Privacy Policy
Last updated: April 30, 2026
ReadsYou ("we", "us") operates readsyou.com. This policy explains what we collect, why, how we protect it, and your rights.
What we collect
- Email address. To deliver your report and provide support.
- Conversation transcripts. Your responses during the assessment.
- Generated reports. The shareable, free, and paid reports produced from your assessment.
- Phase label and scores. The psychometric output of your assessment.
- Approximate location. Country only, derived from your IP address, used to display prices in your local currency.
- Payment data. Processed by Stripe. We receive transaction metadata (country, currency, amount); we do not store card numbers or full payment details.
We do not collect IP addresses, device identifiers, or browser fingerprints beyond the session.
Lawful basis
- Contract performance (GDPR Article 6(1)(b), LGPD Article 7(V)) to deliver the report you requested.
- Legitimate interest (GDPR Article 6(1)(f)) to operate and improve the service, prevent fraud, and respond to support requests.
Why we retain data
- Conversation transcripts and reports: retained to deliver your report, regenerate it if email delivery fails, and provide customer support.
- Email address: retained for delivery and support.
- Phase label and scores: retained as part of your record.
- Payment metadata: retained by Stripe per their terms (typically 7 years for tax compliance).
We do not sell your data. We do not use it for advertising. We do not share it with third parties except the sub-processors listed below, who process it only to operate our service.
How we protect it
- Encryption at rest. Email addresses and conversation transcripts are encrypted using AES-256-GCM. Encryption keys are stored separately from the database.
- Encryption in transit. All connections use TLS 1.2 or higher.
- Access control. Only authorized personnel with operational need can access decrypted data, and only via auditable tooling.
- Pseudonymization. Where possible, internal logs and analytics reference assessment IDs, not personal identifiers.
Sub-processors
We use the following sub-processors. Each has signed a Data Processing Agreement under GDPR/LGPD:
- Supabase — database and authentication
- Vercel — hosting and edge delivery
- Stripe — payment processing
- Resend — transactional email
- Anthropic — Claude AI for report generation
- OpenAI — GPT for report generation
- Google — Gemini for auxiliary AI tasks
- Namecheap — email mailbox hosting
Conversation content is processed by Anthropic, OpenAI, and Google under their enterprise data terms, which prohibit them from using your content to train their models.
Your rights
Under GDPR (EU), LGPD (Brazil), and PIPEDA (Canada), you have the right to:
- Access. Request a copy of your data.
- Correction. Request correction of inaccurate data.
- Deletion. Request deletion of your data ("right to erasure").
- Portability. Receive your data in a machine-readable format.
- Objection. Object to processing based on legitimate interest.
- Withdraw consent. Where processing is based on consent, you may withdraw it at any time.
To exercise any right, email contact@readsyou.com. We respond within 30 days.
Data breaches
If we discover a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours, in accordance with GDPR Articles 33 and 34, LGPD Article 48, and applicable PIPEDA requirements.
Children
ReadsYou is intended for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has used the service, email contact@readsyou.com and we will delete the data.
International transfers
Your data may be processed in jurisdictions other than your own (United States, European Union, Brazil, Canada) by us and our sub-processors. Transfers rely on Standard Contractual Clauses where applicable.
Changes to this policy
We will post material changes here and notify users by email when required by law. Continued use after a change constitutes acceptance.
Contact
ReadsYou · contact@readsyou.com
For data protection inquiries, use the same address with subject line "Data Protection Request".