This document contains two parts:
Part I — Website visitors (tero.legal)
Part II — Platform users (app.tero.legal)
PART I
Privacy Policy — tero.legal
This Privacy Policy explains how Tero Legal ApS ("Tero", "we", "us", or "our") handles personal data when you visit our website at tero.legal. It does not govern the Tero application platform (app.tero.legal), which is covered by Part II below.
We are fully committed to compliance with the EU General Data Protection Regulation (GDPR) and applicable Danish data protection legislation. Questions about this policy should be directed to privacy@tero.legal.
1. Data Controller
Tero Legal ApS is the company responsible for your data when you visit tero.legal — if you have questions, email privacy@tero.legal.
The data controller for personal data processed through tero.legal is:
Tero Legal ApS
CVR: 46438760
Registered address: Besservej 3. 1, 8240, Aarhus, Denmark
Privacy contact: privacy@tero.legal
2. Personal Data We Collect
We collect limited information when you visit tero.legal — mainly contact details you choose to share and basic technical data generated automatically by your browser. The site sets no cookies and uses no advertising or tracking technologies.
2.1 Information you give us directly
- Contact form and waitlist enquiries: your name, email address, and any message you choose to submit.
- Newsletter or product update subscriptions: name and email address.
- Survey responses: where we invite feedback on our services, we may collect your name, email address, and answers to survey questions. Participation is always voluntary.
2.2 Information collected automatically
When you visit tero.legal, certain technical data is generated automatically:
- Server logs: IP address, browser type, referring page, and pages visited. Retained for up to 30 days for security and diagnostic purposes.
- Cookies: tero.legal sets no cookies. The only client-side storage is two strictly functional preferences kept in your browser's localStorage — tero_lang (your language choice) and tero_theme (light or dark appearance). These are not identifiers, are never used for tracking, and are never transmitted to us or any third party. We deploy no advertising, analytics, or third-party tracking technologies.
Because the site uses no cookies, there is no cookie banner and nothing to consent to. You can clear the two functional preferences at any time through your browser's site-data settings; the site will simply return to its defaults.
2.3 Information from third parties and public sources
We may collect publicly available professional information (such as name, firm, and contact details) about prospective clients for business development purposes. We rely on our legitimate interests in promoting our services to relevant professionals (Art. 6(1)(f) GDPR) as the legal basis for this processing. A Legitimate Interests Assessment has been conducted and is available on request. You may object to this processing at any time by contacting privacy@tero.legal, and we will cease processing your data for this purpose without undue delay.
3. How and Why We Use Your Data
We use your data to deliver the service, keep it secure, and meet our legal obligations. The table below lists every purpose, the legal basis under GDPR, and how long we keep each type of data.
The table below sets out the purposes for which we process personal data on tero.legal, the data involved, the legal basis under GDPR, and the retention period.
| Purpose | Personal data involved | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Responding to enquiries and pre-contractual communications | Name, email address, message content | Art. 6(1)(b) — pre-contractual steps at your request | 24 months from last contact |
| Sending newsletters or product updates (where subscribed) | Name, email address | Art. 6(1)(a) — your consent (withdrawable at any time) | Until you unsubscribe |
| Website security and performance monitoring | IP address, server log data | Art. 6(1)(f) — legitimate interest in securing our systems | 30 days |
| Measuring satisfaction and gathering product feedback via surveys | Name, email, survey responses | Art. 6(1)(f) — legitimate interest in improving our services | Until the relevant contract or relationship ends |
| Business development and prospect outreach | Publicly available professional contact details | Art. 6(1)(f) — legitimate interest in marketing our services to relevant professionals | Until you opt out or the information becomes inaccurate |
We do not use personal data collected through tero.legal for automated decision-making or profiling, and we do not sell your data to third parties.
4. Sharing Your Data
We don't sell your data. It's shared only with our technical sub-processors, within Tero on a need-to-know basis, or when legally required.
We do not sell or trade your personal data. We may share it with:
- Service providers and sub-processors who assist in operating the website (see Section 5).
- Competent authorities, regulators, or courts where we are legally required to disclose information.
- Successors in the event of a merger, acquisition, or other business transfer. In such cases you will be notified in advance.
5. Sub-Processors
Two providers support this website: WebPrompter.ai (website hosting and content delivery, within the EU/EEA) and Namecheap (domain registration and DNS). Both operate under GDPR data processing agreements.
The following service providers operate on our behalf in connection with tero.legal. All are engaged under data processing agreements and comply with GDPR transfer requirements where applicable:
| WebPrompter.ai | Website hosting and content delivery, including handling of demo and contact form submissions. EEA-based provider (Norway); all data processed within the EU/EEA under a GDPR data processing agreement. |
|---|---|
| Namecheap | Domain registration and DNS management for tero.legal. |
6. International Data Transfers
All website data is processed within the EU/EEA. Our hosting provider, WebPrompter.ai, is an EEA-based company that serves tero.legal from EU/EEA infrastructure, so your personal data is not transferred outside the EEA.
Our website hosting provider, WebPrompter.ai, is established in Norway, which is part of the European Economic Area (EEA), and processes website data within the EU/EEA. As a result, no transfer of your personal data to a country outside the EU/EEA takes place in connection with your visit to tero.legal. Should this change in future — for example, if we engage a provider that processes data outside the EEA — any such transfer will be carried out under the safeguards prescribed by GDPR Chapter V, in particular standard contractual clauses (SCCs) approved by the European Commission, together with any supplementary measures required.
7. Data Retention
We keep account and usage data for the duration of your subscription, then delete it. Encrypted document content is deleted within 30 days of termination.
We retain personal data only as long as necessary for the stated purposes or as required by applicable law:
- Server logs: 30 days.
- Contact and enquiry data: 24 months from the date of last interaction, or sooner upon your request.
- Newsletter subscriptions: until you unsubscribe.
- Survey data: until the relevant commercial relationship ends.
When data is no longer required, it is securely deleted or anonymised. Where deletion of backup copies is not immediately possible, the data is isolated and protected until it can be removed.
8. Your Rights
You have the right to see, correct, delete, or export your data at any time — just email privacy@tero.legal. You can also complain to the Danish data authority (Datatilsynet).
As a data subject under the GDPR, you hold the following rights. You may exercise any of them by contacting privacy@tero.legal at any time. We will respond within 30 days and will not charge a fee unless a request is manifestly unfounded or excessive.
- Access: Right to information and access: to know whether we hold data about you and to receive a copy.
- Rectification: To correct inaccurate or incomplete data we hold.
- Erasure: In certain circumstances, to have your data deleted.
- Restriction: To request that we limit how we use your data while a dispute or assessment is pending.
- Portability: To receive your data in a machine-readable format for transfer to another provider.
- Objection: To object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling grounds.
- Withdraw consent: To withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.
Please note: in order to protect your personal data, we may ask you to verify your identity before acting on a request.
You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet): www.datatilsynet.dk · +45 33 19 32 00.
9. Links to Third-Party Websites
If you click a link to another website, this policy no longer applies — check that site's own privacy policy before sharing any information.
tero.legal may contain links to external websites not operated by Tero. This Privacy Policy does not apply to those sites. We are not responsible for their privacy practices and encourage you to review their policies directly before providing any personal data.
10. Contact
If you have any questions or requests about your personal data, you can reach us at privacy@tero.legal.
For any questions, requests, or complaints relating to this policy:
Tero Legal ApS · privacy@tero.legal · Besservej 3. 1, 8240, Aarhus, Denmark
11. Updates to This Policy
We may update this policy from time to time. The effective date at the top will change when we do, and we'll ask for your consent again if anything material changes how we use your data.
We may revise this policy periodically to reflect changes in our practices or applicable law. The effective date shown above will be updated whenever material changes are made. Where material changes affect processing activities that are based on your consent, we will seek your renewed consent before the change takes effect rather than relying on continued use as acceptance. For changes affecting processing based on other legal grounds (such as contract or legitimate interests), continued use of tero.legal after the effective date of the update constitutes acceptance of the revised policy.
PART II
Privacy Policy — app.tero.legal (Platform Users)
Applies to: app.tero.legal · Effective date: 8 May 2026
This Privacy Policy governs the processing of personal data in connection with your use of the Tero application platform at app.tero.legal (the 'Platform'). It should be read alongside any subscription agreement or terms of service you have entered into with Tero Legal ApS ('Subscriber Agreement').
Tero is built on a GDPR-native, zero-knowledge storage architecture. Legal Content stored on the Platform is encrypted client-side using AES-256 before transmission to Tero’s infrastructure. Tero personnel hold only encrypted ciphertext and cannot access or read stored Legal Content. Where you submit content to AI features within the Platform, that content is temporarily decrypted and processed through AWS Bedrock — Amazon’s managed AI inference service — hosted on AWS infrastructure within the European Union. Multiple large language models from different providers may be used depending on the feature. AWS acts as Tero’s sub-processor for this processing under the AWS Data Processing Addendum. Content submitted to AI features is not used to train any underlying foundation model and is not retained beyond the active session. This policy describes the account and operational data we process as data controller, and on what basis.
1. Roles and Responsibility
For your account and login data, Tero is the controller. For documents and queries you upload to the platform, your organisation is the controller — Tero just processes them on your behalf.
Tero Legal ApS is the data controller for account and operational data (name, email address, usage logs, billing information) collected in the course of providing the Platform.
For any personal data contained within the documents and queries you upload or generate on the Platform ('Content'), your organisation acts as the data controller and Tero acts as data processor under GDPR Article 28. Processing of Content is governed by the Data Processing Agreement incorporated into your Subscriber Agreement. Any rights requests relating to personal data included in Content should be directed to your organisation's administrator; if Tero receives such requests, they will be forwarded to the relevant Subscriber.
This policy does not apply to Content itself. Because Content is encrypted at rest and in transit and is inaccessible to Tero, it falls outside the scope of Tero's data controller obligations.
2. Personal Data We Collect
We collect your account details, usage logs, and billing information to run the platform. We do not log the content of your documents or AI queries — only that you used a feature.
2.1 Account and registration data
- Name, email address, and professional role.
- Organisation name, administrator details, and billing contact information.
- Authentication credentials. Passwords are hashed and salted; Tero never stores plaintext credentials.
- Language preferences and account settings.
2.2 Usage and technical data
When you interact with the Platform, the following data is generated automatically:
- Session logs: login timestamps, IP addresses, browser type, device identifiers, and time zone.
- Feature usage metrics: which modules you access (AI Legal Assistant, Tabular Contract Review), frequency of use, and the volume of queries processed. We do not log the content of queries or documents — only that a feature was used.
- Error and diagnostic logs: anonymised technical data used to identify and resolve issues.
- Clickstream and interaction data: pages and features accessed, time spent, and navigation paths within the Platform.
2.3 Billing data
- Subscription plan, billing cycle, and payment method details. Payment card data is handled exclusively by our payment processor and is never stored by Tero.
2.4 Communications
- Support tickets, feedback messages, and any other communications you send to Tero. We may record or retain these to resolve your enquiry and improve our services.
2.5 Publicly available information
The Platform provides access to publicly available legal sources (Danish legislation via Retsinformation, case law via Domsdatabasen, and other official databases). Some of this material may contain references to identifiable individuals. Such data is processed solely to enable accurate and relevant AI responses and is not used to profile individuals or for any other purpose.
3. How and Why We Use Your Data
We use your data to deliver the service, keep it secure, and meet our legal obligations. The table below lists every purpose, the legal basis under GDPR, and how long we keep each type of data.
The table below sets out each processing purpose, the personal data involved, the applicable GDPR legal basis, and the retention period.
| Purpose | Personal data involved | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Delivering and administering the Platform under your Subscriber Agreement | Account data, usage data, billing data | Art. 6(1)(b) — performance of a contract | Duration of subscription |
| Verifying your identity and managing access controls | Account data, session logs | Art. 6(1)(b) — performance of a contract | Duration of subscription |
| Platform security monitoring and incident response | Session logs, IP addresses, device data | Art. 6(1)(f) — legitimate interest in securing systems and protecting users | 12 months |
| Product analytics and service improvement | Usage data, error logs (anonymised where possible) | Art. 6(1)(f) — legitimate interest in developing and improving our services | Duration of subscription |
| Billing and cost calculation | Usage data, billing data | Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interest in accurate invoicing | 5 years (Danish bookkeeping law) |
| Customer support and responding to your enquiries | Account data, communication data | Art. 6(1)(b) — performance of a contract | Duration of subscription + 24 months |
| Satisfaction surveys and product feedback | Name, email, survey responses | Art. 6(1)(f) — legitimate interest in measuring and improving service quality | Until the Subscriber Agreement ends |
| Compliance with legal obligations (bookkeeping, tax, anti-money laundering) | Billing records, account data | Art. 6(1)(c) — legal obligation | 5–7 years under applicable law |
| Protecting Tero's legal rights in the event of a dispute | All categories as necessary | Art. 6(1)(f) — legitimate interest in defending legal claims | Duration of any dispute or limitation period |
We do not use Platform account data for automated decision-making or profiling that produces legal or similarly significant effects. We do not sell personal data to third parties.
4. Sharing Your Data
We don't sell your data. It's shared only with our technical sub-processors, within Tero on a need-to-know basis, or when legally required.
We do not sell or trade your personal data. We may share it in the following circumstances:
- Sub-processors: vendors and service providers engaged to help us operate the Platform (see Section 5). They process data only on our documented instructions.
- Within Tero: access to personal data is restricted to personnel who need it to perform their role and are bound by confidentiality obligations.
- Collaboration features: certain actions you take within shared workspaces may be visible to other users in your organisation. You control what you share.
- Legal requirements: where we are obliged to disclose data to satisfy a legal requirement, court order, or regulatory request.
- Business changes: in connection with a merger, acquisition, or transfer of business assets, personal data may be shared with counterparties under appropriate confidentiality protections and transferred to a successor. Affected users will be notified in advance.
5. Sub-Processors
These are the four services (AWS, Supabase, Koyeb, and AWS Bedrock) that power the platform — all EU-based and all operating under GDPR data processing agreements.
The following sub-processors operate on our behalf to deliver the Platform. All are engaged under GDPR-compliant data processing agreements:
| AWS (Amazon Web Services) | Primary cloud infrastructure. All data stored and processed exclusively in EU regions. AWS GDPR Data Processing Addendum in place. |
|---|---|
| Supabase | Database and authentication services, hosted on AWS EU infrastructure. Processes account and operational data only. Legal Content is encrypted before reaching this layer. |
| Koyeb | Serverless compute for application services. Deployed in EU regions. Koyeb DPA in place. |
| AWS Bedrock (AI inference) | Amazon’s managed AI inference service used to run large language models for the AI Legal Assistant and Tabular Contract Review features. Deployed on AWS infrastructure within the EU. Queries are processed under the AWS Data Processing Addendum; prompt and response data is not used to train foundation models and is not retained beyond the active session. No transfer outside the EU/EEA occurs. |
We will provide advance notice of any material additions or changes to this sub-processor list via your account dashboard or email, giving you reasonable opportunity to raise objections before the change takes effect.
6. International Data Transfers
Your data stays in the EU. AI query processing uses AWS Bedrock, which runs entirely within EU infrastructure, so nothing leaves the EU/EEA in connection with your use of the platform.
Tero is designed to keep personal data within the EU/EEA. AWS, Supabase, and Koyeb are configured to process and store data exclusively in EU regions.
AI query processing is performed via AWS Bedrock, which is deployed on AWS infrastructure within the European Union. No personal data is transferred outside the EU/EEA in connection with AI features on the Platform. The foundation models accessible through AWS Bedrock may be developed by third-party providers; however, Tero’s sub-processing relationship is with AWS, which ensures that inference remains within EU infrastructure under the AWS Data Processing Addendum.
In addition to SCCs, we may rely on the following safeguards for other transfers outside the EU/EEA as relevant: adequacy decisions adopted by the European Commission; the EU-US Data Privacy Framework where a recipient is certified; and, in limited circumstances, applicable derogations under GDPR Article 49. Your data subject rights are unaffected by any such transfers.
7. Data Retention
We keep account and usage data for the duration of your subscription, then delete it. Encrypted document content is deleted within 30 days of termination.
We retain personal data only as long as required by the purposes described in Section 3 or by applicable law:
- Account data: for the duration of your subscription.
- Usage and session logs: up to 12 months.
- Encrypted Content: for the duration of your subscription. Following termination, encrypted ciphertext is deleted within 30 days. Tero cannot decrypt this data at any point.
- Billing records: 5 years under Danish bookkeeping law (Bogføringsloven).
- Support communications: duration of subscription plus 24 months.
- Data held to protect Tero's legal rights: for the duration of any relevant dispute or applicable limitation period.
When the retention period expires, data is securely deleted or irreversibly anonymised. Where data is stored in backup archives that cannot be immediately deleted, it is isolated and protected from further active processing until deletion becomes possible.
8. Security
Your documents are encrypted using AES-256 and Tero staff cannot read them. All connections use TLS 1.3, and we notify regulators and users within 72 hours of any breach.
Tero takes technical and organisational security seriously. Our measures include:
- AES-256 encryption of all Content.
- TLS 1.3 encryption for all data in transit.
- Bcrypt password hashing with per-user salts.
- Role-based access controls and the principle of least privilege across all internal systems.
- Comprehensive audit logging for access to account and operational data.
- AWS VPC isolation and security group controls for backend infrastructure.
- Security reviews conducted prior to each major product release.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify Datatilsynet within 72 hours of becoming aware and will notify affected users without undue delay. For more information on our security practices, see our Security Policy at tero.legal/legal/security.
9. Your Rights
You can access, correct, delete, or export your account data by contacting privacy@tero.legal. Note that Tero cannot decrypt your document content — rights requests for that go through your own organisation.
You hold the following rights under GDPR Articles 15–22. To exercise any of them, contact privacy@tero.legal. We will respond within 30 days and will not charge a fee unless a request is manifestly unfounded or excessive. We may ask you to verify your identity before acting on a request.
- Access: To obtain confirmation of whether we hold data about you and to receive a copy of it.
- Rectification: To have inaccurate or incomplete data corrected.
- Restriction: To request that we limit the processing of your data while a dispute is pending or an assessment is underway.
- Objection: To object to processing based on our legitimate interests. We will cease unless we can show compelling grounds that override your interests.
- Erasure: To have your data deleted where it is no longer needed, where you withdraw consent, or in other circumstances provided by law. Note that legal retention obligations may prevent immediate full deletion.
- Portability: To receive your data in a structured, machine-readable format and have it transferred to another controller.
- Withdraw consent: To withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.
Important note regarding Content: your legal documents and queries are encrypted with a key held only by you (and your organisation's administrator). Tero is technically unable to access, produce, or delete the underlying plaintext. Rights requests relating to personal data within Content should be directed through your organisation's key management process.
You may also lodge a complaint with the Danish Data Protection Authority (Datatilsynet): www.datatilsynet.dk · +45 33 19 32 00.
We will not discriminate against you for exercising any of the above rights.
10. Data Processing Agreement (DPA)
If your organisation uploads personal data about others (clients, employees) to the platform, a Data Processing Agreement (DPA) is automatically part of your subscription. You can request a copy at privacy@tero.legal.
Where your organisation processes documents or data on the Platform that contain personal data relating to third parties (clients, counterparties, employees, or others), your organisation is the data controller for that Content and Tero acts as data processor under GDPR Article 28. A Data Processing Agreement setting out the subject matter, duration, nature, and purpose of processing, as well as your and our obligations, is incorporated by reference into your Subscriber Agreement and is available on request at privacy@tero.legal.
11. Contact
For any data-related questions or rights requests relating to the platform, contact privacy@tero.legal.
For any questions, rights requests, or complaints relating to this policy:
Tero Legal ApS · privacy@tero.legal · Besservej 3. 1, 8240, Aarhus, Denmark
All data protection enquiries are handled by Tero’s designated data protection contact and are responded to directly at the above address. We do not currently meet the thresholds requiring mandatory DPO appointment under GDPR Art. 37; however, data protection is overseen at executive level and our contact holds a certified data protection qualification.
12. Updates to This Policy
We may update this policy when our technology, sub-processors, or the law changes. Active subscribers get at least 30 days' advance notice of material changes.
We may update this policy to reflect changes in our architecture, sub-processors, product features, or applicable law. Material changes will be communicated to active Subscribers via in-platform notification or email with a minimum of 30 days' advance notice before they take effect. Continued use of the Platform after the effective date of an update constitutes acceptance. The current version is always available at app.tero.legal/privacy.