Privacy Policy

1. Who We Are

Gentlr is operated by Pleasant Secret Labs ("we", "us", "our"). We are the data controller responsible for your personal data.

Contact:
Email:

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

Email address
Name (or username)
Password (stored securely hashed)
Authentication provider (if using Google or Apple sign-in)

2.2 Usage Data

When you use our transformation service, we collect metadata about your usage:

Collected	NOT Collected
Message type (Slack, Email, WhatsApp)	❌ Your original message text
Transformation options selected	❌ The transformed output text
Message length (character count only)	❌ Message content
Improvement percentages	❌ Personal information in messages
Source and target language (if translation used)
Features used (Viewsifier™, clarity, concise)
Timestamp

        Important: We do NOT store the actual content of your messages in our database. Your message text is processed in real-time and not retained by us.
      

2.3 Payment Information

Payment processing is handled by third-party providers (Apple App Store, Google Play, or Stripe via RevenueCat). We do not store your credit card details. We only receive:

Subscription status (active/expired)
Subscription type
Transaction identifiers

2.4 Feedback Data NEW

When you provide feedback on transformations or the app, we collect:

Rating: Your thumbs up or thumbs down response
Comment: Any optional comment you choose to provide
Context: Which feature or transformation the feedback relates to
Timestamp: When the feedback was submitted

Feedback is linked to your account so we can follow up if needed, and to help us understand usage patterns.

        Your feedback helps us improve: We review feedback to identify issues, improve our AI prompts, and prioritize new features. Providing feedback is always optional.
      

2.5 Feature Access Requests

Some features (like Viewsifier™) may require approval. When you request access:

We record your request and any message you include
Your request is reviewed by our team
We may contact you via email regarding your request

2.6 Browser Extension NEW

When you use the Gentlr Chrome browser extension, the following applies:

What the Extension Accesses

Data Type	Purpose	Storage
Text you select on webpages	To transform the text you choose	Not stored (processed in real-time)
Authentication tokens	To keep you logged into your Gentlr account	Stored locally in your browser
Your transform settings	To remember your preferences	Stored locally in your browser

Extension Permissions Explained

activeTab: Allows reading text you select on the current tab. We only access the specific text you highlight—not your browsing history, passwords, or other page content.
storage: Saves your login session and preferences locally in your browser so you don't have to log in repeatedly.
contextMenus: Adds "Transform with Gentlr" to your right-click menu for convenient access.

        What the Extension Does NOT Do:
        Does NOT track your browsing history
Does NOT access pages you don't interact with
Does NOT read passwords, form data, or sensitive fields
Does NOT collect any data unless you explicitly select text to transform
Does NOT run in the background when not in use

      

Data Flow

When you transform text via the extension:

You select text and click "Transform" (or use the context menu)
The selected text is sent securely to our servers (same as the web app)
Our servers send the text to Anthropic's Claude AI for transformation
The transformed text is returned to your browser
Neither we nor Anthropic retain your message content long-term

3. How We Use Your Data

We use your data for the following purposes:

Purpose	Legal Basis (GDPR)
Provide the transformation service	Contract performance
Manage your account	Contract performance
Process payments	Contract performance
Show you usage statistics and insights	Legitimate interest
Improve our service based on feedback	Legitimate interest
Process feature access requests	Legitimate interest
Generate aggregated analytics	Legitimate interest
Respond to support requests	Legitimate interest
Comply with legal obligations	Legal obligation

3.1 Internal Analytics NEW

We use aggregated, anonymized data to understand how Gentlr is used:

Total number of transformations performed
Most popular features and settings
Language usage patterns
Feedback trends (satisfaction rates)

This data helps us improve the service for all users. Individual usage data is only accessible to authorized administrators for support purposes.

3.2 Admin Notifications

Our team receives notifications about certain events to help us manage the service:

New user signups (to monitor growth)
Feature access requests (to process approvals)
Feedback submissions (to respond to issues)
System errors (to maintain service quality)

These notifications contain minimal information necessary for their purpose and are only accessible to authorized team members.

3.3 Automated Decision-Making & AI Processing NEW

Gentlr uses artificial intelligence to transform your messages. Here's what you should know:

How AI Processing Works

What happens: Your message text is sent to Anthropic's Claude AI, which analyzes it and generates a transformed version
Human oversight: No automated decisions are made about you personally—the AI only transforms text you submit
No profiling: We do not use AI to profile you, make predictions about you, or make decisions that affect your rights

Your Control

You choose what text to transform
You can edit or reject any transformation
You control your transformation settings
You can delete your data at any time

        GDPR Note: Under Article 22 of GDPR, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. Gentlr's AI processing is a tool you control—it does not make decisions about you.
      

We do not sell your personal data to third parties.

4. Data Sharing & Sub-Processors

We use trusted service providers ("sub-processors") to help operate Gentlr. Below is a complete list of all third parties who may process your data, what they receive, and where they are located.

Data Processing Agreements: We have Data Processing Agreements (DPAs) in place with all sub-processors that handle personal data, ensuring they meet GDPR and other regulatory requirements.

4.1 Complete Sub-Processor List

Provider	Purpose	Data Processed	Location
Anthropic	AI text transformation	Message text (temporary)	United States
Supabase	Database & authentication	Account info, usage metadata	United States
Cloudflare	Web hosting, CDN, security	IP address, request logs	Global (edge locations)
Google	OAuth sign-in, Fonts	Email, name (OAuth); IP (Fonts)	United States
Apple	Sign in with Apple	Email (or relay), user ID	United States
Resend	Transactional email	Email address, email content	United States
RevenueCat	Subscription management	User ID, subscription status	United States

4.2 Detailed Provider Information

Anthropic (Claude AI)

Your message text is sent to Anthropic's Claude API for transformation processing.

What they receive: Your message text (temporarily)
Retention: Up to 30 days for safety monitoring
Training: Anthropic does NOT use API data to train their AI models
Privacy Policy: anthropic.com/privacy

Supabase

Our database and authentication provider.

What they store: Account info, usage metadata, feedback, preferences
Security: SOC 2 Type II certified, encrypted at rest and in transit
Privacy Policy: supabase.com/privacy

Cloudflare Pages

Hosts our web application and provides security services.

What they receive: IP address, browser type, request headers, page URLs
Purpose: DDoS protection, CDN caching, SSL/TLS encryption
Privacy Policy: cloudflare.com/privacypolicy

Google

Used for optional social sign-in and web fonts.

Google Sign-In: If you choose to sign in with Google, we receive your email address and name from your Google account
Google Fonts: Our website loads fonts from Google's servers. This means Google receives your IP address when you visit our site
Privacy Policy: policies.google.com/privacy

Apple

Used for optional social sign-in.

Sign in with Apple: If you choose to sign in with Apple, we receive either your real email or an Apple relay email, plus a unique user identifier
Hide My Email: Apple's relay email feature is fully supported
Privacy Policy: apple.com/legal/privacy

Resend

Sends transactional emails on our behalf.

What they receive: Your email address and email content (password resets, notifications)
Retention: Email logs retained for 30 days
Privacy Policy: resend.com/legal/privacy-policy

RevenueCat

Manages subscriptions across app stores.

What they receive: Anonymous user ID, subscription status, purchase history
Note: We do not share your email or name with RevenueCat
Privacy Policy: revenuecat.com/privacy

4.3 Browser Extension Data Flow

When using the Chrome browser extension, data flows through the same providers listed above. The extension itself:

Stores authentication tokens locally in your browser (not on our servers)
Sends transform requests to our Supabase backend
Routes through Cloudflare for security
Uses Anthropic for AI processing

The extension does NOT send data to any additional third parties beyond those listed above.

4.4 Changes to Sub-Processors

We will update this list if we add new sub-processors. For material changes that affect how your data is processed, we will notify you via email at least 30 days in advance when feasible.

5. Security Measures NEW

We implement appropriate technical and organizational measures to protect your personal data:

5.1 Technical Security

Encryption in Transit: All data is encrypted using TLS 1.2+ (HTTPS) between your browser and our servers
Encryption at Rest: Database contents are encrypted using AES-256
Password Security: Passwords are hashed using industry-standard algorithms (bcrypt) and never stored in plain text
API Security: All API endpoints require authentication; rate limiting prevents abuse
Infrastructure: Hosted on SOC 2 compliant infrastructure (Supabase, Cloudflare)

5.2 Access Controls

Principle of Least Privilege: Team members only have access to data necessary for their role
Authentication: Admin access requires multi-factor authentication
Audit Logging: Access to sensitive data is logged and monitored

5.3 Data Minimization

We do not store your message content in our database
We collect only the metadata necessary for service operation
Usage statistics are aggregated and anonymized where possible

5.4 Incident Response

In the event of a data breach that poses a risk to your rights and freedoms, we will:

Notify affected users within 72 hours (as required by GDPR)
Report to relevant supervisory authorities as required by law
Take immediate steps to contain and remediate the breach

        Security Questions? If you have concerns about our security practices or want to report a vulnerability, please contact us at 
        
      

6. Data Retention

Data Type	Retention Period
Account information	Until you delete your account
Usage statistics	Until you delete your account
Feedback submissions	Until you delete your account
Feature access requests	Until you delete your account
Message content (at Anthropic)	Up to 30 days
Payment records	As required by law (typically 7 years)

7. Cookies & Local Storage

We use cookies and similar technologies for the following purposes:

7.1 Essential Cookies

Required for the app to function. These cannot be disabled.

Authentication cookies: Keep you logged in (set by Supabase)
Session cookies: Maintain your session state

7.2 Preference Cookies

Language preference: Remember your UI language choice
Feature preferences: Remember your default settings

We do not use advertising or tracking cookies.

7.3 Browser Extension Storage

The Chrome extension uses chrome.storage.local to store:

Authentication session: Your encrypted login token so you stay signed in
User preferences: Your transform settings (message type, options)
Feature toggles: Whether floating button and context menu are enabled

This data is stored only on your device and is not sent to our servers (except authentication tokens which are sent with each transform request to verify your identity).

        Clearing Extension Data: You can clear all extension data by:
        Logging out within the extension
Removing the extension from Chrome
Clearing browser data in Chrome settings

      

Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from using Gentlr.

8. Your Rights

Depending on your location, you have the following rights regarding your personal data:

8.1 All Users

Access: Request a copy of your personal data
Deletion: Request deletion of your account and data
Correction: Update or correct your information

8.2 EU/UK Residents (GDPR)

Under the General Data Protection Regulation, you have the following additional rights:

Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
Restriction: Request limited processing of your data while we address a concern
Objection: Object to processing based on legitimate interest
Withdraw Consent: Where processing is based on consent, you may withdraw it at any time
Lodge a Complaint: With your local supervisory authority (see list below)

Supervisory Authorities

UK: Information Commissioner's Office (ICO) - ico.org.uk
Ireland: Data Protection Commission - dataprotection.ie
Germany: Your state's data protection authority (Landesdatenschutzbeauftragter)
France: CNIL - cnil.fr
Other EU: Your country's Data Protection Authority

8.3 California Residents (CCPA/CPRA) ENHANCED

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have specific rights:

Your Rights

Right to Know: What personal information we collect, use, disclose, and sell
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Of sale or sharing of personal information
Right to Limit: Use and disclosure of sensitive personal information
Right to Non-Discrimination: Equal service and pricing regardless of privacy choices

Categories of Personal Information Collected

Category	Examples	Source	Business Purpose
Identifiers	Email, name, user ID	You provide directly	Account creation, authentication
Commercial Info	Subscription status, credits	Payment processors	Billing, service delivery
Internet Activity	Usage metadata, features used	Automatic collection	Service improvement, analytics
Geolocation	IP-based country/region	Automatic collection	Language defaults, compliance
Inferences	Usage patterns	Derived from activity	Service personalization

Do Not Sell or Share My Personal Information

        We do NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. We never have and never will. Therefore, there is no need to opt-out, but you may still contact us if you have questions.
      

Sensitive Personal Information

We do NOT collect sensitive personal information as defined by CPRA (Social Security numbers, financial account details, precise geolocation, racial/ethnic origin, religious beliefs, health information, sexual orientation, etc.).

8.4 How to Exercise Your Rights

Submit a Request: Email us at with your request.

Verification Process

To protect your privacy, we must verify your identity before processing requests:

We will ask you to confirm the email address associated with your account
For deletion requests, we may send a confirmation link to your registered email
If we cannot verify your identity, we may request additional information

Authorized Agents

California residents may designate an authorized agent to make requests on their behalf. To do so:

Provide written authorization signed by you
We may still require you to verify your identity directly
We may deny requests from agents who cannot provide proof of authorization

Response Times

GDPR: Within 30 days (extendable by 60 days for complex requests)
CCPA/CPRA: Within 45 days (extendable by 45 days with notice)
All others: Within 30 days

9. International Data Transfers

Your data may be transferred to and processed in countries outside your own, including the United States, where our service providers are located.

9.1 Transfer Mechanisms

For EU/UK users, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs): Approved by the European Commission, included in our contracts with sub-processors
Data Processing Agreements: In place with all vendors handling personal data
Adequacy Decisions: Where applicable, we rely on adequacy decisions for data transfers

9.2 Sub-Processor Locations

All our current sub-processors are located in the United States, with Cloudflare having global edge locations. See Section 4.1 for the complete list.

10. Children's Privacy

Gentlr is not intended for children under 16 years of age (or 13 in jurisdictions where that is the applicable age). We do not knowingly collect personal data from children.

If you believe a child has provided us with personal data, please contact us immediately at . We will promptly delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

Posting the new policy on this page
Updating the "Last updated" date
Sending an email notification for material changes (GDPR: at least 30 days notice)

For material changes affecting how we use your data, we will obtain your consent where required by law before implementing the changes.

Previous versions of this policy are available in our Version History.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Pleasant Secret Labs

Privacy Inquiries:
Security Issues:
General Support:

We aim to respond to all inquiries within 48 hours.

EU Representative

If you are located in the European Union and wish to contact a representative, please email us at and we will provide you with the appropriate contact information.