Privacy Policy
Who we are
Copydirector is operated by Bram de Waal h.o.d.n. Copydirector, registered in the Netherlands. Contact: privacy@copydirector.io.
What data we collect and why
| Category | Data | Legal basis | Purpose |
|---|---|---|---|
| Account data | Name, email, password (hashed) | Art 6(1)(b) contract performance | Account creation and authentication |
| Subscription data | Plan type, billing status, usage history | Art 6(1)(b) contract performance | Service delivery and billing |
| Brand Base content | Brand name, values, tone of voice, reference texts, website URLs and text extracted from them, briefings | Art 6(1)(b) contract performance | Generating AI-assisted copy outputs |
| Generated Content | AI-generated copy outputs | Art 6(1)(b) contract performance | Storing outputs for user access |
| Refinement conversations | The refinement instructions you type and the successive copy versions produced while iterating on a generation | Art 6(1)(b) contract performance | Letting you refine copy in conversation and keeping the iteration history so the assistant remembers earlier requests |
| Technical data | IP address, session cookies, usage logs | Art 6(1)(f) legitimate interests | Security, fraud prevention, service improvement |
| Content review records | User ID, generation ID, variant index, timestamp, review-confirmation flag, hashed IP, user agent | Art 6(1)(f) legitimate interests (establishing and defending legal claims) | Audit trail showing user reviewed AI-generated content for factual accuracy and brand suitability before download or copy, supporting compliance with consumer protection and product liability obligations |
| Product analytics | User ID, last-seen timestamp, page interactions, briefing form steps viewed, feature engagement events, voluntary feedback submissions | Art 6(1)(f) legitimate interests | Improving the Service based on observed usage patterns and direct user feedback during the closed beta and beyond |
AI processing and third-party data flows
To generate copy outputs, we send your Brand Base content, reference texts, and briefing inputs to Anthropic's Claude API. This includes your brand name, brand values, tone of voice, any text you have uploaded as reference material, and text extracted from website URLs you provide. When you refine a generation, the refinement instructions you provide and the relevant copy versions are also sent to the Claude API, including, where a conversation runs long, a summarised form of the earlier refinement history. It does not include your account credentials, payment data, or other users' data.
Anthropic processes this data as our sub-processor. Anthropic does not use API inputs to train its models. API inputs and outputs are retained by Anthropic for up to 7 days for abuse monitoring purposes, after which they are deleted. Where you use the prompt caching feature, your system prompt (including Brand Base data) may be cached for up to 5 minutes at Anthropic's infrastructure for performance purposes.
Anthropic's servers are located in the United States. This transfer is governed by Standard Contractual Clauses (Module 2 and Module 3) under Commission Implementing Decision (EU) 2021/914, incorporated into Anthropic's Data Processing Addendum.
Data storage
Your account data, Brand Bases, reference texts, and Generated Content are stored in Google Cloud Firestore, configured to EU region (europe-west). Google processes this data as our sub-processor under Google's Cloud Data Processing Addendum incorporating Standard Contractual Clauses.
When you upload a PDF or DOCX file, the file is processed in memory to extract text. The original file is not stored. Only the extracted text is retained in Firestore.
When you provide a website URL, the Service fetches the page and extracts its text. The original page is not stored; only the extracted text is retained in your Brand Base in Firestore and processed in the same way as uploaded materials.
Payment data
Payment processing is handled by Stripe. We do not store your payment card details. Stripe's privacy policy governs the processing of your payment data.
How long we keep your data
| Data category | Retention period |
|---|---|
| Brand Bases, reference texts, Generated Content, refinement conversations | Duration of active account + 30 days following account closure |
| Account data (email, name) | Duration of account + 7 years for tax/legal compliance purposes |
| Usage logs and technical data | 12 months |
| Product analytics and feedback submissions | 24 months |
| Content review records | 5 years from action timestamp |
| Billing records | 7 years (Dutch tax law requirement) |
| Inactive accounts | We will contact you after 12 months of inactivity. If no response within 30 days, your account and content data will be deleted. |
Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art 15): Request a copy of your personal data via the "Download my data" function in your account settings.
- Right to rectification (Art 16): Correct inaccurate data via your account settings.
- Right to erasure (Art 17): Delete your account and all associated data via account settings.
- Right to data portability (Art 20): Export your Brand Bases and Generated Content in JSON format via account settings.
- Right to object (Art 21): Object to processing based on legitimate interests by contacting privacy@copydirector.io.
- Right to restriction (Art 18): Request restriction of processing in certain circumstances.
We will respond to requests within one month. To exercise your rights, contact privacy@copydirector.io.
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.
Sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic Inc. | AI text generation | USA | SCCs (Module 2 + 3) |
| Google Cloud | Data storage (Firestore) | EU (europe-west) | Google Cloud CDPA with SCCs |
| Stripe Inc. | Payment processing | USA / EU | Stripe DPA with SCCs |
| Resend | Transactional email | EU / USA | SCCs |
We will update this list and notify you before adding new sub-processors.
Cookies
We use a minimal number of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Maintains your login session | Session (deleted when browser closes) |
| CSRF token | Strictly necessary | Protects against cross-site request forgery attacks | Session |
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. Because we only use strictly necessary cookies, we are not required to obtain your consent for these cookies under the ePrivacy Directive.
If we introduce any non-essential cookies in the future, we will update this policy and obtain your consent before setting them.
Changes to this policy
We will notify you of material changes by email at least 30 days before they take effect.