Privacy Policy

Last updated: 9 November 2025

🔒 Essy Privacy Overview

Your privacy matters. Here's what you need to know:

  • We only collect data to run your account. Email, name, essays, and usage information—nothing more.
  • Your essays are never shared or used for AI training. Your content is private and belongs to you.
  • You can delete your account anytime. Full data deletion via Avatar → Security → Delete Account.
  • We comply with GDPR. Your data is protected under UK and EU data protection laws.
  • We use trusted providers: Clerk (auth), Stripe (payments), Supabase (storage), Anthropic (AI), Resend (email).
  • We never sell your data. No marketing, no data brokers, no third-party advertising.

Read the full policy below for complete details on how we handle your personal information.

1. Introduction

Welcome to Essy ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our essay planning application.

Legal Entity and Data Controller: Essy is operated by David Hailes, based in the United Kingdom. For the purposes of UK and EU data protection law, David Hailes (trading as Essy) is the data controller responsible for your personal data.

Contact Information:
Email: privacy@essy.app
For data protection queries, rights requests, or privacy concerns, please contact us at the email above.

By using Essy, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide to us when you:

  • Register for an account (email address, name)
  • Subscribe to our Pro plan (payment information via Stripe)
  • Contact us for support

2.2 Essay Content

We store the content you create in Essy, including:

  • Essay titles and requirements
  • Essay structures and section content
  • Notes and planning information

Important: Your essay content is private and belongs to you. We do not share, sell, or use your essay content for any purpose other than providing our service to you.

2.3 AI Usage Data

When you use AI-powered features (Pro plan only), we process:

  • Assignment requirements (for analysis and personalisation)
  • Essay titles and types (for generating suggestions)
  • Usage statistics (to enforce daily limits and monitor costs)

AI processing is performed by Anthropic (Claude AI). We send only the necessary context to generate helpful guidance. Your full essay content is never sent to AI services.

2.4 Automatically Collected Information

We automatically collect certain information when you use Essy:

  • Log data (IP address, browser type, pages visited) - automatically deleted or anonymized after 90 days, except where required for security investigations
  • Device information (operating system, device type)
  • Usage patterns (features used, time spent)

2.5 Data Collection Summary

For transparency, here's a quick overview of what data we collect and how we handle it:

Data Type | Purpose | Shared With | Retention
Email, Name | Account setup & authentication | Clerk (auth), Resend (emails) | Until account deleted
Essay content | Provide planning service | Supabase (storage only) | Until account deleted
Payment data | Billing & subscriptions | Stripe (PCI DSS compliant) | 7 years (legal requirement)
AI context (Pro) | Generate AI guidance | Anthropic (Claude AI) | Not stored by Essy or Anthropic
Usage logs | Security & troubleshooting | None | 90 days
Support emails | Customer support & quality | None | 12 months

2.6 Data Processors and Subprocessors

We work with trusted third-party service providers who process personal data on our behalf as data processors (also called "subprocessors" under GDPR). Each provider processes data strictly under our instructions and in accordance with this Privacy Policy and data protection law.

Our current data processors include:

  • Clerk: User authentication and account management
  • Stripe: Payment processing and subscription management
  • Supabase: Database storage for essays and user data
  • Anthropic: AI-powered feature processing (Pro plan only)
  • Resend: Transactional email delivery (welcome emails, notifications)
  • Upstash: Rate limiting and performance optimization

We maintain a current list of subprocessors and will notify users of any changes to this list. You can request an up-to-date list at any time by contacting privacy@essy.app.

3. How We Use Your Information

3.1 Purposes

We use your information to:

  • Provide, operate, and maintain our service
  • Process your subscription and payments
  • Generate AI-powered guidance and suggestions (Pro plan)
  • Improve and personalise your experience
  • Send you important updates about your account or service
  • Respond to your support requests
  • Monitor usage to prevent abuse and enforce limits
  • Comply with legal obligations

3.2 Legal Basis for Processing (GDPR)

Under UK and EU data protection law, we process your personal data under the following legal bases:

  • Contractual necessity: To perform our contract with you (e.g., providing account access, essay storage, AI services, processing subscriptions)
  • Legal obligation: To comply with legal requirements (e.g., financial record-keeping for HMRC, fraud prevention, responding to lawful requests)
  • Legitimate interests: For our legitimate interests in operating and improving the Service, preventing abuse, and maintaining security (balanced against your rights and interests)
  • Consent: Where applicable, with your explicit consent (e.g., optional marketing communications, cookies for non-essential purposes)

AI Processing Clarification: Processing for AI-powered features (available on Pro plan) is necessary for the performance of our contract with you when you choose to use these tools. This is not based on consent, but on contractual necessity. You can control this processing by choosing whether or not to use AI features—AI processing only occurs when you actively request it (e.g., clicking "Analyse with AI" or "Generate AI Questions").

3.3 Lawful Basis Summary

For transparency and audit purposes, here's a quick reference table showing how we process your data:

Processing Purpose | Legal Basis | Example
Account creation & access | Contractual necessity | Providing access to your account
Essay storage & management | Contractual necessity | Storing and retrieving your essay content
Payment processing | Contractual necessity & legal obligation | Processing Pro subscription payments
AI feature use (Pro) | Contractual necessity | Generating AI suggestions when you click "Analyse with AI"
Security & fraud prevention | Legitimate interests | Protecting against unauthorized access and abuse
Financial record-keeping | Legal obligation | Retaining transaction records for 7 years (HMRC requirement)
Optional analytics/cookies | Consent | Non-essential cookies for performance tracking

You have the right to object to processing based on legitimate interests. Contact us at privacy@essy.app to exercise this right.

4. Data Storage and Security

4.1 Where We Store Your Data

Your data is stored securely using:

  • Supabase: Essay content and user data (encrypted at rest)
  • Clerk: Authentication and user management (SOC 2 Type II compliant)
  • Stripe: Payment information (PCI DSS compliant)

4.2 Security Measures

We implement industry-standard security measures:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for stored data
  • Row-level security policies in our database
  • Regular security audits and updates
  • Rate limiting to prevent abuse

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

4.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we are committed to transparency and compliance with UK GDPR requirements:

  • We will notify the relevant supervisory authority (Information Commissioner's Office) within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms
  • We will notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
  • Notifications will include the nature of the breach, likely consequences, and measures we are taking to address it
  • We maintain incident response procedures and conduct regular security reviews to minimize breach risks

If you suspect unauthorized access to your account or have security concerns, please contact us immediately at privacy@essy.app.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We share limited data with trusted third parties who help us provide our service:

  • Clerk: User authentication and management
  • Stripe: Payment processing
  • Anthropic: AI-powered features (essay requirements and titles only, not full content)
  • Supabase: Database and storage for essays and user data
  • Resend: Transactional email delivery (account verification, welcome emails, notification emails). Only your email address and necessary message metadata are shared.
  • Upstash: Rate limiting and performance optimization

These providers are contractually obligated to protect your data and use it only for the purposes we specify. They act as data processors on our behalf under GDPR.

5.2 We Do NOT

  • Sell your personal information to third parties
  • Share your essay content with anyone (except as required by law)
  • Use your essays to train AI models
  • Share your data for marketing purposes

5.3 Legal Requirements

We may disclose your information if required by law, court order, or to protect our rights, property, or safety, or that of others.

5.4 Third-Party Links

The Service or our transactional emails may contain links to third-party websites or services (such as Stripe checkout pages, support documentation, or educational resources). We are not responsible for the privacy practices or content of those external sites. These third parties have their own privacy policies, and we recommend reviewing their policies before providing any personal information. Links to third-party sites do not imply endorsement or responsibility for their content or practices.

6. Your Data Rights

Under UK and EU data protection law (UK GDPR / EU GDPR), you have the following rights:

  • Right of access: Request a copy of your personal data we hold
  • Right to rectification: Update or correct inaccurate or incomplete information
  • Right to erasure ("right to be forgotten"): Request deletion of your account and personal data (see Account Deletion Process below)
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances
  • Right to data portability: Receive your data in a structured, machine-readable format or request transfer to another service
  • Right to object: Object to certain processing activities, particularly those based on legitimate interests
  • Right to withdraw consent: If you have provided consent for optional processing (such as non-essential cookies or marketing communications), you may withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal
  • Rights related to automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects

How to Exercise Your Rights: Contact us at privacy@essy.app to exercise any of these rights. We will respond within 30 days (or as required by applicable law).

Right to Lodge a Complaint: If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local data protection authority if you are in the EU.

6.1 Account Deletion Process

You can permanently delete your account at any time. To delete your account:

  1. Click on your account avatar (top right of the screen)
  2. Select "Security" from the dropdown menu
  3. Scroll to the "Delete Account" section
  4. Click "Delete My Account" and confirm your decision

What gets deleted:

  • Your user profile (name, email, username) - deleted immediately
  • All your essay content and notes - permanently deleted within 30 days
  • Your AI usage history - deleted immediately
  • Your authentication credentials - deleted immediately
  • Active Pro subscription - automatically cancelled (no refunds for unused time)

What is preserved (anonymous data only):

  • Payment records: Anonymised transaction records are retained for 7 years for legal and accounting compliance (HMRC requirements, fraud prevention). These records contain transaction amounts and dates but cannot be linked back to your identity.
  • Analytics data: Anonymous cost tracking data (AI token usage, feature usage statistics) is preserved for service optimization and cost management. This data is fully anonymized and cannot identify you.

Important notes:

  • Account deletion is permanent and cannot be undone
  • We recommend exporting your essays before deletion if you want to keep them
  • If you only want to stop your Pro subscription, use "Manage Subscription" instead to keep your account and essays
  • We will send a confirmation email to your registered email address when deletion is complete

To exercise other data rights, please contact us at the email address below. We will respond within 30 days.

7. Data Retention

7.1 While Your Account is Active

We retain your information for as long as necessary to provide our service:

  • Essay content: Retained indefinitely while your account is active
  • Account information: Retained while your account is active
  • Usage logs: Retained for 90 days for security and troubleshooting
  • Payment records: Retained for 7 years (HMRC legal requirement)
  • AI usage history: Retained for current billing period plus 90 days
  • Support correspondence: Emails to support@essy.app or privacy@essy.app are retained for up to 12 months for quality assurance and record-keeping, unless earlier deletion is requested

Inactive Accounts: If your account remains inactive (no login or use) for 24 months, we may contact you to confirm whether you wish to keep your account. If we receive no response within 30 days, we reserve the right to delete inactive accounts and their associated data.

7.2 After Account Deletion

When you delete your account (Avatar → Security → Delete Account), we follow this deletion schedule:

  • Immediate deletion: User profile, email address, authentication credentials, AI usage history
  • Within 30 days: All essay content, notes, and planning data
  • Retained anonymously: Payment transaction records (7 years for legal compliance) and anonymous analytics data (indefinitely for cost optimization) - this data cannot be linked back to you

If you only cancel your Pro subscription (Avatar → Manage Subscription → Cancel), your account and all essays remain intact. You simply revert to the Free plan.

7.3 Legal Compliance

We are required by UK law to retain certain financial records for accounting and tax purposes. After account deletion, these records are fully anonymized and stored separately from any identifiable information. This ensures compliance with GDPR right to deletion while meeting our legal obligations.

8. Cookies and Tracking

We use cookies and similar technologies to:

  • Essential cookies: Keep you signed in and maintain session security (required for service operation)
  • Functional cookies: Remember your preferences and settings
  • Analytics: Understand how you use our service and identify areas for improvement
  • Performance: Optimize loading times and improve user experience

Cookie Consent: Essential cookies are strictly necessary for the Service to function and do not require consent. Non-essential cookies (such as analytics and performance cookies) are used only with your consent. If you decline non-essential cookies, essential cookies will still function to operate your account securely.

Third-party services we use (such as Clerk for authentication and Stripe for payments) may also set their own cookies. These are covered by their respective privacy policies.

You can control or disable cookies through your browser settings. However, disabling essential cookies will prevent you from using Essy. For more information about managing cookies, visit your browser's help documentation.

9. Children's Privacy

Essy is intended for students aged 16 and older. Users under 16 must have parental or guardian consent to use the Service. We do not knowingly collect personal information from children under 16 without appropriate parental consent.

If you believe we have collected information from a child under 16 without proper consent, please contact us immediately at support@essy.app and we will take steps to delete such information promptly. Parents or guardians may request access to, correction of, or deletion of their child's personal information by contacting us.

10. International Data Transfers

Some of our service providers may process or store data outside the UK or EU (for example, Anthropic's AI services operate in the United States). When your personal data is transferred internationally, we ensure appropriate safeguards are in place to protect your information.

These safeguards include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the UK or EU regarding data protection standards in the recipient country
  • Contractual obligations on third-party providers to maintain appropriate security and privacy standards

We only transfer data internationally where necessary to provide our Service and ensure your data is protected in accordance with this Privacy Policy and applicable data protection laws (UK GDPR, EU GDPR).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our service. Your continued use of Essy after changes constitutes acceptance of the updated policy.

12. Jurisdiction and Complaints

This Privacy Policy and our data processing practices are governed by the laws of England and Wales. We comply with UK GDPR and, where applicable, EU GDPR requirements.

Your Right to Complain: If you have concerns about how we handle your personal data, we encourage you to contact us first at privacy@essy.app so we can work to resolve the issue.

However, you have the right to lodge a complaint directly with the relevant supervisory authority:

  • UK users: Information Commissioner's Office (ICO) - ico.org.uk
  • EU users: Your local data protection authority (find yours at edpb.europa.eu)

These authorities will investigate your complaint and work with us to resolve any issues with our data processing practices.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: privacy@essy.app

14. Version History

For transparency, we maintain a log of significant updates to this Privacy Policy:

  • 2 November 2025: Major update for GDPR compliance and transparency. Added comprehensive data processing tables, legal basis clarification, subprocessor disclosure, data breach notification commitment, and enhanced user rights information.

Future updates will be logged here for transparency. Significant changes will be communicated via email.

Summary: We respect your privacy. Your essays are yours—we don't sell your data, share your content, or use your work to train AI models. We only use your information to provide and improve our service to you.