The Record
What we keep. What we don't.
This page tells you, in full and before you decide, what data the system collects, what it does not, where each piece lives, who can see it, and how to remove it. All of it is here, in plain language.
The three promises that matter most
Your letter never touches our servers. It exists in your browser session only — there is never a copy on our side. When you close the tab, it is gone. The downloaded .docx is yours alone.
We do not run analytics on the content of your letter or your assessment. No trackers on the assessment, no behavioural profiling of your responses, no third-party scripts watching what you fill in.
Your assessment answers are encrypted with a key only you hold. Your account is set up with a passphrase that becomes the encryption key. What sits on our side is unreadable without it — including by us.
The rest of this page elaborates those three promises.
What is collected
| What | Can we read it? | When deleted |
|---|---|---|
| Account & sign-in — your email address (used to send your sign-in link) and a yes/no record that you accepted the terms | Yes — this is the one group we need to read to operate your account | When you ask for account deletion |
| Your assessment — everything you record while answering: what you confirmed, who it involved, how much it affected you, and any notes or flags you added | No — encrypted with your passphrase | "Reset questions" wipes it; deleted with account |
| Your letter set-up — the personal touches (how you sign the letter, how you address the people in it) and the list of questions you excluded | No — encrypted with your passphrase. One exception: the simple style choices (writing style, structure, length, recipient) are readable by us — they are picks from a menu, like "longer letter", not content | "Reset customisations" wipes it; personal touches editable any time from your /account page; deleted with account |
| Wellbeing check-ins — the overall result of each safety screening (its tier only) and your wellbeing scores over time, kept so the app can offer re-checks at sensible intervals and show you your trend. Your individual answers in the safety screening, and anything you type there, are never stored | No — encrypted with your passphrase. We can see only the timestamps, so the app knows when a re-check is due | Deleted with account; or turn off trend-saving any time from your /account page — that removes the saved trend data, keeping only what the safety re-check schedule needs |
| Generation history — which model wrote your letter, when, and how many questions went in. Bookkeeping for rate limiting; no content | Yes — bookkeeping only | Preserved on both resets (anti-gaming guard); deleted with account |
| Feedback — optional post-letter feedback you choose to send | Yes — it is meant for us to read so we can improve the product | Deleted with account |
That is the entire list. Anything not in this table is either not collected or lives only in your browser.
What is not collected
- The letter itself. Never saved on our servers. Held in your browser tab only — closing the tab erases it.
- Your individual safety-screening (SRS-8) answers. Only the resulting tier is kept (encrypted, in your wellbeing history); the answers themselves, including anything you type, never leave your browser tab.
- Any behavioural analytics on the assessment or letter content. No heatmaps, no session replays, no scripts recording what you do.
- No third-party scripts load on assessment, customisation, or generation pages.
- No advertising data, no marketing data, no data shared with advertisers. There are no advertisers.
- No password. Sign-in is by one-click email link, so there is no password to store, leak, or be compromised.
Why the letter never reaches our servers
The key architectural decision: the most sensitive content — the letter itself — never touches our database.
Your browser holds the letter inside the open tab itself. When you close that tab, the letter is gone. Not "marked for deletion" — gone. Refreshing the tab keeps it; closing it does not.
Why we made this choice:
- The letter is made to be yours, not ours. We do not need to keep a copy in order to give it to you. You already have it.
- The architectural cost of "we never have it on our side" is cheaper to explain than "we have it but you can trust us."
What this means in practice:
- If you want to keep the letter, save the
.docxsomewhere safe before you close the tab. - If you re-open the tab fresh, the letter is gone, and you regenerate.
- We cannot show you a letter you generated yesterday. By design.
Why your assessment answers stay encrypted
The assessment is where the most personal material lives — what you confirmed about your childhood, who you attributed it to, the notes you wrote in your own words. We treat this material the way password vaults like Bitwarden or ProtonMail treat what you store with them: we hold it, but we cannot read it.
The plain version of how this works:
- When you sign up, your account is set up with a passphrase (either one generated for you, or one you set yourself). That passphrase becomes the key to your assessment.
- The key never leaves your browser. We never see it, never store it, cannot recover it.
- The answers you write are encrypted with that key before they reach us. What sits on our side is unreadable without the key — including by us.
- When you sign back in later, you re-enter the passphrase. The key comes back into your browser, and your assessment becomes readable to you again.
One honest boundary.
For the few seconds it takes to write your letter, your browser unlocks your answers and sends them to the language model — without that step, no letter could be written. That brief pass is the only moment your answers are readable outside your device, and nothing from it is stored: not on our side, not on the model provider's side. Fully end-to-end systems like Signal never have such a moment — and they also could never produce your letter. We chose the letter, and we keep the window as small as it can be.
A backup, in case you forget the passphrase.
At sign-up, you also see a 24-word backup code, shown once. It can unlock your data if you forget your passphrase. We do not have a copy. If you lose both the passphrase and the backup code, what is on our side stays unreadable — to you and to us. There is no recovery button we can offer; we built the system this way so the promise "we cannot read your data" holds honestly.
Authentication: passwordless
Sign-in is by email link. You enter your email, we send a one-click sign-in link, you click. There is no password to create, no password to remember, no password for us to leak.
Our authentication service is hosted in the EU. Sign-in links expire shortly after issue and become single-use after click. We do not retain link tokens after expiry.
Right to export
You can take your data with you.
- Your assessment answers can be exported as a structured file (JSON or CSV) — what you scored, what you attributed where, your notes. Because your answers are encrypted with your passphrase, you need to be signed in and unlocked for the export to work; the unlocking happens in your browser before the export is built.
- Your customisation choices are exported alongside in the JSON variant.
- Your letter is already yours as a
.docxfile. We never had a copy on our side, so there is nothing further to export.
The one-click export action lives on your /account page. Rate-limited to one export per 24 hours per account.
Right to delete
Three scopes, all self-serve from your /account page:
Reset your questions. Deletes your assessment answers, per-question notes, and flags. They disappear from your account and the letter pipeline immediately. Your customisations, profile, and account remain.
Reset your customisations. Deletes your letter customisation choices (writing style, structure, length, recipient, exclusions) and your additional context. They disappear from your account immediately. Your assessment answers, profile, and account remain.
Delete your account. A self-serve action gated by typing your account email as confirmation. Removes everything — profile, answers, preferences, generation history, feedback, the email itself, and your sign-in record. There is nothing left in the live service to associate with you.
In every case the data disappears from the app immediately and is permanently erased from our systems within 30 days. We keep backups solely for disaster recovery — so the service can be restored after a technical failure or accident — never to retain data you have deleted; your deleted data is cleared from them as each backup is dropped in the normal recovery cycle, within that same 30-day window. Throughout, your encrypted answers stay unreadable to us, because the key never leaves your device.
The action is server-side and, from your side, irreversible. We log every reset action — what was reset, when, and a one-way fingerprint of where the request came from (never your raw IP address) — so we can investigate any data-loss report you bring us.
Anonymous-by-design intent
We do not link your assessment data to any external identity beyond the email used for sign-in. We do not enrich your data from third-party sources. We do not buy data about you.
Even within our own operations, we cannot read your assessment content directly — it is encrypted with your passphrase (see Why your assessment answers stay encrypted above). What our internal view shows is your email, your sign-in history, and that your account took the assessment — never what is in the answers themselves.
The minimum viable identifying information is your email. We are exploring fully anonymous access options for future versions, but they are not promised.
Security posture
What we actively do:
- Protected in transit. Every connection between your browser, our backend, our database, and our model provider is encrypted while traveling, so eavesdroppers on the network cannot read it.
- Protected at rest, with an extra layer for your most personal material. Our storage provider encrypts everything stored by default, so a stolen physical disk gives an attacker nothing. On top of that, your assessment answers and the personal terms on your profile are encrypted with a key only you hold (your passphrase). Even with full access to our database, we cannot read this material.
- Your data can be changed only by you. Every write is checked on our servers, and the database itself enforces that no account can touch another account's records — even a bug in the app could not cross that line.
- What you type cannot be turned against your letter. Everything you write is cleaned before it reaches the language model, so stray or malicious text cannot hijack what your letter says.
- Every letter is checked before you see it. Generated letters are validated for leaked internal labels and malformed content, so what reaches you is clean.
- Your browser holds no master keys. What runs on your device can only ever see your own account; the credentials with wider power exist only on our servers.
- Abuse cannot crowd you out. Letter generation is capped per account, which keeps the service available and protected from automated abuse.
What we cannot promise:
- Zero-day protection. No system can promise that. We patch dependencies and follow upstream security advisories.
- Hardened against state-level adversaries. No consumer product can honestly promise that, and we will not pretend to. If your threat model includes nation-state attackers, you need specialist tooling beyond any web product.
What we don't do
None of these have been disabled — they were never built. Inside the product — the assessment, the customisation, the letter — there are no analytics, no behavioural trackers, no fingerprinting scripts, and no event pipelines. We don't know which answers you lingered on, what your letter says, or what your browser fingerprint is. That part is permanent: the content of your assessment and your letter is never measured, profiled, or experimented on.
The list below names specific things you might assume we'd have, because most products do. We don't.
- No trackers on assessment, customisation, or generation pages.
- No behavioural analytics on the content of your letter or your assessment responses.
- No third-party scripts on assessment-flow pages.
- No data sold, shared, or rented to third parties. Ever.
- No advertising integrations. There is no advertising business in this product.
- No nag emails. We do not email you to "come back and finish your assessment."
- No A/B testing on you. The experience of signed-in users is not silently swapped mid-flow.
On the public pages you are reading now, there is also nothing today — no analytics, no trackers. If we ever add measurement here to understand whether these pages do their job, it will be aggregate-only and profile-free — counts, not identities — and we will announce it on this page first.
Hosting and jurisdiction
- Application: Served from US-region serverless functions; static assets distributed via a global content delivery network.
- Database and authentication: Hosted in the EU.
- Letter assembly: Performed by a single large language model accessed through a routing service. For the few seconds the letter is being written, your unlocked answers are sent to the model so it has what it needs. The model is selected on terms that prohibit training on your submitted content. After the letter is returned, nothing from your assessment persists on the routing service or the model — it is a one-time pass.
The EU-region database choice is deliberate. A fuller data-protection statement (lawful basis, data subjects' rights, controller details) will be added when the formal compliance pass is performed.
The honest limit
Privacy guarantees are guarantees about the system as designed. They depend on:
- Our hosting and database providers living up to their security commitments (we audit their public posture; we do not run their data centres).
- Your own device and account security (an attacker with access to your email inbox can sign in as you).
- You keeping your passphrase and backup code safe. Because we do not have a copy of either, losing both means losing access to your assessment answers. The trade-off for "we cannot read your data" is that we also cannot recover it for you.
- The third-party software we build on. Like every web product, ours is assembled from established software components — we pin exact versions, watch for reported vulnerabilities, and update on a schedule.
We can promise the architecture. We cannot promise the world around it.
200 questions — years of clarity.