Privacy Policy

Last Updated: February 11, 2026

Wordwand (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and services (the “Service”).

Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy.

1. Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws, the data controller is:

Wordwand
Email: support@wordwand.co

2. Information We Collect

2.1 Information You Provide

Account Information

When you create an account, we collect:

• Email address
• Password (stored in hashed form by our authentication provider)
• User ID (automatically generated UUID)

If you use Sign in with Apple, we receive:

• The email address associated with your Apple ID (or a private relay email if you choose to hide your email)
• A unique identifier provided by Apple

User Profile Data

• Onboarding completion status
• Timestamps related to account activity

Saved Data (Todos and Custom Shortcuts)

• When you use Todo Extraction, extracted action items (todo text, due dates, source text snippets up to 500 characters, completion status) are stored in our database
• Custom Shortcuts you create (name, AI prompt, icon, color, usage statistics) are stored in our database
• This data is associated with your user account and is deleted when you delete your account

Payment Information

When you subscribe to a paid plan:

• Via Stripe (macOS/Web): Stripe customer ID, subscription ID, billing frequency, and subscription expiration date. Stripe handles all credit card processing; we never receive or store your full credit card number.
• Via Apple StoreKit (iOS): Transaction IDs, product IDs, purchase dates, and expiration dates. Apple handles all payment data.

2.2 Information Collected Automatically

Usage Data

• Monthly word count usage
• Daily and monthly Ask AI request counts
• Operation logs including:
  • Type of operation (improve, translate, enhance, Ask AI, Ask AI Vision, extract todos, custom shortcut, speech-to-text, text-to-speech, TTS preprocess)
  • Word count and character count of processed text
  • Operation status and timestamps
  • Error information (if applicable)

Device and Technical Data

• Device type and operating system
• Application version
• IP address (collected by our infrastructure providers and used for API rate limiting and abuse prevention; retained in rate-limit stores for up to 24 hours)
• General location derived from IP address (country/region level)

Crash and Diagnostic Data

Our macOS application uses Sentry, a third-party error monitoring service, to collect crash and performance data. This may include:

• Crash reports (stack traces, exception details)
• App hang and performance data
• Session duration and app lifecycle events
• Device type, operating system version, and app version
• A randomly generated device identifier (not tied to your personal identity)

This data is used solely to identify and fix bugs, improve app stability, and monitor performance. It does not include any of your text content, audio, images, or account credentials.

Server Request Metadata

Our API servers generate structured logs for each request, which may include request identifiers, timestamps, HTTP method, route path, response status codes, and response times. These logs do not contain the content of your text, audio, or images. They are used for operational monitoring, debugging, and security purposes.

2.3 Information We Process But Do Not Store

User Text Content, Audio Recordings, and Images

When you use our AI features (text improvement, translation, enhancement, Ask AI, Ask AI Vision, todo extraction, custom shortcuts, speech-to-text, text-to-speech):

• Your text is transmitted to our servers and third-party AI providers for processing
• When using speech-to-text, your audio recordings are transmitted to OpenAI's Whisper API for transcription
• When using Ask AI Vision, your images (screenshots or photos) are transmitted to Google Gemini for analysis
• We do not permanently store the content of your text, audio, or images
• Content is processed in real-time and discarded after the response is generated
• Our AI providers may temporarily process your content according to their own policies (see Section 5)

2.4 Information Stored Locally on Your Device

The following data is stored only on your device and is never transmitted to our servers:

• Usage statistics (words improved, translations count, etc.)
• User preferences and settings
• Custom dictionary words
• Custom text replacement shortcuts
• Language preferences
• Authentication tokens (stored securely in device Keychain)

3. How We Use Your Information

We use the information we collect to:

3.1 Provide and Maintain the Service

• Authenticate your identity and manage your account
• Process your text through AI features
• Track your usage against subscription limits
• Provide customer support

3.2 Process Payments

• Manage subscriptions and billing
• Verify payment status
• Handle refunds or disputes

3.3 Improve the Service

• Analyze usage patterns to improve features
• Monitor and maintain service performance
• Debug and fix technical issues
• Identify and resolve application crashes and performance problems (via Sentry crash reporting)
• Understand website traffic and visitor patterns (via privacy-respecting analytics)

3.4 Communicate With You

• Send service-related notifications
• Respond to your inquiries and support requests
• Provide information about subscription status or changes

3.5 Comply With Legal Obligations

• Respond to legal requests and prevent harm
• Enforce our Terms and Conditions
• Protect our rights and the rights of others

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data based on the following legal grounds:

5. Third-Party Service Providers

We share your information with the following third-party service providers who help us deliver the Service:

5.1 Google Cloud Platform (Infrastructure)

• Purpose: Our API backend is hosted on Google Cloud Run (Google Cloud Platform). All API requests are processed through this infrastructure.
• Data Shared: Google Cloud Platform, as an infrastructure provider, may have access to request metadata, IP addresses, and server logs in transit
• Security: Google Cloud Platform is SOC 2 and ISO 27001 certified and adheres to the EU Data Processing terms
• Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

5.2 Supabase (Database and Authentication)

• Purpose: User authentication, account management, and data storage
• Data Shared: Email address, user ID, profile data, subscription information, usage logs
• Location: United States
• Security: Row-level security ensures data isolation between users
• Privacy Policy: https://supabase.com/privacy

5.3 Google AI (Gemini)

• Purpose: AI-powered text improvement, translation, enhancement, Ask AI, Ask AI Vision (image analysis), todo extraction, speech-to-text cleanup, and TTS preprocessing
• Data Shared: Text content you submit for processing; images you submit for visual analysis (Ask AI Vision)
• Data Retention: Text is processed and not permanently stored by us; Google's data handling is governed by their policies
• Safety Settings: We enable content safety filters on all AI requests
• Privacy Policy: https://policies.google.com/privacy

5.4 Google Cloud Text-to-Speech

• Purpose: Converting text to spoken audio
• Data Shared: Text content you submit for text-to-speech conversion
• Privacy Policy: https://policies.google.com/privacy

5.5 Stripe (Payment Processing)

• Purpose: Processing payments for subscriptions (macOS and web)
• Data Shared: Email address, Stripe customer ID
• PCI Compliance: Stripe is PCI DSS Level 1 certified
• Privacy Policy: https://stripe.com/privacy

5.6 Apple (StoreKit / In-App Purchases)

• Purpose: Processing in-app purchases (iOS)
• Data Shared: Apple manages all payment data directly
• Privacy Policy: https://www.apple.com/legal/privacy/

5.7 OpenAI (Speech-to-Text / Whisper)

• Purpose: Transcribing audio recordings into text (speech-to-text functionality)
• Data Shared: Audio recordings you submit for transcription
• Data Retention: Audio is processed in real-time and not permanently stored by us; OpenAI processes API data according to their API data usage policy and does not use API data to train models
• Note: When you use the speech-to-text feature, your audio is transmitted to OpenAI's Whisper API for transcription
• Privacy Policy: https://openai.com/policies/privacy-policy

5.8 Sentry (Crash Reporting)

• Purpose: Application crash reporting, error tracking, and performance monitoring for our macOS application
• Data Shared: Crash reports (stack traces, exception information), app hang data, session tracking data, device type, operating system version, app version, and a randomly generated device identifier
• Data NOT Shared: Sentry does not receive your text content, audio recordings, images, email address, or account credentials
• Data Retention: Crash and performance data is retained by Sentry for 90 days by default
• Location: United States
• Security: Sentry is SOC 2 Type II certified
• Privacy Policy: https://sentry.io/privacy/

5.9 Vercel Analytics (Website Analytics)

• Purpose: Privacy-respecting analytics for our website (wordwand.co) to understand visitor traffic and page performance
• Data Collected: Page views, referrer URLs, country (derived from IP), browser type, and operating system
• Privacy Approach: Vercel Analytics does not use cookies, does not track users across websites, and does not collect personally identifiable information. No individual visitor profiles are created.
• Data NOT Collected: IP addresses are not stored; no cross-site tracking; no advertising identifiers
• Location: United States
• Privacy Policy: https://vercel.com/legal/privacy-policy

6. Data Retention

We retain your personal data as follows:

When you delete your account:

• Your account information is deleted from our database
• Usage logs associated with your account are deleted
• Data held by third-party payment processors is retained according to their policies
• Locally stored data remains on your device until you delete the app

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

7.1 Technical Measures

• Encryption in Transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
• Secure Authentication: JWT token-based authentication with automatic token refresh
• Keychain Storage: Sensitive data (authentication tokens) stored in secure device Keychain
• Row-Level Security: Database-level access controls ensure users can only access their own data
• Webhook Verification: Stripe webhooks are verified using cryptographic signatures
• Rate Limiting: API rate limiting to prevent abuse and protect service availability
• Error Monitoring: Automated crash reporting and server error alerting for rapid incident detection and response

7.2 Organizational Measures

• Limited access to personal data on a need-to-know basis
• Regular security reviews of our infrastructure and code
• Third-party services selected for their security credentials and compliance certifications

7.3 Incident Response

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by applicable law.

8. Your Rights

8.1 Rights Under GDPR (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, you have the following rights:

Right of Access

You can request a copy of the personal data we hold about you.

Right to Rectification

You can request that we correct any inaccurate or incomplete personal data.

Right to Erasure (“Right to be Forgotten”)

You can request that we delete your personal data. We will comply unless we have a legal obligation to retain the data.

Right to Restrict Processing

You can request that we limit the processing of your personal data under certain circumstances.

Right to Data Portability

You can request a copy of your personal data in a structured, commonly used, machine-readable format.

Right to Object

You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your country of residence.

8.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights:

Right to Know

You can request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it.

Right to Delete

You can request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out

You have the right to opt out of the sale or sharing of your personal information. We do not sell your personal information.

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

8.3 Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: support@wordwand.co

We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States.

9.1 Transfer Mechanisms

For transfers from the EEA/UK to the United States, we rely on:

• Standard Contractual Clauses approved by the European Commission
• Our service providers' participation in recognized data transfer frameworks

9.2 Service Provider Locations

10. Children's Privacy

10.1 Age Requirements

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

10.2 Parental Rights

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at support@wordwand.co. We will take steps to delete such information from our systems.

10.3 COPPA Compliance

In compliance with the Children's Online Privacy Protection Act (COPPA), we:

• Do not knowingly collect personal information from children under 13
• Require users to confirm they meet the minimum age requirement
• Will promptly delete any data collected from children under 13 upon discovery

10.4 Users Ages 13-17

Users between 13 and 18 should review these terms with a parent or guardian. Parents/guardians are responsible for monitoring their minor children's use of the Service.

11. Sign in with Apple Disclosure

When you use Sign in with Apple:

• We receive your Apple ID email (or a private relay email if you choose to hide your email)
• We receive a unique identifier provided by Apple
• We use this information solely for account authentication and communication
• You can manage your Sign in with Apple settings through your Apple ID account

12. Cookies and Tracking Technologies

12.1 Website (Landing Page)

Our website (wordwand.co) uses:

• Essential Cookies: Required for basic website functionality
• Vercel Analytics: We use Vercel Analytics for privacy-respecting website analytics. Vercel Analytics does not use cookies, does not collect personally identifiable information, and does not track visitors across websites. It collects only aggregate data such as page views, referrer information, and general visitor demographics (country, browser, OS).

12.2 Mobile and Desktop Applications

Our applications do not use cookies. We use:

• Local Storage: To store your preferences and settings on your device
• Keychain: To securely store authentication tokens
• Sentry SDK (macOS): Our macOS application includes the Sentry SDK for crash reporting and performance monitoring. Sentry collects crash data, app hang information, and session data to help us identify and fix issues. Sentry does not use cookies and does not track you across applications. See Section 5.8 for full details.

12.3 Your Choices

You can control cookies through your browser settings. Blocking essential cookies may affect website functionality.

13. Do Not Track Signals

Our Service does not currently respond to “Do Not Track” signals. We do not track users across third-party websites.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be effective when posted to our website with an updated “Last Updated” date.

For significant changes, we will notify you by:

• Posting a notice within the Application
• Sending an email to registered users
• Updating the “Last Updated” date prominently

Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@wordwand.co

Data Protection Inquiries
For GDPR-related inquiries or to exercise your data protection rights, please email: support@wordwand.co

We aim to respond to all inquiries within 30 days.

16. Additional Information for Specific Jurisdictions

16.1 European Economic Area (EEA) and United Kingdom

You may lodge a complaint with your local data protection authority:

• For EEA: https://edpb.europa.eu/about-edpb/board/members_en
• For UK: https://ico.org.uk/

16.2 California

California Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes.

16.3 Brazil (LGPD)

If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD) similar to those described in Section 8.1.

16.4 Canada (PIPEDA)

If you are a resident of Canada, you have the right to access your personal information, correct inaccuracies, and withdraw consent to collection, use, or disclosure, subject to legal restrictions.

By using Wordwand, you acknowledge that you have read and understood this Privacy Policy.