Privacy policy.

What we collect, why we collect it, who else gets to see it, and the controls you have over all of it. Written by a human, not a template — and short enough to actually read.

Last updated May 19, 2026 · Effective June 1, 2026 · support@tooldirectory.ai
At a glance

If you only read one thing, read this.

The six points below cover roughly 90% of what people want to know about a privacy policy. The full text is underneath — it doesn't contradict this summary, it just adds the precision a policy needs to be useful.

  • Selling your personal data: Never. We don't — not to ad networks, brokers, or anyone else
  • Account data: Collected with consent. Email, display name, password hash — required to sign in
  • Analytics & product telemetry: Aggregated. First-party product analytics (PostHog) + Google Analytics for aggregate reporting
  • Third-party sharing: Processors only. Limited to vetted processors (hosting, email, payments) under DPA
  • Your rights (access, export, delete): Available globally. GDPR · CCPA · UK GDPR — honored regardless of where you live
  • Data deletion requests: 30-day SLA. Email support@tooldirectory.ai — processed within 30 days
Section 01

What we collect, and why we need it

We collect the smallest amount of information needed to run the site, keep accounts secure, and improve what we publish. There are four buckets, and that's it.

You give us directly
  • Account: email, display name, salted password hash
  • Profile: bio, avatar, links you choose to add
  • Submissions: tool listings, reviews, ratings, comments
  • Support: messages, attachments, the email you write from
Collected automatically
  • Device: browser, OS, screen size, language
  • Network: IP address, referrer
  • Usage: pages viewed, time on page, search terms
  • Logs: server errors, request timestamps, security events

We do not collect government IDs, biometric data, precise GPS location, or contents of your communications outside the site. We do not buy personal data from data brokers. We do not run third-party ad-targeting pixels (Meta, TikTok, or Google Ads).

Children. The site is intended for users 18 and older. We don't knowingly collect personal information from anyone under that age — if you think a child has submitted data, write to support@tooldirectory.ai and we'll delete it.
Section 02

How we use it

Every piece of data we collect maps to a concrete operational purpose. We don't keep “just in case” data, and we don't repurpose what was collected for one reason into something else without telling you.

  1. Run the site and your account
    Authenticate sign-ins, deliver the content you requested, save your preferences, send transactional email like password resets and submission status updates.
  2. Editorial review of submitted tools
    Read tool submissions, screenshot the product, write the review, decide whether to list it. Submitter contact info is used to follow up about the submission and nothing else.
  3. Improve what we publish
    Aggregated analytics tell us which reviews get read, which comparisons get used, where the search is failing. We never tie analytics back to an individual account.
  4. Keep the platform secure
    Detect abuse, brute-force attempts, scraping, and spam. Comply with legal obligations when we receive a properly issued request — see section 03.
Section 03

Who we share data with

We do not sell, rent, or trade your personal information. We share data only with the categories of recipients below, only to the extent strictly needed, and only under a written data-processing agreement that binds them to our standards.

  1. Vetted service providers (processors)
    Hosting (Vercel, Heroku, Neon), CMS (Strapi), product analytics (PostHog, Google Analytics), newsletter (Beehiiv), payments (Stripe), error monitoring (Sentry), CDN and DNS (Cloudflare). Each operates under a signed DPA and the EU Standard Contractual Clauses where applicable.
  2. Editorial collaborators
    Freelance reviewers who write listings on contract have access to submission contents — not your account credentials, not your IP, not your billing data. NDAs are standard.
  3. Legal and safety
    If we receive a valid subpoena, court order, or law-enforcement request, we'll disclose only what's legally required, push back on overbroad requests, and notify you whenever we're allowed to.
  4. Corporate transactions
    If the site is ever sold, merged, or wound down, data may transfer as part of that transaction. You'll be notified by email at least 30 days in advance and given the option to delete your account first.
Section 04

Your rights and how to use them

We grant the rights below to every visitor, regardless of whether you live in a jurisdiction that legally requires it. If you're in the EU, UK, California, Colorado, Virginia, or anywhere else with a comprehensive privacy law, the law still applies on top.

Always available
  • Access — get a copy of what we hold about you
  • Export — download your account data as JSON
  • Correct — fix inaccurate or outdated information
  • Delete — remove your account and submissions
  • Restrict — pause processing while we sort out a dispute
  • Object — opt out of any processing based on legitimate interest
How to exercise them
  • Email support@tooldirectory.ai from the address on file with your request
  • Include the right you're exercising (access, export, correct, delete, restrict, object) and any relevant context
  • We respond within 30 days (45 for unusually complex requests, with notice)
  • We will not charge a fee or retaliate for exercising any right
  • You can authorize an agent to act for you with written proof
  • EU/UK residents can also complain to your local data protection authority
Identity verification. Before we hand over or delete personal data, we'll confirm the request is genuinely from you — usually by clicking a link sent to the verified email on the account. We never ask for government ID for routine privacy requests.
Section 05

How we keep your data secure

Security isn't a section of a policy — it's the day job. We use industry-standard controls and a few non-standard ones, and we keep them current. Here's what's in place at the time of this update.

  1. Encryption in transit and at rest
    TLS 1.3 with HTTP Strict Transport Security on every page. AES-256 at rest for the production database and all backups. Passwords are stored as bcrypt hashes with a per-user salt — never reversible, never logged.
  2. Access controls and audit trails
    Production access is restricted to a small group of administrators, with two-factor authentication required for every admin login. Privileged actions are logged.
  3. Backups and recovery
    Encrypted backups with point-in-time recovery on the production database. Backups are stored separately from the live database and tested before any major release.
  4. Breach notification
    If we ever discover a personal-data breach that's likely to affect you, we'll notify you and the relevant supervisory authorities in accordance with applicable law.
Section 06

How long we keep things

We retain personal data only as long as we need it for the purpose it was collected, then we delete or anonymize it. Defaults are below; you can request earlier deletion at any time.

  • Active account & profile: While in use. For the lifetime of the account, plus 30 days after deletion request
  • Published reviews and submissions: Anonymized on delete. Kept for editorial record; byline removed on account deletion
  • Server & security logs: 90 days. Full logs auto-purge after 90 days
  • Aggregated analytics: Aggregated forever. No personal identifiers retained past aggregation
  • Payment records (paid placements): 7 years. Required for tax and accounting compliance
  • Support correspondence: 24 months. Kept for context on follow-up tickets, then purged
Section 07

Changes to this policy

When we update this policy we'll change the “Last updated” date at the top and post the new version here. For material changes — anything that expands what we collect, who we share it with, or how long we keep it — we'll call out the change clearly so you have time to review it and, if you'd prefer, close your account before the new version takes effect.

A full revision history is available on request from support@tooldirectory.ai. We don't quietly edit policy text — every diff is dated.

Section 08

Contacting us about privacy

The fastest way to reach us about anything in this policy — a question, a complaint, a request to access or delete data — is by email. Every privacy request goes to the same inbox and is handled by the same small team.

  1. All privacy questions and requests
    support@tooldirectory.ai · reply within 5 business days, fulfilled within 30 days
  2. What to include
    The email address on your account, the right you're exercising (access, export, correct, delete, restrict, object), and any context that helps us find the right records.
A question about your data?

Talk to the person who handles this.

All privacy questions — access, export, correction, deletion, or anything else in this policy — go to support@tooldirectory.ai. Email from the address on your account so we can verify it's you.

Replies in 5 business days · Mon–Fri
