Privacy Policy — Wrendle

1. Who we are

Isaflo Ltd (trading as Wrendle) is the data controller for the personal data you provide when using Wrendle. We are registered in England and Wales.

Contact: support@wrendle.com

This policy applies to all services provided at wrendle.com and app.wrendle.com.

2. What data we collect

Account data

Email address (required to create an account)
Name and profile picture (if you sign in with Google, from your Google account)
ADHD self-identification style (collected during onboarding — optional and stored only as a label such as "inattentive")
Subscription plan and billing status

Content you create

Task titles and notes you enter
Category names and settings
Energy level check-ins (low/medium/high — not linked to any medical record)
Focus session durations and completion data
Daily sort session records

Technical data

IP address (used by Supabase for security and rate limiting; not stored long-term by us)
Browser type and device type (from access logs — not stored persistently)
Error reports (via Sentry, with PII stripped before transmission)
Push notification subscription token (if you enable push notifications)

AI usage data

When you use AI features (task breakdown, daily brief, classification), we log the number of tokens used per action for rate limiting purposes. We send task titles and notes to the Anthropic API — this data is covered in section 5.

Analytics

We use Plausible Analytics, a privacy-first analytics service that collects no personal data, uses no cookies, and is GDPR-compliant by design. We track aggregate usage events (e.g. "task created", "upgrade clicked") with no user-level identification.

3. How we use your data

Purpose	Data used	Legal basis (UK GDPR)
Providing the service	Account data, tasks, energy logs	Contract
Processing payments	Email, billing status	Contract
Sending transactional emails	Email address	Contract
AI features (breakdown, brief)	Task titles, notes (to Anthropic)	Contract + Legitimate interest
Error monitoring	Error reports (anonymised)	Legitimate interest
Improving the service	Aggregate analytics only	Legitimate interest
Legal compliance	As required by law	Legal obligation
Fraud prevention	Account + payment data	Legitimate interest

We do not sell your personal data. We do not use your data to train AI models (Anthropic operates under a zero-data-retention policy for API usage).

4. Cookies and tracking

Wrendle uses authentication cookies to keep you logged in. These are strictly necessary for the service to function and do not require consent under UK law.

We use Plausible Analytics which is cookieless and collects no personal data. No advertising or third-party tracking cookies are used.

We do not use Google Analytics, Facebook Pixel, or any other behavioural tracking technology.

5. Third-party services (sub-processors)

We share data with the following trusted services, each bound by appropriate data processing agreements:

Supabase (Supabase Inc.)

Purpose: Database, authentication, and file storage

Data shared: All account and content data

Location: EU (Ireland)

Stripe (Stripe Inc.)

Purpose: Payment processing and subscription management

Data shared: Email, payment method, billing history

Location: EU/US (Standard Contractual Clauses)

Anthropic (Anthropic PBC)

Purpose: AI task breakdown, daily brief, and classification features

Data shared: Task titles and notes (when AI features are used) — zero-data-retention policy; not used for training

Location: US (Standard Contractual Clauses)

Resend (Resend Inc.)

Purpose: Transactional email delivery

Data shared: Email address, email content

Location: US (Standard Contractual Clauses)

Sentry (Functional Software Inc.)

Purpose: Error monitoring and crash reporting

Data shared: Anonymised error reports — PII is stripped before transmission

Location: US (Standard Contractual Clauses)

Plausible Analytics (Plausible Insights OÜ)

Purpose: Privacy-first website analytics

Data shared: No personal data — aggregate page views and events only, no cookies

Location: EU (Germany)

Vercel (Vercel Inc.)

Purpose: Website hosting and edge computing

Data shared: All traffic passes through Vercel infrastructure

Location: EU/US (Standard Contractual Clauses)

6. Data retention

Active accounts: data is retained for as long as your account is active.
Cancelled accounts: data is retained for 90 days after account closure, then permanently deleted.
On request: you can request immediate deletion of your account and all associated data at any time (see section 7).
Billing records: we are required by UK law to retain certain financial records for 7 years regardless of account status.
AI usage logs: rate-limiting records (action type and token count, no content) are retained for 30 days.
Error logs: retained by Sentry for 90 days.

7. Your rights (UK GDPR)

Under UK data protection law, you have the following rights:

Right of access: you can request a copy of all personal data we hold about you.
Right to rectification: you can correct inaccurate data (most data is editable directly in settings).
Right to erasure: you can request deletion of your account and all associated data.
Right to restriction: you can ask us to pause processing your data in certain circumstances.
Right to data portability: you can request your data in a machine-readable format.
Right to object: you can object to processing based on legitimate interests.
Right to withdraw consent: where processing is based on consent, you can withdraw at any time.

To exercise any of these rights, email support@wrendle.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

8. Data security

We take the security of your data seriously. Our technical measures include:

All data encrypted in transit using TLS 1.2+
Database encryption at rest (via Supabase)
Row-level security policies ensuring users can only access their own data
Server-side environment variable isolation (API keys never exposed to the client)
Stripe for payment handling — we never store card numbers
Stripe webhook signature verification to prevent spoofing

No system is perfectly secure. If you discover a potential security vulnerability, please disclose it responsibly to support@wrendle.com before making it public.

9. International data transfers

Some of our sub-processors (listed in section 5) are based in the United States. Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place — typically Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner or the EU Commission.

Supabase stores data in the EU (Ireland). We have configured our Vercel deployment to the London region (lhr1) to minimise latency and data transit.

10. Children

Wrendle is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at support@wrendle.com and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you by email of any material changes at least 14 days before they take effect.

The current version will always be available at wrendle.com/privacy, with the effective date shown at the top.

12. Contact and complaints

Data controller: Isaflo Ltd (trading as Wrendle)

Email: support@wrendle.com

Data protection queries: luke@wrendle.com

Response time: we aim to respond to all privacy enquiries within 5 working days and to fulfil subject access requests within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office:
ico.org.uk/make-a-complaint · 0303 123 1113