R Rewritelyapp
Sign inTry free
Privacy policy

Privacy policy

Effective May 21, 2026 · Plain-language summary at the top, full text below.

Plain-language summary. We store the minimum data needed to run the product. Your documents are encrypted at rest and deleted 30 days after your last edit. We never use your documents to train any model. We don’t sell personal data, ever. If you delete your account, we delete everything within 7 days.

1. What we collect

  • Account data, email, hashed password (or OAuth identifier), preferences, billing identifiers from Stripe.
  • Document data, the text of any document you submit for polishing, the polished output, the rubric scores, the detector verdicts. Encrypted at rest (AES-256).
  • Usage data, counts of polishes, words used, detector checks. Aggregated for billing and capacity planning.
  • Diagnostic data, errors, request timings. Stripped of document content.

2. What we do not collect

  • We do not use cookies for advertising. The only cookies we set are session and CSRF.
  • We do not buy or sell email lists.
  • We do not track your activity outside Rewritelyapp.

3. How long we keep things

  • Documents: 30 days after last edit by default. You can change this to 90 days or ‘manual deletion only’ in your profile.
  • Account data: until you delete your account.
  • Billing records: 7 years for tax compliance (anonymized after account deletion).
  • Diagnostic logs: 30 days.

4. Training

We do not use your documents to train any model, ours or anyone else’s. The fine-tuning data for our polish adapter is drawn entirely from public academic-writing sources and 4,800 author-permissioned essays collected before launch. Methodology →

5. Subprocessors

We rely on a small set of vendors. Each handles only what they need:

  • Google Cloud Vertex AI (europe-west4), serves the polish model (Gemini 2.5 Pro via Model Garden + Gemini for embeddings). Google does not train on customer data submitted to Vertex AI.
  • Google Cloud Run (europe-west1), hosts our application layer.
  • Supabase (EU region), database and authentication.
  • Stripe, payments.
  • Resend, transactional email.

A Data Processing Agreement (DPA) with each is available on request for institutional customers.

6. Academic integrity

We have an explicit stance on what we will and won’t do with respect to academic integrity. Read it here →

7. Your rights

Under GDPR / CCPA / similar regimes, you have the right to access, export, correct, or delete your data. All four are available from your profile without contacting us. Or email privacy@rewritelyapp.com.

8. Children

Rewritelyapp is not directed at users under 16. If you become aware that a minor has created an account, please email us.

9. Changes

Material changes to this policy will be announced 30 days in advance via email. The full revision history is published on our changelog.

10. Contact

Data controller: Rewritelyapp Limited, registered in the United Kingdom. Email privacy@rewritelyapp.com.