Privacy Policy
Last updated:
1. Data Controller
2. Data We Collect
Data you provide directly:
- Email address — required to create an account and deliver the service
- Payment information — collected and processed by Paddle (we never see your card details)
Data collected automatically:
- IP address and browser type — used for security and abuse prevention
- Session data — stored in a server-side cookie to keep you logged in
- Usage data — anonymised page views (no cookies, no cross-site tracking)
3. Legal Basis (GDPR Art. 6)
- Art. 6(1)(b) — Contract: email and payment data, to provide and bill the service
- Art. 6(1)(f) — Legitimate interest: security logs, anonymised analytics, fraud prevention
- Art. 6(1)(c) — Legal obligation: invoicing records retained as required by applicable law
4. Sub-processors
- Paddle (payments) — processes payment data on our behalf
- Resend (transactional email) — sends magic-link and notification emails
6. Data Retention
- Account data — retained while active; deleted within 30 days of account deletion
- Invoicing records — retained for 10 years as required by applicable tax law
- Security logs — retained for 30 days
7. International Transfers
Paddle and Resend may process data outside the EU; both maintain EU Standard Contractual Clauses (SCCs) to ensure adequate protection.
8. Your Rights (GDPR)
As an EU resident, you have the right to:
- Access (Art. 15) — obtain a copy of your personal data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — delete your account and personal data
- Restriction (Art. 18) — restrict how we process your data
- Portability (Art. 20) — receive your data in a machine-readable format
- Object (Art. 21) — object to processing based on legitimate interest
To exercise any of these rights, email . We respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority.
9. Changes
We may update this policy. For significant changes we will notify you by email at least 14 days in advance.