LAST UPDATED · JUNE 14 2026

Privacy Policy

We designed the desktop product to be local-first — your code, files and AI keys stay on your machine. The parts that do involve us are the website and your account (sign-in, leaderboard, analytics, payments). This policy explains both, honestly. It should be reviewed by qualified counsel and completed with your legal-entity details before you rely on it.

This Privacy Policy explains how The Termi Protocol (“Termi Protocol,” “we,” “us,” “our”) collects, uses and protects personal data when you visit termiprotocol.com, create an account, or use our services (together, the “Service”). It is written to address the EU/UK GDPR, Türkiye’s KVKK, and the CCPA/CPRA (California).

1. Who is responsible for your data (Controller)

The data controller (KVKK: veri sorumlusu) is [LEGAL ENTITY / SOLE PROPRIETOR NAME], [REGISTERED ADDRESS, COUNTRY]. For any privacy question or to exercise your rights, contact [email protected].

2. The local-first principle (what we never receive)

The desktop application runs on your own machine, and you connect your own AI provider with your own key (BYOK). Your source code, files, terminal sessions, prompts, AI outputs and API keys stay on your device. They are not transmitted to, stored on, or processed by Termi Protocol servers. When your agent calls an AI model, that request goes from your machine directly to the provider you configured.

3. Information we collect (website & account)

Account & sign-in. When you create an account we process your email address and an encrypted password, or — if you choose “Continue with Google” — the name, email, profile picture and Google account identifier that Google returns. Authentication is handled by Supabase on our behalf.
Profile & gamification. Your username/display name, avatar, and game progress (XP, level, league, daily usage statistics such as token/cost totals) used to power the leaderboard and your stats. Your username and rank may be shown publicly on the leaderboard.
Product & behavioural analytics. Via Amplitude we collect usage events (pages viewed, clicks, form interactions, sessions, device/browser type, language, and approximate location derived from IP). When you are signed in, these events are associated with your account ID.
Session Replay. Amplitude Session Replay records a reconstruction of your interactions with the website (mouse movement, clicks, navigation) to help us diagnose issues and improve UX. Text you type and form inputs are masked by default, and passwords are never captured. See “Cookies & consent” below.
Infrastructure & security. Our host/CDN Cloudflare processes connection data (IP address, request metadata, approximate location, and bot/threat signals) to deliver, secure and measure the site.
Payments. If you subscribe, our payment processor Creem handles your card/billing details directly. We do not receive or store full card numbers; we keep your subscription tier/status and a processor customer reference.
Communications. If you join a waitlist, contact us or send feedback, we keep your email and message.

4. How we use information & our legal bases

To provide the Service — create and secure your account, run the leaderboard, deliver subscriptions. Legal basis: performance of a contract.
Analytics, Session Replay & product improvement. Legal basis: your consent (where required), otherwise our legitimate interest in understanding and improving the Service.
Security, fraud and abuse prevention (including bot mitigation). Legal basis: legitimate interests / legal obligation.
Communications you requested (product updates, protocol releases, support). Legal basis: consent or legitimate interest.

5. Cookies, local storage & consent

We use essential cookies/local storage to keep you signed in and remember preferences, and analytics technologies (Amplitude) including Session Replay. In the EU/EEA, UK and Türkiye we will ask for your consent to non-essential analytics and Session Replay, and you can withdraw it at any time. You can also block cookies in your browser; essential functionality will still work.

6. Who we share data with (processors / third parties)

We do not sell your personal data. We share it only with service providers who process it on our instructions:

Supabase — authentication & database (account, profile, usage). Hosted in the EU (eu-central-1).
Google — “Sign in with Google” (only if you choose it).
Amplitude — product analytics & Session Replay.
Cloudflare — hosting, CDN, security and traffic analytics.
Creem — subscription payments.

We may also disclose data if required by law or to protect our rights, users and the Service.

7. International data transfers

Some processors (e.g. Amplitude, Cloudflare, Creem, Google) are based in or transfer data to the United States and other countries. Where data leaves the EEA/UK/Türkiye, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent mechanisms.

8. Data retention

We keep account and profile data for as long as your account exists, and delete or anonymise it within a reasonable period after you close it (unless we must retain some records for legal, tax or security reasons). Analytics and Session Replay data are retained for a limited period in line with Amplitude’s settings. Waitlist/contact data is kept until you ask us to delete it or it is no longer needed.

9. Your rights

Depending on where you live (GDPR, KVKK, CCPA/CPRA), you may have the right to: access your data; correct it; delete it; export/port it; object to or restrict processing; withdraw consent; and, under the CCPA, to know, delete, correct and opt out of “sale”/“sharing” (we do not sell or share in that sense). To exercise any right, email [email protected]. You may also lodge a complaint with your supervisory authority — in Türkiye the Kişisel Verileri Koruma Kurulu (KVKK), in the EU your local Data Protection Authority.

10. Security

We use encryption in transit (HTTPS), reputable processors, access controls and other measures to protect your data. No method of transmission or storage is 100% secure, but we work to protect your information and to notify you and regulators of breaches where required.

11. Children

The Service is not directed to children under 13 (or the minimum age in your jurisdiction), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

12. Changes

We may update this policy as the product evolves through its protocols. Material changes will be reflected by the “Last updated” date above and, where appropriate, notified to you.

13. Contact

Privacy questions or requests: [email protected].

Read the Terms of Use →