Privacy Policy
Last updated:
We respect your privacy. This policy explains what data we collect, how we use it, and your rights under GDPR and other applicable laws.
Who we are
Controller: Your Company, S.L.
Address: C/ Example 123, 08000 Barcelona, Spain
Email: privacy@yourdomain.com
What we collect
- Account data: email, business name (optional), preferred alias, language.
- Operational data: incoming review notification emails you forward, review text, rating, links; optional owner notes you include between [[[NOTES]]] and [[[/NOTES]]].
- Generated data: summaries, sentiment, topics, red-flag signals, and reply drafts.
- Usage & billing: monthly request counts, token/cost estimates, plan, invoices (via Stripe).
- Technical: IP, device, cookies (auth session, CSRF).
Why we process your data (lawful bases)
- Provide the service (contract): receive emails, generate drafts, send them back.
- Billing & fraud prevention (contract/legal obligation): subscriptions, invoices, anti-abuse.
- Service improvement (legitimate interests): quality metrics, anonymized analytics.
- Consent (where required): marketing emails; certain cookies.
How we use owner notes
Owner notes are treated as private context for drafting. They are never quoted or exposed in public replies. We may store derived, neutral key points for guardrails and audit.
Data sharing & processors
We use processors strictly to run the service:
- Email inbound/outbound (e.g., Mailgun/Postmark/Gmail API)
- LLM provider for text processing (e.g., OpenAI)
- Hosting/database (e.g., Supabase/Cloud SQL), object storage, logs
- Payments (Stripe)
- Alerting/analytics (optional)
We do not sell personal data.
International transfers
When data is processed outside the EEA/UK, we rely on adequacy decisions or Standard Contractual Clauses (SCCs). We take reasonable steps to ensure equivalent protection.
Retention
- Account data: for the life of the account + up to 24 months after closure (for legal/accounting).
- Inbound emails & drafts: default 12 months (you can request deletion sooner).
- Billing records: 6–10 years to comply with tax law.
- Backups/logs: typically 30–90 days rolling.
Your rights
You can request access, rectification, deletion, restriction, portability, and objection. You can withdraw consent at any time. To exercise rights, email privacy@yourdomain.com. You may also lodge a complaint with your local data protection authority (in Spain: AEPD).
Security
We use encryption in transit, least-privilege access, audit logs, and periodic reviews. No method is 100% secure; please forward only the data necessary to draft replies.
Cookies
We use essential cookies for authentication and session security. Optional analytics cookies will only run with your consent.
Children
Our service is not directed at children under 16. Do not forward content containing children’s personal data.
Changes
If we make material changes, we’ll update this page and notify you by email or in-app.
Contact
Email privacy@yourdomain.com for privacy inquiries or to request data deletion.