Privacy Policy

1. Introduction

Wren (“we,” “our,” or “us”) operates an AI-assisted writing platform that helps founders and executives create LinkedIn content (the “Service”). This Privacy Policy explains what information we collect, how we use and share it, the choices you have, and your rights under applicable privacy laws including the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other US state privacy statutes.

By accessing or using the Service you acknowledge that you have read this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account information. When you create an account we collect your email address and password (hashed and salted before storage). If you sign in with Google, we receive your name and email address from Google's authentication service.
• Waitlist signups. If you join our waitlist we collect your email address, and optionally your professional role and your response to our interest survey question.
• Writing content. Post drafts, ideas, outlines, writing samples, voice-profile documents, style guides, and other context documents you create or upload within Wren.
• Chat messages. Conversations you have with Wren's AI writing agents during a writing session are stored so you can resume sessions.
• Media files. Images or other media you attach to posts are stored in our cloud infrastructure.
• LinkedIn data. If you connect your LinkedIn account, we may collect your LinkedIn profile URL, public profile information, and post performance metrics (impressions, reactions, comments, and reshares). We also store periodic snapshots of your profile analytics (follower count, profile views) to help you track growth. You can provide your LinkedIn profile URL manually without connecting your account.
• Telegram integration. If you connect Telegram, we store your Telegram chat ID and messages you send to Wren via Telegram for the purpose of capturing ideas.
• Settings & preferences. Writing schedule, category distribution targets, notification preferences, RSS feed URLs, and content topic preferences.

2.2 Information Collected Automatically

• Usage data. Pages visited, features used, actions taken within the app, and timestamps of those actions.
• Device & browser data. IP address, browser type and version, operating system, and device identifiers.
• Cookies & similar technologies. See Section 8 below.
• API usage metrics. We log the AI model used, token counts, and the endpoint called for each request to monitor costs and enforce usage limits. These logs do not contain the content of your prompts or responses.

2.3 Information from Third-Party Sources

• RSS feeds. We aggregate publicly available articles from RSS feeds you configure. Article titles, URLs, summaries, and publication dates are stored to power content inspiration features. We do not collect personal data from these feeds.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide the Service. Generate AI-assisted drafts, outlines, critiques, and content suggestions; store and manage your ideas, drafts, and writing sessions.
• Personalize your experience. Build your voice profile, tailor content recommendations, and curate your idea bank.
• Communicate with you. Send product updates, waitlist invitations, writing cadence reminders (via email or Telegram), and respond to support requests.
• Improve the Service. Analyze aggregate usage patterns, diagnose technical issues, and inform product development.
• Ensure security. Detect and prevent fraud, abuse, and unauthorized access.
• Comply with legal obligations. Respond to lawful requests and enforce our Terms of Service.

3.1 Lawful Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following lawful bases under GDPR Article 6:

• Performance of a contract — to provide the Service and fulfill our obligations to you.
• Legitimate interests — to improve the Service, ensure security, and send non-marketing communications, where those interests are not overridden by your rights.
• Consent — where you have opted in to marketing communications or optional data processing (e.g., Telegram integration). You may withdraw consent at any time.
• Legal obligation — where we are required to process data by applicable law.

4. AI Processing & Third-Party Services

The Service relies on third-party providers to function. We share only the minimum data necessary with each provider.

4.1 AI Service Providers

To power text generation (drafts, outlines, critiques, idea scoring) and image generation features, we send your content to third-party AI model providers. The data sent may include your writing content, voice-profile context, chat messages, and image prompts. AI providers process this data as sub-processors on our behalf and may retain inputs and outputs for a limited period for trust and safety purposes.

We require that all AI providers we use do not use your data to train or improve their AI models. We enforce this through our commercial agreements and by selecting API tiers that contractually prohibit training on customer data. The specific AI models and providers we use may change over time as we improve the Service. Our current providers include Anthropic and OpenRouter. Each provider's own privacy policy governs their data handling practices.

4.2 Supabase

We use Supabase for user authentication (including Google OAuth) and as our primary database (PostgreSQL). Your account data, content, and application data are stored in Supabase's infrastructure. Data is encrypted at rest and in transit.

4.3 Railway

Our application is hosted on Railway's cloud infrastructure. Server logs may temporarily contain request metadata (IP addresses, timestamps, and endpoints) for operational purposes.

4.4 LinkedIn

If you connect your LinkedIn account, we access LinkedIn's API to retrieve your profile information and post engagement metrics. We use this data solely to provide analytics and content performance features within the Service. We do not post to LinkedIn on your behalf without your explicit action. Your LinkedIn data is subject to LinkedIn's Privacy Policy. Key commitments regarding your LinkedIn data:

• We do not use LinkedIn member data to train AI models or for any purpose other than providing the Service to you.
• We do not share your LinkedIn data with any third parties beyond what is necessary to operate the Service.
• If you disconnect your LinkedIn account or revoke access, we will delete your LinkedIn-sourced data (engagement metrics and profile snapshots) within a reasonable timeframe. Content you created using the Service (drafts, ideas) is yours and remains in your account.

4.5 Telegram Bot API

If you opt in to the Telegram integration, messages you send to our Telegram bot are relayed through Telegram's Bot API. Telegram's own privacy policy governs the processing of data on their platform. We store only the content necessary to save ideas from your messages.

4.6 Google OAuth

If you choose to sign in with Google, we use Google's OAuth 2.0 service. We receive your name and email address. We do not access your Google contacts, calendar, or other Google data.

5. Data Sharing & Disclosure

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We disclose data only in the following circumstances:

• Service providers. With the third-party providers listed in Section 4, strictly as necessary to operate the Service.
• Legal requirements. When required by law, legal process, or governmental request, or to protect the rights, safety, or property of Wren, our users, or the public.
• Business transfers. In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to a successor entity. We will notify you before your data becomes subject to a different privacy policy.
• With your consent. We may share data for other purposes when you have given us explicit consent to do so.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:

• Account data & content. Retained for as long as your account is active.
• Chat session history. Retained for the life of the associated writing session and account.
• API usage logs. Retained for a reasonable period for cost monitoring and then aggregated or deleted.
• Server logs. Retained for a limited period (typically no more than 90 days).
• Waitlist data. Retained until you are onboarded or request removal.

When you delete your account, we will delete or anonymize your personal data within a reasonable timeframe, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance). Backups containing your data may persist for a limited period before being overwritten.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption in transit (TLS/HTTPS for all connections) and at rest using industry-standard encryption.
• Password hashing using industry-standard algorithms.
• Access controls and the principle of least privilege for internal systems.
• Regular dependency updates and vulnerability monitoring.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities in accordance with applicable law (within 72 hours under GDPR).

8. Cookies & Tracking Technologies

We use essential cookies only — specifically for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be opted out of.

We do not use third-party tracking cookies, advertising cookies, or analytics pixels. We do not engage in cross-site tracking.

We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals. Because we do not engage in tracking or cross-context behavioral advertising, no changes in behavior are necessary when these signals are detected.

9. International Data Transfers

Our Service is operated from the United States. If you are located outside the United States, your data will be transferred to and processed in the United States and potentially other countries where our service providers operate.

For transfers from the EEA, UK, or Switzerland, we and our sub-processors rely on applicable lawful transfer mechanisms, which may include Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. You may contact us for more information about the safeguards in place for international transfers.

10. Your Privacy Rights

10.1 Rights for All Users

Regardless of where you are located, you may:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account and all associated data.
• Export your content (drafts, ideas, context documents) upon request.
• Withdraw consent for optional processing at any time (e.g., Telegram integration, marketing emails).

10.2 Additional Rights — EEA, UK & Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland you also have the right to:

• Restrict processing of your personal data in certain circumstances.
• Data portability — receive your personal data in a structured, commonly used, machine-readable format.
• Object to processing based on legitimate interests, including profiling.
• Lodge a complaint with your local data protection supervisory authority.

10.3 Additional Rights — California (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the CCPA/CPRA:

• Right to know — request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete — request deletion of your personal information, subject to certain exceptions.
• Right to correct — request correction of inaccurate personal information.
• Right to opt out of sale/sharing — we do not sell or share your personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information — we only use sensitive personal information (account credentials) as necessary to provide the Service.
• Right to non-discrimination — we will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise any of these rights, contact us at privacy@writewithwren.com. We will respond to verifiable requests in accordance with applicable law — generally within 30 days for GDPR requests and 45 days for CCPA/CPRA requests, with extensions permitted where reasonably necessary. We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive.

10.4 Additional US State Privacy Rights

Residents of other US states with comprehensive privacy laws may have similar rights, including the right to access, correct, delete, and port personal data, and to opt out of targeted advertising and profiling. To exercise these rights, contact us using the information in Section 14.

11. AI-Specific Disclosures

Wren uses artificial intelligence to generate content suggestions, drafts, outlines, critiques, and idea recommendations. Key facts about our AI processing:

• AI-generated outputs are produced by third-party AI models. Your content is processed by these models in real time and is not used for AI model training (see Section 4.1).
• We do not make any fully automated decisions with legal or similarly significant effects on you. All AI outputs are presented as suggestions for your review and approval.
• We use AI to score and prioritize ideas and content (relevance scoring, critic scoring). These scores are advisory and you retain full control over your content.
• We are committed to complying with applicable AI transparency requirements, including the EU AI Act, as they come into effect.

12. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Provide reasonable advance notice via email or an in-app notification before the changes take effect.
• Where required by law, obtain your consent before applying material changes.

We encourage you to review this page periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

14. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:

• Email: privacy@writewithwren.com
• Mailing address: Wren, Durham, NC, United States

If you are located in the EEA and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.