1 Who We Are
WordGPT Ltd ("WordGPT", "we", "us") is the data controller for personal data collected through the WordGPT platform.
Data Protection Officer (DPO): dpo@wordgpt.app
General privacy enquiries: privacy@wordgpt.app
2 Data We Collect
| Category | What exactly | When collected |
|---|---|---|
| Account data | Name, email address, role (student/researcher), institution, password (hashed — never stored in plain text) | When you register |
| Billing data | Payment confirmations and billing address. Card or bank credentials are collected only on Swich-hosted PayIn pages — we never see or store full card or account numbers. | When you subscribe |
| Usage data | Features used, pages visited, buttons clicked, time spent, error logs — to improve the service | Continuously while using the app |
| Device data | Browser type, OS, device type, IP address, approximate location (city/country level) | On every visit |
| Documents | Text, files, PDFs you upload or create — processed to deliver the service, deleted within 24 hours unless saved | When you use writing/AI features |
| Communications | Emails, support tickets, feedback — to respond to you | When you contact us |
| Cookies | Session cookies, preference cookies, analytics cookies — see Section 7 | On visit |
3 How We Use Your Data
- To provide the Service: Processing your documents, running AI checks, formatting, generating citations
- To manage your account: Authentication, billing, subscription management
- To improve the Service: Analysing usage patterns (anonymised/aggregated — not linked to your identity)
- To communicate with you: Service updates, security alerts, billing notices, optional product tips
- To ensure security: Detecting fraud, abuse, and security threats
- To comply with law: Responding to valid legal requests from authorities
4 Legal Basis for Processing (GDPR)
| Processing activity | Legal basis |
|---|---|
| Providing the Service you requested | Contract (Art. 6(1)(b) GDPR) |
| Processing payments | Contract (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Service improvement analytics (anonymised) | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails (optional) | Consent (Art. 6(1)(a)) — opt-out anytime |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
5 We Never Sell Your Data
This applies to all users globally, including California residents under CCPA/CPRA. You have the right to opt out of sale — but there is nothing to opt out of because we never sell data.
6 Data Sharing with Third Parties
We share data only with trusted service providers who process it on our behalf under strict data processing agreements:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI | GPT-4o AI features | Document text (no personal identifiers) | USA (SCCs applied) |
| Anthropic | Claude AI features | Document text (no personal identifiers) | USA (SCCs applied) |
| Moonshot AI (Kimi) | Long-document AI | Document text (Researcher plan) | China (SCCs applied) |
| Perplexity AI | Research AI | Document text (Researcher plan) | USA (SCCs applied) |
| Swich | Payment processing (PayIn) | Payment reference and billing metadata necessary to fulfil your subscription (no full PAN or bank secrets on our servers) | Per Swich / PSP arrangements |
| Firebase (Google) | Authentication | Email, name | EU (adequacy decision) |
| Cloudflare | Security, CDN | IP address, traffic data | Global (SCCs applied) |
All third parties are contractually bound to use your data only for the specified purpose, maintain appropriate security, and not disclose it to others.
We may also disclose data to comply with a valid legal order, court order, or government request. We will notify you of any such request unless legally prohibited from doing so.
7 Cookies
We use the following cookies:
| Type | Purpose | Can you opt out? |
|---|---|---|
| Essential | Login session, security tokens — the site cannot function without these | No (required) |
| Preferences | Remember your settings (dark mode, language) | Yes |
| Analytics | Understand how users navigate the site (anonymised) | Yes — cookie banner |
| Marketing | We do not use advertising/tracking cookies | N/A — we don't use these |
You can manage cookie preferences through our Cookie Settings panel or your browser settings. See our full Cookie Policy.
8 Data Retention
| Data type | Retention period |
|---|---|
| Processed documents (not saved) | Deleted within 24 hours of processing |
| Saved documents in your library | Until you delete them or close your account |
| Account data | Duration of account + 30 days after closure |
| Billing records | 7 years (legal/tax obligation) |
| Support communications | 3 years |
| Security logs | 12 months |
| Anonymised analytics | Indefinitely (not linked to you) |
9 Your Rights
Depending on your location, you have the following rights regarding your personal data:
| Right | What it means | Available to |
|---|---|---|
| Access | Get a copy of all personal data we hold about you | All users |
| Rectification | Correct inaccurate data | All users |
| Erasure | Delete your personal data ("right to be forgotten") | EU/UK/Brazil/others |
| Portability | Receive your data in a machine-readable format | EU/UK/Brazil |
| Restriction | Limit how we process your data | EU/UK |
| Object | Object to processing based on legitimate interests | EU/UK |
| Opt-out of sale | We don't sell data, so this is always satisfied | California (CCPA) |
| Non-discrimination | No worse service for exercising your rights | California (CCPA) |
To exercise any right, email privacy@wordgpt.app. We will respond within 30 days (EU/UK: within 1 month as required by GDPR Article 12). Identity verification may be required.
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g. ICO in UK, your national DPA in the EU).
10 International Data Transfers
Our primary servers are in the EU. When data is transferred to third-party providers in the US or other countries, we use Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent mechanisms. A list of transfer safeguards is available on request.
11 Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, contact privacy@wordgpt.app and we will delete it promptly.
12 Security
We protect your data with 256-bit TLS encryption in transit, AES-256 at rest, access controls, and regular security audits. In the event of a data breach affecting your rights, we will notify you and relevant authorities within 72 hours as required by GDPR Article 33.
13 Changes to This Policy
We will email you and post a notice at least 14 days before material changes take effect. Your continued use of the Service after that date constitutes acceptance.
14 Contact Our DPO
Data Protection Officer: dpo@wordgpt.app
General privacy: privacy@wordgpt.app
Response time: Within 5 business days
You can also use our Contact page to send us a message directly.