Overview
Plain-language summary: WritiMate collects the minimum data needed to operate our
SEO automation platform. We don't sell your data. We don't run ads. We use your data only to deliver
and improve the product you signed up for.
This Privacy Policy applies to WritiMate ("we", "our", "us") and describes how we handle personal
information collected through our website at writimate.com and our platform
(together, the "Service"). By using the Service you agree to the practices described here.
If you are located in the European Economic Area (EEA) or United Kingdom, the General Data Protection
Regulation (GDPR) and UK GDPR apply. If you are in California, the California Consumer Privacy Act
(CCPA) applies. We address your rights under both laws in Section 7.
1 What We Collect
We collect data in two ways: information you give us directly, and information generated automatically
when you use the Service.
Information You Provide
- Account data: Name, email address and password when you create an account. If you sign up via Google or GitHub
OAuth, we receive your name and email from that provider instead.
- Billing data: Payment information is handled entirely by Stripe. We store only a tokenised card reference and your
billing address. We never see or store your full card number.
- Connected service credentials: API keys for Ahrefs, OpenAI and WordPress that you add in the platform. These are stored encrypted
at rest (AES-256) and never logged in plaintext.
- Content & workflow data: Keyword lists, content briefs, generated articles and publishing configurations you create inside
the platform.
- Support communications: Messages you send us via email or the in-product chat widget, including any attachments you choose
to include.
Information Collected Automatically
- Usage data: Pages visited, features clicked, workflow runs triggered, and errors encountered. We use this to
understand which parts of the product are working well and which need improvement.
- Device & connection data: Browser type, operating system, IP address, and referring URL. IP addresses are anonymised within 24
hours of collection.
- Cookies & local storage: We use session cookies for authentication and preference cookies to remember your settings. We do
not use advertising cookies or third-party tracking pixels.
2 How We Use Your Data
We use your data only for the purposes listed below. We do not use personal data for automated
decision-making that produces legal or similarly significant effects.
- Providing the Service — running your keyword research, AI writing and publishing
workflows.
- Authentication & security — keeping your account and data safe, detecting fraud
and abuse.
- Billing & payments — processing subscriptions, invoices and refunds through
Stripe.
- Product improvement — analysing aggregated usage patterns to improve features and
fix bugs.
- Support — responding to your questions, bug reports and feature requests.
- Legal compliance — meeting obligations under applicable law, including tax,
accounting and data protection requirements.
- Transactional email — sending receipts, password resets, security alerts and
important product notices. You cannot opt out of transactional emails while your account is active.
- Product updates newsletter — occasional emails about new features. You can
unsubscribe at any time.
3 Who We Share Data With
We do not sell, rent or trade your personal data. We share it only with the service providers necessary
to operate the platform, and only to the extent required.
Sub-processors
- Stripe: Payment processing. Stripe is PCI-DSS Level 1 certified. Your card data is processed and stored
entirely within Stripe's infrastructure.
- Amazon Web Services (AWS): Cloud infrastructure hosting the WritiMate application and databases. All data is stored in
eu-west-1 (Ireland) by default, or us-east-1 if you select a US data residency option at signup.
- OpenAI: AI content generation. Text prompts constructed from your keywords and briefs are sent to OpenAI's
API. OpenAI does not use API data to train models, per their API data usage policies.
- Postmark: Transactional email delivery (receipts, alerts, password resets). Email addresses and content are
processed to deliver messages you have requested.
- Sentry: Error monitoring. Anonymised stack traces are sent to Sentry when the application throws an error.
We scrub API keys and user content before any error is logged.
- Intercom: In-product support chat. If you use the chat widget, your messages and basic account data (name,
email, account tier) are processed by Intercom. You can opt out of the chat widget in your account
settings.
Legal Disclosure
We may disclose personal data if required to do so by law, court order, or lawful request by public
authorities. Where permitted, we will notify you before complying with such a request.
Business Transfers
If WritiMate is acquired, merges with another entity, or transfers substantially all assets, your data
may be transferred as part of that transaction. We will provide notice via email or prominent in-product
notice before your data becomes subject to a different privacy policy.
4 Data Storage & Security
Security is not an afterthought at WritiMate — it is built into every layer of the system because our
platform handles your content strategy data and third-party API credentials.
- All data is encrypted in transit using TLS 1.3.
- All data is encrypted at rest using AES-256.
- API credentials you connect are stored using envelope encryption with keys managed in AWS KMS. They
are never written to logs or readable by support staff.
- Access to production databases is restricted to a small number of engineers, requires MFA, and is
fully logged.
- We conduct penetration testing annually and maintain a responsible disclosure programme.
- Our infrastructure is SOC 2 Type II assessed.
Data breach notification: In the unlikely event of a breach affecting your personal
data, we will notify you within 72 hours of becoming aware — or sooner where
required by law.
Retention
We keep your data for as long as your account is active. If you close your account, we delete your
personal data and content within 30 days, except where we are legally required to
retain it (for example, billing records which we retain for 7 years for tax and accounting purposes).
5 Cookies
We use the minimum number of cookies necessary to operate the Service. We do not use advertising cookies
or share cookie data with ad networks.
- Essential cookies: Session authentication and CSRF protection tokens. These are required for the platform to function
and cannot be disabled.
- Preference cookies: Remember your UI settings such as sidebar state and theme preference. These expire after 12 months.
- Analytics cookies (first-party only): We use a self-hosted, privacy-friendly analytics tool to count page views and understand feature
usage. No data is shared with third parties. You can opt out via the cookie banner or your browser
settings.
To manage cookies, use your browser's settings or click the "Cookie Preferences" link in the site footer.
Note that disabling essential cookies will prevent you from logging in.
6 International Data Transfers
WritiMate is based in the European Union. If you use the Service from outside the EU, your data is still
stored in our EU infrastructure by default.
Where we transfer data to sub-processors outside the EEA (for example, to OpenAI or Postmark in the
United States), we rely on the following safeguards:
- EU Standard Contractual Clauses (SCCs) — we have executed the approved SCCs with
each relevant sub-processor.
- Adequacy decisions — for transfers to countries with an EU adequacy decision, we
rely on that decision as the legal basis.
- Data Processing Agreements (DPAs) — we have DPAs in place with all sub-processors
that handle personal data.
7 Your Rights
Depending on your location, you have various rights over your personal data. We honour all of the
following:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate or incomplete data.
- Erasure — request deletion of your data ("right to be forgotten"). We will delete
within 30 days unless we have a legal obligation to retain it.
- Portability — receive your data in a machine-readable format (JSON or CSV) so you
can transfer it to another provider.
- Restriction — ask us to pause processing your data while a complaint is
investigated.
- Objection — object to processing based on legitimate interests or for direct
marketing purposes.
- Withdraw consent — where processing is based on consent (e.g. marketing emails),
withdraw it at any time without affecting prior lawful processing.
California residents also have rights under the CCPA, including the right to know, the right to delete,
and the right to opt out of the "sale" of personal information. We do not sell personal information as
defined by CCPA.
To exercise any right, email us at the address below. We will respond within 30 days (or within the
timeframe required by applicable law).
8 Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone
under 16. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
9 Changes To This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date
at the top of this page. For material changes — those that significantly affect your rights or how we
use your data — we will notify you by email at least 14 days before the change takes effect. Continued
use of the Service after that date constitutes acceptance of the updated policy.
We keep an archive of previous versions. If you would like a copy of a previous version, contact us at
the address below.