The Contract
What we keep. What we don't.
This page is a contract you can read in full before you decide. It tells you what data the system collects, what it does not, where each piece lives, who can see it, and how to remove it. We try not to bury anything.
The two sentences that matter most
Your letter is never stored on our servers. It exists in your browser session only. When you close the tab, it is gone from our side. The downloaded .docx is yours alone.
We do not run analytics on the content of your letter or your assessment. No tracking pixels on the assessment, no behavioural profiling of your responses, no third-party scripts watching what you fill in.
The rest of this page elaborates those two sentences.
What is collected
| Data | Stored where | When deleted |
|---|---|---|
| Email address (for magic-link sign-in) | Our authentication service, hosted in the EU | When you ask for account deletion |
| Consent flag | Your account profile | When you ask for account deletion |
| Optional sign-off name, parent-figure terms, and younger-self details (greeting + closing names) | Your account profile | Editable any time from your /account page; deleted with account |
| Assessment responses (question, attribution, score, optional note, review/triggering flags) | Our database (EU region) | "Reset questions" wipes them; deleted with account |
| Customisation preferences (style, structure, length, recipient, exclusions) | Our database (EU region) | "Reset customisations" wipes them; deleted with account |
| Generation history entries (model used, question count, timestamp — for rate limiting) | Our database (EU region) | Preserved on both resets (anti-gaming rate-limit guard); deleted with account |
| Optional post-letter feedback questionnaire | Our database (EU region) | Deleted with account |
That is the entire list. Anything not in this table is either not collected or lives only in your browser.
What is not collected
- The letter itself. Never saved on our servers. Held in your browser tab only — closing the tab erases it.
- Safety-screening (SRS-8) results. In your browser tab only.
- Wellbeing-baseline (PWA-9) results. In your browser tab only.
- Any behavioural analytics on the assessment or letter content. No pixels, no heatmaps, no session replays.
- No third-party scripts load on assessment, customisation, or generation pages.
- No advertising data, no marketing data, no data shared with advertisers. There are no advertisers.
- No password. Sign-in is by one-click email link, so there is no password to store, leak, or be compromised.
Why the letter never reaches our servers
The key architectural decision: the most sensitive content — the letter, the screening results — never touches our database.
Your browser holds the letter inside the open tab itself. When you close that tab, the letter is gone. Not "marked for deletion" — gone. Refreshing the tab keeps it; closing it does not.
Why we made this choice:
- The letter is the artefact. We do not need to keep it in order to give it to you. You already have it.
- The screening results inform your immediate session (do we need to surface crisis resources, what's your wellbeing baseline). They do not need to persist.
- The architectural cost of "we never have it on our side" is cheaper to explain than "we have it but you can trust us."
What this means in practice:
- If you want to keep the letter, save the .docx somewhere safe before you close the tab.
- If you re-open the tab fresh, the letter and screening data are gone, and you regenerate.
- We cannot show you a letter you generated yesterday. By design.
Authentication: passwordless
Sign-in uses magic links. You enter your email, we send a one-click sign-in link, you click. There is no password to create, no password to remember, no password for us to leak.
Our authentication service is hosted in the EU. Magic links expire shortly after issue and become single-use after click. We do not retain link tokens after expiry.
If invitations are required for early access, a server-side endpoint validates the access code without ever shipping the list of valid codes to the browser.
Per-account access: your data is yours alone
Every record that holds your data is gated by per-account access rules enforced at the database layer. The short version:
- Your responses are only readable by you. The same applies to your preferences, your feedback, and your generation history.
If you want to see the specific access rules, they live in our publicly available source repository.
Right to export
You can take your data with you.
- Your responses can be exported in a structured file (JSON or CSV). The exported rows carry framework and section context only — the questionnaire's source question wording is intentionally excluded so what you receive is your record, not the instrument.
- Your customisation preferences are exported alongside in the JSON variant.
- Your letter is already in your hands as a .docx. We never had a server-side copy, so there is nothing further to export.
The one-click export action lives on your /account page. Rate-limited to one export per 24 hours per account.
Right to delete
Three scopes, all self-serve from your /account page:
Reset your questions. Marks your assessment responses, per-question notes, and flags as deleted — they disappear from your account and the letter pipeline immediately and become permanently unrecoverable after 30 days. The 30-day window exists so an accidental reset can be undone by support; after the window passes, a scheduled sweep hard-deletes the rows and no human or automated path can bring them back. Your customisations, profile, and account remain.
Reset your customisations. Permanently and immediately deletes your letter customisation choices (writing style, structure, length, recipient, exclusions) and your additional context. Your assessment responses, profile, and account remain.
Delete your account. A self-serve action gated by typing your account email as confirmation. Removes everything immediately and permanently: profile, responses (including any that were in the 30-day reset window — no recovery survives account deletion), preferences, generation history, feedback, the email itself. Your sign-in record is deleted. There is nothing left to associate with you.
In every case the action is server-side. Account deletion and customisations reset are irreversible immediately; assessment reset is irreversible after 30 days. We log every reset action (which endpoint, which table, when, from where as a hashed origin identifier — never raw IP) so we can investigate any data-loss report you bring us.
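The three scopes above, as an added example that is not the product's own code: an in-memory model of the soft delete with its 30-day undo window, the scheduled hard-delete sweep, the two immediate deletes, and an audit log that records a keyed hash of the request origin instead of the raw IP. The table layout, the `deleted_at` column, the HMAC-with-server-pepper construction and the endpoint names are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RESET_WINDOW = timedelta(days=30)                 # assessment reset is undoable for 30 days
ORIGIN_PEPPER = b"constructed-server-side-pepper"  # constructed secret; never reaches the browser

def hash_origin(ip: str) -> str:
    # Keyed hash of the request origin, so the audit log never holds a raw IP.
    return hmac.new(ORIGIN_PEPPER, ip.encode(), hashlib.sha256).hexdigest()[:16]

def ts(day: int) -> datetime:
    # Constructed clock: day N after a fixed UTC epoch.
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=day)

class Store:
    def __init__(self):
        self.responses = {}       # row_id -> {"user": id, "deleted_at": None | datetime}
        self.customisations = {}  # row_id -> {"user": id}
        self.audit = []           # (endpoint, table, when, hashed origin)

    def _drop_user(self, table, user):
        return {k: v for k, v in table.items() if v["user"] != user}

    def reset_questions(self, user, now, ip):
        # Soft delete: hidden at once, but rows survive RESET_WINDOW so support can undo.
        for row in self.responses.values():
            if row["user"] == user and row["deleted_at"] is None:
                row["deleted_at"] = now
        self.audit.append(("reset-questions", "responses", now, hash_origin(ip)))

    def undo_reset(self, user, now):  # support-side undo, valid only inside the window
        for row in self.responses.values():
            if row["user"] == user and row["deleted_at"] and now - row["deleted_at"] < RESET_WINDOW:
                row["deleted_at"] = None

    def reset_customisations(self, user, now, ip):  # immediate hard delete; nothing to undo
        self.customisations = self._drop_user(self.customisations, user)
        self.audit.append(("reset-customisations", "customisations", now, hash_origin(ip)))

    def delete_account(self, user, now, ip):  # hard delete, including rows still in the window
        self.responses = self._drop_user(self.responses, user)
        self.customisations = self._drop_user(self.customisations, user)
        self.audit.append(("delete-account", "*", now, hash_origin(ip)))

    def sweep(self, now):  # scheduled job: hard-delete soft-deleted rows once the window has passed
        self.responses = {k: v for k, v in self.responses.items()
                          if v["deleted_at"] is None or now - v["deleted_at"] < RESET_WINDOW}

    def visible_responses(self, user):
        return [k for k, v in self.responses.items() if v["user"] == user and v["deleted_at"] is None]
```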
Anonymous-by-design intent
We do not link your assessment data to any external identity beyond the email used for sign-in. We do not enrich your data from third-party sources. We do not buy data about you.
The minimum viable identifying information is your email. We are exploring fully anonymous access options for future versions, but they are not promised.
Security posture
What we actively do:
- Encryption in transit. Every connection between your browser, our backend, our database, and our model provider is encrypted.
- Encryption at rest. Our database provider encrypts stored data at rest by default.
- Server-side validation of all writes. The client cannot insert or update records belonging to another user; per-account rules at the database layer enforce this regardless of client-side bugs.
- Input sanitisation on all user-supplied text before it enters the model prompt — prevents prompt injection from bleeding into letter output.
- Post-generation validation on the letter — checks for internal label leakage and invalid content before the letter is shown.
- No secrets in client code. Browser-side tokens are read-only and account-scoped; privileged server-only tokens never reach the browser.
- Rate limiting. A lifetime cap on letter generations per account guards against runaway costs and abuse.
What we do not promise:
- Zero-day protection. No system can promise that. We patch dependencies and follow upstream security advisories.
- Hardened against state-level adversaries. This is a small product built by one person. If your threat model includes nation-state attackers, this is not the right tool.
What we don't do
None of these have been disabled — they were never built. There are no analytics, no behavioural trackers, no fingerprinting scripts, and no event pipelines anywhere in this product's codebase — not on the assessment, not on the letter view, and not on the public marketing pages you're reading right now. We don't know which buttons you clicked, how long you stayed on this page, or what your browser fingerprint is.
The list below names specific things you might assume we'd have, because most products do. We don't.
- No tracking pixels on assessment, customisation, or generation pages.
- No behavioural analytics on the content of your letter or your assessment responses.
- No third-party scripts on assessment-flow pages.
- No data sold, shared, or rented to third parties. Ever.
- No advertising integrations. There is no advertising business in this product.
- No nag emails. We do not email you to "come back and finish your assessment."
- No A/B testing on you. Variants of the experience are not silently swapped on logged-in users mid-session.
Hosting and jurisdiction
- Application: Served from US-region serverless functions; static assets distributed via a global content delivery network.
- Database and authentication: Hosted in the EU.
- Letter assembly: Performed by a single large language model accessed through a routing service. The assembled prompt does not include your email or your raw notes once sanitised. The model is selected on terms that prohibit training on your submitted content.
The EU-region database choice is deliberate. A fuller data-protection statement (lawful basis, data subjects' rights, controller details) will be added when the formal compliance pass is performed.
The honest limit
Privacy guarantees are guarantees about the system as designed. They depend on:
- Our hosting and database providers living up to their security commitments (we audit their public posture; we do not run their data centres).
- Your own device and account security (an attacker with access to your email inbox can sign in as you).
- The integrity of the dependencies we ship (we use lockfiles, audit upstream advisories, and update on schedule).
We can promise the architecture. We cannot promise the world around it.