Legal
Privacy Policy
Last updated: June 25, 2026
This Privacy Policy explains how cpywrk ("cpywrk", "we", "us", "our") collects, uses, and protects personal data when you use our website (www.cpywrk.com) and platform (app.cpywrk.com).
cpywrk is the data controller for personal data processed under this policy. Where we engage third-party processors, we do so under written data-processing agreements.
1. Data We Collect
Account data
Name, email address, and password hash when you register. Company name and VAT number where provided for billing purposes.
Billing data
Subscription tier and payment status. Card details are handled entirely by Stripe — we store only a Stripe customer ID and the last 4 digits of the card on file.
Content and brand data
Briefs, brand guidelines, tone-of-voice rules, keyword lists, and corrections you enter into the platform. This data is used to generate and improve content outputs for your account. It is not shared with other customers and is not used to train AI models.
Usage data
Pages visited, features used, article generation events, and error logs. Used to operate, debug, and improve the platform.
Technical data
IP address, browser type, operating system, and session identifiers. Collected automatically when you access the platform.
2. Legal Basis for Processing
We process personal data under the following legal bases (GDPR Article 6):
- Contract performance — account data and billing data are necessary to provide the Service you have subscribed to.
- Legitimate interests — usage and technical data to maintain security, debug, and improve the platform, where our interests do not override yours.
- Legal obligation — retaining billing records as required by applicable tax and accounting law.
- Consent — analytics and personalisation cookies, where you have provided consent via our cookie banner.
3. How We Use Your Data
- Providing, maintaining, and improving the Service.
- Processing payments and managing subscriptions.
- Sending transactional emails (account confirmation, billing receipts, password reset).
- Sending product update emails — you may unsubscribe at any time.
- Detecting and preventing fraud, abuse, and security incidents.
- Complying with legal obligations and responding to lawful requests from authorities.
4. AI Processing and Your Content
Content you submit (briefs, brand rules, corrections) is sent to Anthropic's API to generate article drafts and quality assessments. Anthropic processes this data as a sub-processor on our behalf. Anthropic does not use content submitted via API to train its models.
We do not use your content or output to train or fine-tune any AI model, whether operated by us or a third party.
5. Sub-processors and Data Sharing
We share personal data with the following categories of third parties, under data-processing agreements where required by GDPR:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting and edge delivery | US/EU |
| Stripe | Payment processing | US/EU |
| Anthropic | AI content generation | US |
| [Analytics provider] | Usage analytics (consent-gated) | [Location] |
We do not sell personal data. We do not share it with advertisers or data brokers.
6. International Transfers
Some of our sub-processors operate outside the European Economic Area (EEA). Where data is transferred to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism.
7. Data Retention
We retain account and content data for as long as your account is active. When you delete your account or your subscription is terminated, we retain your data for 60 days to allow export, after which it is permanently deleted from production systems. Anonymised usage aggregates may be retained for longer for statistical purposes.
Billing records are retained for 7 years as required by applicable accounting regulations.
8. Your Rights Under GDPR
If you are based in the EEA, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your data, subject to legal retention obligations.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to limit processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@cpywrk.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption at rest (AES-256) and in transit (TLS), access controls, and regular security reviews. No system is completely secure; we cannot guarantee absolute security.
In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you and relevant supervisory authorities in accordance with GDPR.
10. Cookies
We use cookies and similar tracking technologies. See our Cookie Policy for full details.
11. Children
The Service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated by email at least 14 days before they take effect. The "last updated" date at the top reflects the most recent revision.
13. Contact
For privacy-related questions or to exercise your rights, contact us at privacy@cpywrk.com or by email at privacy@cpywrk.com.