support requests and inquiries
- Analyze aggregate usage patterns to improve the Service
- Comply with legal obligations
We do not sell your personal information to third parties.
3. AI Provider Data Processing
Before TomLegal sends a research request, prompt enhancement request, or uploaded-file content to an AI provider, the app asks for your permission. If you do not agree, TomLegal will not send that request to the AI provider.
To generate research responses, your queries, relevant conversation context, selected source settings, model settings, and uploaded-file text are transmitted to third-party AI model and embedding providers. The provider used depends on the AI or embedding model selected for the request. Current providers include:
- OpenAI, Inc. — for GPT-series models
- Anthropic, PBC — for Claude-series models
- Google LLC — for Gemini-series models
- Groq, Inc. — for fast inference models
Each provider processes your requests under its own privacy policy and data processing terms, and we require providers we use for production service delivery to protect personal data with safeguards comparable to those described in this policy. We do not transmit your payment information, government identification, or account credentials to AI providers. Do not include sensitive personal information, privileged communications, or confidential client data in queries unless you have reviewed and accepted the relevant provider's data handling terms.
4. Information Sharing and Disclosure
We share your information only as described below:
Infrastructure Providers. We use Supabase as our database, authentication, and file storage provider. Supabase processes data on our behalf under a data processing agreement. Your account data, queries, chat history, and uploaded files are stored in Supabase-managed infrastructure.
Payment Processor. Stripe processes all payment transactions. We share your email address and subscription details with Stripe solely for billing purposes.
Search Infrastructure. User queries may be processed through SearxNG, a privacy-respecting meta-search engine, to retrieve web sources. Search queries are not linked to personally identifiable information.
Analytics. We use Plausible Analytics for anonymous page-view analysis. Plausible does not use cookies, does not collect personally identifiable information, and is GDPR-compliant. No individual user behavior is tracked.
Authentication Providers. If you sign in with Google or GitHub, those providers may collect information about your login activity under their own privacy policies.
Legal Requirements. We may disclose your information if required to do so by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of TomX, our users, or the public.
Business Transfers. In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
We do not share your personal information with advertisers or data brokers.
5. Public Research Sessions
Guest and Free Account research sessions are publicly accessible by default. Other users may view your research queries and AI-generated responses through the Service's discovery features. Do not submit confidential, proprietary, or sensitive information in public research sessions. Pro Account sessions are private and not accessible to other users.
6. Data Retention
We retain your account information for as long as your account remains active. Chat history and query data are retained for up to 90 days unless you delete them earlier through your account settings. Uploaded files are retained until you delete them or close your account. Credit transaction records are retained for accounting and legal compliance purposes for a period of seven years. We retain anonymized usage statistics indefinitely.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate or incomplete information
- Deletion — Request deletion of your personal information, subject to our legal retention obligations
- Portability — Request your data in a structured, machine-readable format
- Objection — Object to certain processing activities
To exercise any of these rights, contact us at support[at]tomx.com. We will respond within 30 days. We may need to verify your identity before processing your request.
8. California Residents — CCPA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, disclose, or sell
- The right to delete personal information we have collected from you
- The right to opt out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
To submit a CCPA request, contact us at support[at]tomx.com or (888) 995-8669.
9. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us at support[at]tomx.com and we will delete it promptly. Users must be at least 18 years old to create an account.
10. Security
We implement industry-standard technical and organizational measures to protect your personal information, including TLS encryption for data in transit and encryption at rest via our infrastructure providers. We use Stripe's PCI-compliant infrastructure for all payment data. However, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
If you become aware of any security vulnerability or unauthorized access to your account, please notify us immediately at support[at]tomx.com.
11. Third-Party Links
The Service may contain links to third-party websites and services. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you access through the Service.
12. Changes to This Privacy Policy
We will notify you of material changes to this Privacy Policy by posting a notice on the Service or by sending an email to your registered address at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.
13. Contact
For privacy-related questions, requests, or concerns:
TomX Corporation
5757 Alpha Rd, Suite 504
Dallas, TX 75240
Phone: (888) 995-8669
Email: support[at]tomx.com