Privacy Policy

Last updated: May 20, 2026

Who we are

Zurhaar Tools is a sole proprietorship (eenmanszaak) registered in the Netherlands, operated by Andreas Zurhaar. Contact: [email protected]

Our products

This policy applies to our browser extensions and the supporting backend at zurhaartools-api.andreaszurhaar.workers.dev:

  • Job Red Flag Detector — analyses the text of a job posting you open and flags concerning patterns.
  • ToS Scanner — analyses the text of a Terms of Service or Privacy Policy page you open and produces a plain-language summary of risks.

What data we collect

Our products collect only the minimum data necessary to function:

  • License key — stored locally in your browser to authenticate your purchase. Sent to our backend with each scan to verify your remaining credit balance. Not shared with third parties beyond what is described below.
  • Email address — collected at purchase through our payment provider (Stripe) to deliver your license key and receipts.
  • Page content you choose to scan — when you click "Scan", the visible text of the current page (for ToS Scanner: the Terms of Service or Privacy Policy you are viewing; for Job Red Flag Detector: the job posting you are viewing) is sent to our backend API, which forwards it to a third-party analysis provider (see "Third-party processing" below). The submitted text typically contains no personal data, but if you choose to scan a page that contains your own personal information, that text will be transmitted as described. This content is processed in real time and is not retained by our backend after the response is returned.
  • Scan transactions — we record that a scan of a given type occurred against your license key (for credit accounting), but we do not store the page text, the URL, or the analysis result.

What we do not collect

  • We do not track your browsing history or activity.
  • We do not collect personal data beyond your email address and license key.
  • We do not use cookies or analytics trackers on our website or extensions.
  • We do not sell, share, or transfer your data to third parties for advertising or marketing purposes.

Browser extensions

Our browser extensions request permissions to access page content on websites you visit. This permission is used solely to extract text when you explicitly click the "Scan" button. The extracted text is sent to our backend API and forwarded to a third-party analysis service to generate results (see "Third-party processing" below). No data is collected, transmitted, or processed without your action. The submitted text is not stored on our servers and is not used to train any models.

Third-party processing

To produce the analysis displayed by our extensions, we forward the submitted page text to Anthropic, PBC, a sub-processor based in the United States. The text is sent to Anthropic's API (model: Claude Haiku) over an encrypted connection, analysed in real time, and the result is returned to you.

Anthropic processes this data on our behalf under its commercial terms and privacy policy. Inputs and outputs are not used to train Anthropic's models. Anthropic retains API inputs and outputs for up to 30 days for abuse-monitoring purposes, after which they are deleted. Because Anthropic is located in the United States, this constitutes a transfer of data outside the European Economic Area; the transfer is covered by Anthropic's contractual safeguards.

We do not send your license key, email address, or any account identifier to Anthropic — only the page text you submit for analysis.

Payment processing

Payments are handled by Stripe. We do not store or have access to your payment card details. Stripe processes payments in accordance with their own privacy policy.

Data storage and retention

License keys, credit balances, and the email address associated with a purchase are stored on Cloudflare's infrastructure. Data is transmitted over HTTPS and access is restricted to authenticated requests only.

Submitted page text is held only in memory for the duration of the scan request and is discarded once the response is returned. We retain a per-scan transaction record (license key, scan type, timestamp) for credit accounting and fraud prevention, but this record does not include the page content, the URL, or the analysis result. Purchase records are retained for the period required by Dutch tax law (seven years).

Your rights and how to contact us

Under the GDPR (in the Netherlands: AVG), you have the following rights regarding the personal data we hold about you:

  • Right of access (recht op inzage) — request a copy of the personal data we hold about you.
  • Right of rectification (recht op rectificatie) — ask us to correct inaccurate or incomplete personal data.
  • Right of erasure / right to be forgotten (recht op vergetelheid) — ask us to delete your personal data, subject to legal retention obligations described below.
  • Right to restrict processing (recht op beperking) — ask us to limit how we process your data while a dispute or request is being resolved.
  • Right to data portability (recht op dataportabiliteit) — receive your personal data in a structured, machine-readable format, or have it transferred to another provider.
  • Right to object (recht van bezwaar) — object to processing of your personal data based on our legitimate interests.
  • Right not to be subject to automated decision-making (Article 22 GDPR) — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not take such decisions about you.
  • Right to lodge a complaint — file a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens.

To exercise any of these rights, contact us at [email protected]. We respond within 30 days (extendable to 3 months for complex requests, with notice in the first month). To help us locate your records, please send your request from the email address used at purchase.

Retained data after erasure requests: Some records (transaction history, license keys linked to purchases) are retained for 7 years to satisfy Dutch tax law (Art. 52 AWR). When you request erasure, we anonymize these records — replacing your email with a placeholder — rather than delete them entirely. After the 7-year retention period, full erasure applies.

Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated revision date.