Privacy Policy for Web Summarizer Browser Extension

Effective Date: January 7, 2026

1. Introduction

This Privacy Policy describes how dipl. eng. Christo Tsvetanov ("Company," "we," "us," or "our"), registered in Bulgaria, collects, uses, shares, and protects your Personal Data when you use our Web Summarizer browser extension and related services (collectively, the "Service").

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy complies with the EU General Data Protection Regulation (GDPR) and considers requirements under California privacy laws (CCPA/CPRA).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. Our Terms of Service, available at https://web-summarizer.com/tos.html, incorporate this Privacy Policy by reference.

2. Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person ('Data Subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (like an IP address or cookie ID), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• "Processing": Any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• "Data Controller": The entity that determines the purposes and means of the processing of Personal Data. For the purpose of this Policy, dipl. eng. Christo Tsvetanov is the Data Controller of your Personal Data collected directly by us.
• "Data Processor": An entity that processes Personal Data on behalf of the Data Controller (e.g., our service providers).
• "GDPR": General Data Protection Regulation (EU) 2016/679.
• "CCPA/CPRA": California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

3. Information We Collect

We collect information about you directly from you, automatically through your use of the Service, and potentially from third parties.

3.1. Information You Provide Directly:

• Account Information: When you create a User Account, we collect your email address. This is necessary to establish and manage your account.
• Payment Information: We use Lemon Squeezy as our Merchant of Record to handle all payments and billing. When you subscribe to a paid plan, you provide your payment information (e.g., credit card details, billing address) directly to Lemon Squeezy. We do not collect, process, or store your credit card information. We only receive confirmation of your purchase, a subscription identifier, and your license status from Lemon Squeezy to enable your access to the Service.
• Communications: If you contact us directly (e.g., for support), we may collect your name, email address, the content of your message, and any other information you choose to provide.

3.2. Information Collected Automatically:

• IP Address: We collect your IP address when you interact with our Service (e.g., login, use features). This is used for security purposes (fraud detection, abuse prevention), analytics, and to approximate your general geographic location (country/region level).
• Usage Metadata: We collect metadata about how you use the Service. This includes:
  • The types of operations performed (Summarize, Analyze, Translate).
  • The frequency and timing of these operations (timestamps).
  • Information about your Subscription Plan and usage relative to limits.
  • Technical information about your device and browser (e.g., browser type, operating system, extension version).
  Importantly, we DO NOT collect or log the actual text content you summarize or analyze, nor the generated summaries or analysis results themselves after the operation is complete. The processing happens transiently.
• Cookies and Similar Technologies: We use cookies and similar tracking technologies (like web beacons or local storage) to operate and administer the Service, authenticate users, remember user preferences, and gather usage analytics. See Section 12 ("Cookies and Tracking Technologies") for more details.

3.3. Information from Third Parties:

• Google Firebase Authentication: If you use Google Sign-In or another method provided by Firebase, we may receive certain profile information from Google (like your Google User ID or email address) to facilitate account creation and login. This depends on the permissions granted during the authentication process.
• Lemon Squeezy: We receive transaction status updates, subscription validity confirmations, and basic customer identifiers (but not full financial data) from Lemon Squeezy.

4. How We Use Your Information and Legal Basis (GDPR)

We use the information we collect for various purposes, relying on specific legal bases under GDPR:

• To Provide and Maintain the Service:
  • Creating and managing your User Account.
  • Authenticating your access.
  • Processing your requests (Summarize, Analyze, Translate) by transmitting necessary data to Google Gemini.
  • Enforcing usage limits based on your Subscription Plan.
  Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR) - providing the service you requested.
• To Process Payments:
  • Facilitating the order process via Lemon Squeezy (Merchant of Record).
  • Managing subscription renewals and cancellations via the reseller platform.
  Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
• To Improve and Personalize the Service:
  • Analyzing Usage Metadata to understand user behavior, identify popular features, troubleshoot issues, and improve service performance and user experience.
  • Using aggregated and anonymized data for statistical analysis.
  Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) - our interest in improving and developing our Service, provided your fundamental rights do not override these interests. We may rely on Consent (Art. 6(1)(a) GDPR) for certain non-essential analytics cookies.
• To Communicate With You:
  • Sending important service-related notices (e.g., security alerts, changes to terms/privacy policy, subscription status).
  • Responding to your support requests or inquiries.
  • Sending promotional or marketing communications about our products or services (only with your explicit consent).
  Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR) - for essential service communications; Legitimate interests (Art. 6(1)(f) GDPR) for responding to inquiries; Consent (Art. 6(1)(a) GDPR) for marketing communications.
• For Security and Fraud Prevention:
  • Monitoring for suspicious activity or violations of our Terms of Service.
  • Using IP addresses and account information to detect and prevent abuse or unauthorized access.
  Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR) - our interest in securing our Service and protecting our rights and users; Legal obligation (Art. 6(1)(c) GDPR) in some cases.
• To Comply with Legal Obligations:
  • Responding to lawful requests from public authorities.
  • Meeting regulatory requirements.
  Legal Basis: Legal obligation (Art. 6(1)(c) GDPR).

5. Data Sharing and Disclosure

We do not sell your Personal Data. We may share your information in the following circumstances:

• Third-Party Service Providers (Data Processors): We share information with third-party vendors and service providers who perform services on our behalf. These include:
  • Google Gemini: To perform the core Summarize, Analysis, and Translate functions. The web page content or selected text you process is sent to Google. Google's use of this data is governed by their terms and privacy policies. We do not control how Google uses this data beyond initiating the processing request.
  • Google Firebase Authentication: To manage user authentication and account services. Google handles authentication data according to its policies.
  • Lemon Squeezy: To act as the Merchant of Record for your orders, process payments, and handle tax compliance. Lemon Squeezy collects and processes your billing information directly according to their privacy policy.
  • Hosting and Infrastructure Providers: To host our Service and store data (including Personal Data like email and IP, and Usage Metadata).
  • Analytics Providers: To help us understand Service usage (may involve cookies and usage data).
  These providers are contractually obligated to protect your data and use it only for the services we request.
• Legal Requirements: We may disclose your information if required by law, subpoena, court order, or other governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Business Transfers: If dipl. eng. Christo Tsvetanov is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction, subject to standard confidentiality arrangements and notice if required by law.
• With Your Consent: We may share your information with third parties when we have your explicit consent to do so.

6. Data Processing by Google Gemini

Crucially, when you use the Summarize, Analysis, or Translate Summary features, the content of the web page or the text you have selected IS SENT TO Google for processing by their Gemini AI models. This is necessary for the features to function. We act as an intermediary, facilitating this data transfer based on your action.

We DO NOT store the content sent to Google Gemini or the results (summaries, analyses, translations) received back from them in our logs after the operation is completed and displayed to you. The processing is transient within our systems.

Google's processing of this data is subject to its own terms and privacy policies. We encourage you to review them: Google Terms of Service and Google Privacy Policy.

7. International Data Transfers

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. As we are based in Bulgaria (EU) and use services from providers like Google and Lemon Squeezy (primarily based in the US), your Personal Data will likely be transferred outside the European Economic Area (EEA).

When we transfer Personal Data outside the EEA, we take steps to ensure that your data receives an adequate level of protection. We rely on mechanisms such as:

• European Commission Adequacy Decisions (where applicable).
• Standard Contractual Clauses (SCCs) approved by the European Commission, implemented with our third-party service providers.
• Other valid transfer mechanisms under GDPR (such as the Data Privacy Framework for US companies).

Our primary third-party providers (Google, Lemon Squeezy) have established processes for handling international data transfers compliantly. Please refer to their respective privacy policies for details.

8. Data Security

We implement appropriate technical and organizational measures to protect the security of your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption (e.g., SSL/TLS for data in transit), access controls, regular security reviews, and secure infrastructure.

However, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

9. Data Retention

We retain your Personal Data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods include:

• Account Data (Email): Retained as long as your User Account is active, and for a reasonable period thereafter to allow for account recovery or as needed for legal/audit purposes.
• IP Addresses: Retained for a limited period (e.g., 90 days) for security logging and abuse detection, unless required for ongoing investigations or legal obligations.
• Usage Metadata: Retained as long as necessary for service improvement, analytics, and reporting. We may anonymize or aggregate this data for longer-term retention.
• Subscription Identifiers (from Lemon Squeezy): Retained as long as your subscription is active and as required for record-keeping.

When we no longer need your Personal Data for the purposes outlined, we will securely delete or anonymize it.

You can request the deletion of your User Account and associated Personal Data by contacting us (see Section 15).

10. Your Data Protection Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following data protection rights under GDPR:

• Right to Access: You have the right to request copies of your Personal Data that we hold.
• Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
• Right to Erasure ('Right to be Forgotten'): You have the right to request that we erase your Personal Data, under certain conditions. This can often be achieved by deleting your User Account.
• Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Data, under certain conditions.
• Right to Object to Processing: You have the right to object to our processing of your Personal Data based on legitimate interests, under certain conditions. You have an absolute right to object to processing for direct marketing purposes.
• Right to Data Portability: You have the right to request that we transfer the data that we have collected directly from you to another organization, or directly to you, in a structured, commonly used, machine-readable format, under certain conditions.
• Right to Withdraw Consent: If we are processing your Personal Data based on your consent (e.g., for marketing), you have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The Bulgarian supervisory authority is the Commission for Personal Data Protection (CPDP) (www.cpdp.bg).

To exercise these rights, please contact us using the details in Section 15 ("Contact Us"). We may need to verify your identity before responding to your request.

11. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights regarding your personal information under the CCPA/CPRA:

• Right to Know/Access: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information is collected, the business purposes for collecting or sharing information, and the categories of third parties with whom we share information.
• Right to Delete: You have the right to request the deletion of your personal information that we have collected, subject to certain exceptions (e.g., necessary to complete a transaction, detect security incidents, comply with legal obligations).
• Right to Correct: You have the right to request the correction of inaccurate personal information that we maintain about you.
• Right to Opt-Out of Sale/Sharing: We do not "sell" your personal information in the traditional sense. We also do not "share" your personal information for cross-context behavioral advertising as defined by CPRA based on our current use of data. Therefore, we do not offer an opt-out mechanism specific to sale/sharing.
• Right to Limit Use of Sensitive Personal Information (SPI): We collect your email address and IP address. While email address *can* sometimes be considered SPI depending on context under CPRA, we use it only for core service functions like account management, security, and communication directly related to the service, which are generally permissible uses. We do not use SPI for inferring characteristics about you. Therefore, we do not offer a specific mechanism to limit the use of SPI beyond standard account management and deletion options.
• Right of Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to Exercise Your California Rights: To exercise your rights to Know/Access, Delete, or Correct, please contact us using the details in Section 15 ("Contact Us"). We will need to verify your identity before processing your request, which may require you to provide additional information matching our records (e.g., confirming your email address).

Shine the Light: California's "Shine the Light" law (Civil Code Section § 1798.83) permits users who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.

12. Cookies and Tracking Technologies

We use cookies and similar technologies (e.g., local storage) to provide and enhance the Service.

• What are Cookies: Cookies are small text files stored on your device (computer or mobile device) when you visit websites or use applications.
• How We Use Cookies:
  • Essential Cookies: Necessary for the Service to function properly (e.g., authentication cookies managed by Firebase to keep you logged in, cookies to remember your subscription status).
  • Preference Cookies: Used to remember your settings and preferences.
  • Analytics Cookies: Help us understand how users interact with the Service by collecting Usage Metadata (e.g., frequency of feature use). We may use first-party or third-party analytics tools.
• Your Choices: Most web browsers allow you to control cookies through their settings preferences. You can usually set your browser to refuse cookies or alert you when cookies are being sent. However, if you disable essential cookies, some parts of the Service may not function properly (e.g., you might not be able to stay logged in). For more information about managing cookies, visit the help pages of your browser.

13. Children's Privacy

The Service is not intended for or directed at individuals under the age of 16 (or the relevant age of digital consent in your jurisdiction). We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected Personal Data from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers promptly. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us immediately at support@web-summarizer.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you as required by law, which may include posting the revised policy on our website, notifying you through the Service interface, or sending an email to the address associated with your User Account prior to the change becoming effective. We encourage you to review this Privacy Policy periodically for any updates.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you have unresolved concerns, you have the right to complain to a data protection authority (see Section 10).