Privacy Policy
This Privacy Policy explains what personal data Writegarden processes when you use the Writegarden website (writegarden.com) and product (app.writegarden.com), why we process it, how long we keep it, who we share it with, and your rights under the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller for personal data processed in connection with Writegarden is Writegarden. For any data-protection enquiry — including to identify the responsible party for a formal request — contact privacy@writegarden.com.
A formal Data Protection Officer (DPO) has not been appointed, as it is not mandatory for our type and scale of processing. All data-protection enquiries are handled at the address above.
2. Data We Collect
2.1 Account Data
- Email address (used for authentication and communication)
- Password (hashed and salted; we never store or access your plaintext password)
- Account creation date and last login timestamp
2.2 Business Profile Data
- Company name, website URL, and industry
- Business type, description, and tone of voice
- Target audience, unique value proposition, and business goals
- Competitor information
2.3 SEO and Keyword Data
- Keywords and keyword research results
- Search volumes, keyword difficulty scores, CPC data
- SERP analysis data and competitor keyword analysis
2.4 Generated Content
- AI-generated articles (HTML content)
- AI-generated images (PNG files)
- Meta descriptions, titles, and SEO scores
- Article status history (draft, published, etc.)
2.5 Integration Data
- OAuth access and refresh tokens for connected platforms (Webflow, Shopify, WordPress, Wix, Framer, Google Search Console)
- These tokens are encrypted using AES-256-GCM before storage and are used solely to publish content or retrieve data on your behalf
2.6 Usage Data
- Article generation and publishing events
- Keyword analysis completions
- Onboarding progress
- Feature usage patterns
3. Purpose and Legal Basis
We process your data under the following legal bases as defined by the GDPR:
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Providing the Service | Contract performance (Art. 6(1)(b)) | Account, business profile, content |
| AI content generation | Contract performance (Art. 6(1)(b)) | Business context, keywords, competitors |
| Publishing to CMS platforms | Contract performance (Art. 6(1)(b)) | Content, integration tokens |
| SEO analysis and keyword research | Contract performance (Art. 6(1)(b)) | Domain, keywords, location |
| Service improvement | Legitimate interest (Art. 6(1)(f)) | Usage data, aggregated analytics |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Account data, access logs |
| Marketing communications | Consent (Art. 6(1)(a)) | Email address |
4. AI Data Processing
To generate content, we send certain data to third-party AI providers. This section explains what data is sent, to whom, and what safeguards are in place.
| AI System | Purpose | Data Sent | Provider |
|---|---|---|---|
| GPT-4 / Claude | Article generation | Business context, keywords, competitor data | OpenRouter (US) |
| Perplexity | Domain research | Website URL, domain name | OpenRouter (US) |
| Gemini 2.5 Flash | Image generation | Article context, style preferences | OpenRouter (US) |
| Custom AI | Keyword suggestions | Keyword lists, business context | OpenRouter (US) |
Safeguards: We do not send your email address, password, or OAuth tokens to AI providers. Only the business context and content-related data necessary for generation is transmitted. All requests are made server-side through our secure backend, not from your browser.
For more information about how AI is used in our Service, please see our AI Disclosure Policy.
5. Third-Party Data Processors
We use the following third-party service providers (sub-processors) to deliver our Service:
| Processor | Purpose | Data Handled | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All user and business data | AWS (EU region) |
| Vercel | Marketing-site hosting and delivery | Public pages; form submissions in transit | EU edge / US |
| Cloudflare Turnstile | Bot/abuse mitigation on web forms | Captcha verification tokens | Global |
| DataForSEO | Keyword and SEO metrics | Domain, keywords, location codes | EU |
| N8N Cloud | Workflow orchestration | Article generation payloads | EU |
| OpenRouter | AI model access (GPT-4, Perplexity, Gemini) | Prompts, business context, images | US |
| Stripe | Subscription billing and payment processing | Billing details; card data handled by Stripe | US / Ireland |
| ScreenshotOne | Website screenshot capture | Website URLs | Outside EEA (SCCs) |
We also interact with third-party CMS platforms (Webflow, Shopify, WordPress, Wix, Framer) when you choose to publish content. These interactions are initiated by you and governed by the respective platform's terms and privacy policies.
6. International Data Transfers
Some of our sub-processors operate outside the European Economic Area (EEA). When your data is transferred to countries without an EU adequacy decision, we ensure appropriate safeguards are in place:
- OpenRouter (US): Transfer is covered by Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by a Transfer Impact Assessment.
- Webflow / Shopify (US/Canada): Only when you initiate content publishing; governed by their respective data processing agreements.
You may request a copy of the applicable transfer safeguards by contacting privacy@writegarden.com.
7. Data Retention
We retain your data only for as long as necessary for the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Business profile data | Duration of account + 30 days after deletion |
| Generated articles and images | Duration of account + 90 days after deletion |
| Keyword and SEO data | Duration of account + 30 days after deletion |
| OAuth tokens | Until disconnected or account deletion |
| Server logs | 90 days |
After the retention period, data is permanently and irreversibly deleted from our systems and sub-processor systems.
8. Your Data Protection Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): You may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): You may correct inaccurate or incomplete data through your account settings or by contacting us.
- Right to erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): You may request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact privacy@writegarden.com. We will respond within 30 days as required by the GDPR.
You also have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD) or your local supervisory authority.
9. Cookies
Our use of cookies is described in our Cookie Policy. Essential cookies required for authentication and basic functionality are set without consent. Non-essential cookies (analytics, marketing) require your explicit consent before being set.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS for all communications)
- Encryption at rest for stored data
- AES-256-GCM encryption for OAuth tokens
- Row-Level Security (RLS) policies ensuring data isolation between organizations
- Server-side credential management (API keys and secrets are never exposed to browsers)
- Hashed and salted passwords
- Regular security reviews and updates
11. Children's Data
The Service is a B2B platform designed for business use and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, contact privacy@writegarden.com and we will take steps to delete such data.
12. Automated Decision-Making
The Service uses AI and automated processing in the following ways:
- Keyword suggestions: AI analyzes your business context to suggest relevant keywords and identify negative keywords.
- Business inference: AI infers business characteristics from your domain data to improve content relevance.
- Content generation: AI generates articles and images based on your inputs.
These automated processes assist in content creation but do not produce legal effects or similarly significant effects on you. All AI-generated outputs are recommendations that you review and control before publication.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by displaying a prominent notice in the Service. The "Last updated" date at the top of this page indicates when this policy was last revised.
14. Contact
For privacy-related questions, data subject requests, or complaints, contact privacy@writegarden.com.
Supervisory authority: Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt.