Privacy Policy

Last updated: December 7, 2025

1. Introduction

WorkRight.AI ("we", "us", "our") acts as the data controller for personal data processed through our workplace letter generation service. This Privacy Policy outlines our approach to data protection in alignment with GDPR principles (processing, transparency, rights). We are actively implementing all user rights under GDPR Articles 15-22.

By using our service, you agree to the collection and use of information in accordance with this policy.

2. Data Controller and Processors

2.1 Data Controller

WorkRight.AI is the data controller responsible for your personal data. We determine the purposes and means of processing your information.

2.2 Data Processors

We engage the following data processors who process data on our behalf under contractual obligations:

  • Supabase Inc. — Authentication and database hosting
  • Stripe, Inc. — Payment processing
  • OpenAI, L.L.C. — AI content generation
  • Vercel Inc. — Application hosting and delivery

Each processor is bound by data processing agreements that comply with GDPR Article 28 requirements.

3. Information We Collect

3.1 Account Data

  • Email address
  • Password (hashed using bcrypt; never stored in plain text)
  • Account creation timestamp
  • Account status (active, suspended, deleted)

3.2 Subscription and Payment Data

Payment processing is handled by Stripe. We do not store full credit card details. We receive and store:

  • Stripe customer ID
  • Subscription tier (Pro, Pro Plus, Lifetime Pro Plus)
  • Subscription status (active, cancelled, expired)
  • Payment dates and amounts (for billing records)
  • Last four digits of card (via Stripe metadata)

3.3 Generated Content

When you generate letters, we store:

  • Letter type, content, and metadata
  • Generation timestamp
  • Edit history associated with your account
  • User-provided inputs (e.g., names, dates, workplace details)

Security: Generated content is stored in Supabase PostgreSQL databases with encryption at rest. Access is controlled via Supabase Authentication and Row Level Security (RLS) policies that restrict data access to the owning user account only.

3.4 Technical and Usage Data

  • Browser type and version (via user agent)
  • Authentication tokens (session cookies)
  • Onboarding completion status (stored in browser localStorage)

We do not use analytics tracking, advertising pixels, or third-party behavioral monitoring.

4. Legal Basis for Processing

We process your personal data under the following lawful bases as defined by GDPR Article 6:

Contractual Necessity (Article 6(1)(b))

Processing is necessary to provide the service you have subscribed to, including account creation, letter generation, storage, and retrieval.

Legitimate Interests (Article 6(1)(f))

We process data to improve service functionality, maintain security, prevent fraud, and optimize user experience. We have assessed that these interests do not override your rights and freedoms.

Legal Obligation (Article 6(1)(c))

We retain billing and payment records to comply with tax and financial reporting obligations under UK and international law.

Consent (Article 6(1)(a))

Where applicable, we obtain your explicit consent for optional communications such as product updates or marketing (which you may withdraw at any time).

5. How We Use Your Information

We process your personal data for the following purposes:

  • Providing access to the letter generation service
  • Authenticating and authorizing users
  • Processing and managing subscriptions
  • Storing and retrieving generated letters
  • Communicating critical service updates (e.g., security notices, subscription changes)
  • Responding to support requests
  • Improving service functionality and user experience
  • Complying with legal and regulatory obligations
  • Preventing fraud, abuse, and security incidents

6. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data.

We share data only with trusted processors necessary to operate the service:

Supabase Inc.

Purpose: Database storage, user authentication, and session management.
Data shared: Email, hashed password, generated letters, subscription metadata.
Location: US, EU (data residency configurable).
Security: Encryption at rest, Row Level Security (RLS), SOC 2 Type II certified.

Stripe, Inc.

Purpose: Payment processing and subscription billing.
Data shared: Email, subscription details, payment amounts.
Location: US, EU.
Security: PCI-DSS Level 1 certified. Stripe's privacy policy governs payment data handling.

OpenAI, L.L.C.

Purpose: AI-powered letter generation.
Data shared: User-submitted text inputs (situation details, desired outcomes, etc.) required to generate letters.
Location: US.
Retention: OpenAI retains API inputs for up to 30 days for abuse monitoring, then deletes them. Data is not used to train models unless you explicitly opt in via OpenAI's platform (we do not enable training).
Policy: OpenAI Privacy Policy

Vercel Inc.

Purpose: Application hosting and content delivery.
Data shared: HTTP request metadata (IP addresses transiently processed for routing; not logged or stored by us).
Location: US, global edge network.
Security: TLS 1.3 encryption, DDoS protection, ISO 27001 certified infrastructure.

All processors are contractually required to handle data in accordance with GDPR and UK GDPR standards.

7. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption in transit: TLS 1.3 for all HTTPS connections
  • Encryption at rest: Database-level encryption via Supabase (AES-256)
  • Access control: Row Level Security (RLS) policies enforce user-level data isolation
  • Authentication: Supabase Auth with hashed passwords (bcrypt) and secure session tokens
  • Infrastructure security: SOC 2 Type II compliant hosting environments
  • Monitoring: Anomaly detection for unauthorized access attempts

While we take security seriously, no system is completely secure. You are responsible for safeguarding your account credentials.

8. Data Retention

8.1 Active Accounts

We retain account data and generated letters for as long as your account remains active or as necessary to provide services.

8.2 Account Deletion

Upon account deletion, we permanently erase your personal data within 30 days, subject to the exceptions below.

8.3 Legal Retention Requirements

We retain certain records to comply with legal obligations:

  • Billing and payment records: Minimum 6 years (UK tax law compliance)
  • Fraud prevention logs: Up to 7 years where required for legal claims or investigations

8.4 Backup Retention and Propagation

Deleted data may persist in encrypted backups for up to 90 days due to backup rotation schedules. Backups are inaccessible for operational use and are purged automatically after the retention window.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access (Article 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data.
  • Right to Erasure (Article 17): Request deletion of your data, subject to legal retention obligations.
  • Right to Restriction of Processing (Article 18): Limit how we use your data in certain circumstances.
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format (e.g., JSON export of generated letters).
  • Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent (Article 7(3)): Withdraw consent for optional processing (e.g., marketing emails) at any time.

Exercising Your Rights: To submit a request, contact us at privacy@workrightai.com. We will respond within 30 days as required by GDPR Article 12(3).

Right to Complain: If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.

10. Cookies and Local Storage

We use essential cookies and browser storage for service functionality:

  • Authentication cookies: Supabase session tokens (HttpOnly, Secure, SameSite=Lax)
  • Local storage: User preferences (e.g., onboarding completion, UI settings)

We do not use: Analytics cookies, advertising trackers, social media pixels, or behavioral profiling technologies.

11. International Data Transfers

Your data may be transferred to and processed in the United States and the European Union by our processors (Supabase, Stripe, OpenAI, Vercel).

These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Processor commitments to GDPR-equivalent data protection standards

12. Children's Privacy

Our service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a child without parental consent, we will delete it immediately.

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant impacts on users (GDPR Article 22). AI-generated letter content is advisory and subject to user review and editing.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features.

Notification: Material changes will be communicated via email or prominent notice on our website at least 30 days before taking effect.

Continued use of the service after changes constitutes acceptance of the updated policy.

15. Contact Information

For questions, complaints, or requests regarding your personal data or this Privacy Policy, contact:

Data Controller: WorkRight.AI

Email: privacy@workrightai.com

Website: workrightai.com

We will respond to all requests within 30 days in accordance with GDPR requirements.