Privacy Policy
Effective date: May 10, 2026 · Last updated: May 10, 2026
1. Introduction
This Privacy Policy describes how Rewright ("we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the Rewright website located at https://rewright.app ("the Service"). We are committed to protecting your privacy and handling your data transparently and responsibly.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
The Service is operated from the State of Utah, United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
2. Information We Collect
2.1 Information You Provide Directly
Account Registration Data: When you create an account, we collect your username, email address, and password. Your password is never stored in plain text. It is cryptographically hashed using Django's PBKDF2 algorithm with a SHA-256 hash and a unique salt before storage. We cannot retrieve or view your original password.
Google Sign-In Data: If you choose to authenticate using Google Sign-In, we receive your name and email address from Google's OAuth 2.0 service. We do not receive or store your Google password, and we do not access any other Google account data (such as contacts, calendar, or files).
Profile Information: You may optionally provide your first name and last name on your profile page. This information is voluntary and can be updated or removed at any time.
Text Submitted for Processing: When you use the Service to rewrite text, you submit text content to our servers. This text is processed in real time and is not permanently stored in our database. In Deep Rewrite mode, your text is transmitted to third-party AI providers (see Section 5) for processing. Once processing is complete, the text exists only in your browser session. We do not retain, archive, or use your submitted text or the rewritten output for any purpose beyond providing the Service to you in that session.
Voice Calibration Samples: If you use the voice calibration feature, you may provide a sample of your own writing. This sample is transmitted to the third-party AI provider along with your text for processing and is not permanently stored on our servers.
Feedback Submissions: If you submit feedback, bug reports, or feature requests through the Service, we collect the category you select, the message content (up to 2,000 characters), and the timestamp of submission. If you are logged in, your feedback is associated with your user account.
2.2 Information Collected Automatically
Rewrite Metadata (Usage Logs): Each time you perform a rewrite, we log the following metadata: processing mode used (Quick Fix or Deep Rewrite), tone selected, detected input language, input word count, output word count, input character count, and timestamp. For registered users, this metadata is associated with your user account for your personal analytics dashboard. For guest users, we also log the IP address for usage tracking (see Section 2.3). We do not log the actual text content of your submissions or the rewritten output.
IP Addresses: We collect IP addresses for the following purposes: (a) rate limiting to prevent abuse of the Service, which applies to all users and is processed in server memory without permanent storage in the database; (b) guest usage tracking to enforce daily rewrite limits for non-registered users, which is stored in the database alongside the rewrite log entry; and (c) security logging to detect and respond to suspicious activity, which is recorded in server log files. For registered users performing rewrites, IP addresses are not stored in the rewrite log database. Standard web server logs that include IP addresses are subject to automatic rotation and are not retained indefinitely.
Browser Timezone: We detect your browser's timezone (e.g., "America/Denver") using JavaScript and store it in a cookie. This is used to display dates and times in your local timezone throughout the Service. For registered users, your timezone preference is also saved in your account preferences so it persists across sessions.
Session Data: We use Django's server-side session framework to manage your login state and certain temporary data. Session data is stored on our server and is identified by a session cookie in your browser. Session cookies are HTTP-only (not accessible to JavaScript) and are configured with secure flags in production.
Browser Session Storage: The Service uses your browser's sessionStorage (not cookies) to maintain a temporary history of your recent rewrites (up to the 5 most recent) for your convenience. This data is stored entirely in your browser, is not sent to our servers, and is automatically cleared when you close your browser tab.
2.3 Guest User Data
If you use the Service without creating an account (as a "guest"), we collect the following data: your IP address (to enforce daily usage limits and for rate limiting) and rewrite metadata (mode, word counts, language, timestamp). We do not collect your name, email, or any other personally identifying information from guest users. Guest usage data is associated only with your IP address.
3. How We Use Your Information
We use the information we collect for the following purposes:
Providing the Service: Processing your text submissions, delivering rewritten output, and providing features such as analytics, settings, and session history.
Account Management: Creating and maintaining your account, authenticating your identity, verifying your email address, and processing password resets.
Communication: Sending transactional emails including email verification codes, password reset codes, and email change confirmation codes. We do not send marketing or promotional emails.
Analytics and Improvement: Displaying your personal usage statistics on your analytics dashboard and aggregating anonymized usage data to understand how the Service is used and to identify areas for improvement.
Security and Abuse Prevention: Enforcing rate limits, detecting and preventing abuse, filtering inappropriate content, monitoring for suspicious activity, and protecting the integrity of the Service.
Legal Compliance: Complying with applicable laws, regulations, and legal processes.
4. What We Do NOT Collect or Do
To be clear about our practices, we want to explicitly state the following:
(a) We do not sell, rent, lease, or trade your personal information to any third party for any purpose.
(b) We do not share your personal information with advertisers or advertising networks.
(c) We do not permanently store the text you submit for rewriting or the rewritten output in our database.
(d) We do not use your submitted text, rewritten output, or writing samples to train, fine-tune, or improve any AI or machine learning models operated by us.
(e) We do not access, read, or review the content of your text submissions except as necessary to provide the Service (i.e., transmitting it to the processing engine).
(f) We do not use third-party advertising cookies or tracking pixels.
(g) We do not build behavioral profiles of users for advertising or cross-service tracking purposes.
5. Third-Party Services and Data Sharing
The Service integrates with certain third-party services that may receive or process your data. We share only the minimum data necessary for each service to perform its function.
5.1 AI Processing Providers
OpenAI: When you use Deep Rewrite mode, your submitted text (and voice calibration sample, if provided) is sent to OpenAI's API for processing. We do not include any personal identifying information (such as your username, email, or IP address) in API requests to OpenAI. OpenAI processes this data in accordance with their own privacy policy and API data usage policies. As of the effective date of this Privacy Policy, OpenAI's API terms state that data submitted through the API is not used to train their models. However, we encourage you to review OpenAI's current policies at https://openai.com/policies for the most up-to-date information.
Anthropic: We may use Anthropic's Claude models as an alternative or additional AI provider for Deep Rewrite processing in the future. If and when we activate Anthropic as a provider, your submitted text will be sent to Anthropic's API for processing under the same conditions described above for OpenAI. We will update this Privacy Policy and notify registered users before activating Anthropic as a provider. Anthropic's privacy policy can be reviewed at https://www.anthropic.com/policies.
5.2 Authentication
Google OAuth 2.0: If you sign in using Google, the authentication process is handled by Google. We receive only your name and email address from Google upon successful authentication. We do not receive your Google password or access any other Google services on your behalf. Google's privacy policy governs their handling of the authentication process.
5.3 Email Delivery
Resend: We use Resend to deliver transactional emails (verification codes, password reset codes). Resend receives the recipient email address, subject line, and email content (which includes the OTP code) necessary to deliver the email. Resend's privacy policy governs their handling of this data.
5.4 Analytics
Google Analytics: We use Google Analytics to collect anonymized data about website traffic, including pages visited, time spent on pages, device type, browser type, approximate geographic location (country/region level), and referral sources. Google Analytics uses cookies to collect this information. Google Analytics does not collect your name, email, or the content of your text submissions. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on or by using a browser extension that blocks tracking scripts. Google's privacy policy governs their handling of analytics data.
5.5 Hosting and Infrastructure
Railway: The Service is hosted on Railway's cloud infrastructure. Our application code, database (PostgreSQL), and server logs reside on Railway's servers. Railway's terms of service and privacy policy govern their handling of the infrastructure. Railway's servers are located in the United States.
5.6 Domain Registration
Namecheap: Our domain (rewright.app) is registered through Namecheap. Namecheap does not have access to any user data from the Service.
6. Data Storage and Security
6.1 Where Your Data Is Stored
Your account data, preferences, rewrite metadata, and feedback are stored in a PostgreSQL database hosted on Railway's infrastructure in the United States. Server logs are stored on the same infrastructure and are subject to automatic rotation.
6.2 Security Measures
We implement multiple layers of security to protect your data and the integrity of the Service:
(a) Password Security: All passwords are hashed using Django's PBKDF2 algorithm with SHA-256 and a unique random salt. Passwords are never stored or logged in plain text.
(b) Transport Security: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. The .app top-level domain enforces HTTPS by default.
(c) CSRF Protection: All form submissions and API requests are protected against Cross-Site Request Forgery (CSRF) attacks using Django's CSRF middleware with SameSite cookie policy.
(d) Input Sanitization: All user-submitted text undergoes comprehensive sanitization including Unicode normalization, removal of invisible characters, HTML tag stripping, dangerous URI removal, and control character filtering before processing.
(e) Rate Limiting: The Service implements four-tier rate limiting (burst, per-minute, hourly, and daily) to prevent abuse and denial-of-service attacks.
(f) Content Filtering: Automated profanity and inappropriate content filtering is applied to all text submissions.
(g) Security Headers: The Service implements security headers including X-Frame-Options (DENY), X-Content-Type-Options (nosniff), and HTTP Strict Transport Security (HSTS) in production.
(h) Session Security: Session cookies are configured with HttpOnly, Secure, and SameSite attributes in production to prevent session hijacking.
(i) Access Controls: Administrative access to user data is limited to authorized administrators and requires separate authentication.
While we implement these security measures, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data.
7. Data Retention
Account Data: Your account information (username, email, name, password hash) is retained for as long as your account remains active. When you delete your account, this data is permanently removed from our database.
Rewrite Metadata: Usage logs (mode, tone, word counts, language, timestamps) are retained for as long as your account is active to provide your analytics dashboard. These logs do not contain your actual text content. Upon account deletion, logs associated with your account are retained in anonymized form (user association is removed) for aggregate analytics.
Guest Usage Data: IP-based guest usage records are retained in the database as part of rewrite logs. These records contain only the IP address, processing metadata, and timestamp.
Email Verification Records: OTP codes and verification status records are retained for as long as the associated account exists. Expired OTP codes are overwritten when new codes are generated.
Feedback: Feedback submissions are retained indefinitely for product improvement purposes, even after account deletion, but will be disassociated from your account upon deletion.
Server Logs: Application, API, and security log files are subject to automatic rotation. Each log file has a maximum size of 5 MB and retains up to 3 backup files, for a maximum of approximately 45 MB of log data at any time.
Submitted Text: The text you submit for rewriting and the rewritten output are not stored in our database. They exist only in server memory during processing and in your browser session until the tab is closed.
8. Your Rights and Choices
You have the following rights regarding your personal data:
Access: You can view your personal data (username, email, name, join date, login history) on your profile page and your usage statistics on your analytics dashboard at any time.
Correction: You can update your name on your profile page and change your email address through the two-step verification process on your profile page.
Deletion: You can delete your account at any time from your profile page. Account deletion permanently removes your personal identifying information from our database. To delete your account, you must type "delete" as a confirmation step to prevent accidental deletion.
Data Portability: You can download your rewritten text in .txt, .docx, or .pdf format after each rewrite session.
Opt-out of Analytics: You can opt out of Google Analytics tracking by using a browser extension that blocks tracking scripts, such as the Google Analytics Opt-out Browser Add-on, uBlock Origin, or similar tools.
Cookie Management: You can manage cookies through your browser settings. Note that disabling session cookies will prevent you from logging into the Service.
If you wish to exercise any data rights not covered above, please contact us at support@rewright.app. We will respond to your request within 30 days.
9. Cookies and Tracking Technologies
The Service uses the following cookies and browser storage mechanisms:
Session Cookie (csrftoken): A security cookie used for CSRF protection. This cookie is essential for the security of form submissions and API requests. It does not track you across websites.
Session Cookie (sessionid): Identifies your login session on our server. This cookie is essential for maintaining your logged-in state. It is HTTP-only (not accessible to JavaScript) and is configured with secure flags in production.
Timezone Cookie (user_timezone): Stores your browser's timezone name (e.g., "America/Denver") so we can display dates and times in your local timezone. This cookie persists for one year and is updated on each visit.
Google Analytics Cookies (_ga, _gid): Used by Google Analytics to distinguish unique visitors and track session activity. These cookies are set by Google's analytics script. You can opt out as described in Section 8.
Browser sessionStorage: Used to store your recent rewrite history (up to 5 entries) in your browser. This is not a cookie. It is not sent to our servers. It is automatically cleared when you close the browser tab.
We do not use any third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.
10. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect, solicit, or maintain personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us at support@rewright.app. Upon verification, we will promptly delete such information from our systems.
Users between the ages of 13 and 18 may use the Service with the consent and supervision of a parent or legal guardian.
11. International Users
The Service is operated from and hosted in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We process data in accordance with this Privacy Policy regardless of where users are located.
If you are located in the European Economic Area (EEA), United Kingdom (UK), or other jurisdictions with data protection laws, you may have additional rights under those laws, including the right to lodge a complaint with your local data protection authority. Please contact us at support@rewright.app to exercise any such rights.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The most current version will always be available at https://rewright.app/privacy/. The "Last updated" date at the top of this Privacy Policy indicates when the most recent changes were made.
If we make material changes to this Privacy Policy, we will notify registered users via email at least 14 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: support@rewright.app
You may also submit privacy-related inquiries through the feedback feature available within the Service.
We will acknowledge your inquiry within 7 days and aim to provide a substantive response within 30 days.