Privacy

Privacy policy

Last updated: 2026-06-11

Plain-English summary

Inksong stores the documents you upload and the text you paste, uses them to humanize on your behalf via the Anthropic Claude API, and deletes them on the schedule below. We do not sell your data. We do not use your content to train models. We only share content with the subprocessors listed below, and only as needed to deliver the service.

Who is responsible for your data

Inksong is operated by Epigrams. For the purposes of data protection law, Epigrams is the controller of personal data processed through the service. Contact: privacy@inksong.app.

What we collect

  • Account data: email address, a bcrypt hash of your password, an optional display name, and an API key we generate for you.
  • Content you submit: any text or files you upload for humanization, plus the rewritten output and AI-detection scores we compute for it.
  • Usage data: request timestamps, document counts, word counts, job duration, and approximate token usage — used for rate limits, billing, and debugging.
  • Billing data: plan, billing currency, your Paystack customer code, and the next-renewal date. We do not store your card details — those are held by Paystack.
  • Error and diagnostic data: if a request fails, we capture the error message and stack trace via Sentry. We strip request bodies and known sensitive headers before sending. Stack traces can include incidental data like email addresses.
  • Network metadata: IP address, user-agent, and request path are written to short-lived application logs to detect abuse and debug issues.

Why we use it

We process your data to:

  • provide the service and authenticate you;
  • process the humanization jobs you request;
  • send you transactional email (verification, password reset, receipts);
  • enforce rate limits, prevent abuse, and investigate security incidents;
  • charge for paid plans and handle refunds;
  • comply with legal obligations (tax records, lawful requests).

Legal bases (for users in the UK/EU)

If you're in the UK or EU, we rely on the following legal bases under the UK GDPR / EU GDPR:

  • Contract:to provide the service you've signed up for and to bill you for it.
  • Legitimate interests: to keep the service secure, prevent fraud and abuse, and improve reliability.
  • Legal obligation:to retain records we're required to keep (tax, billing) and to respond to lawful requests.
  • Consent:where required for specific processing — for example, marketing communications you've opted in to.

Subprocessors

We use a small number of third parties to operate the service:

  • Anthropic (Claude API) — performs the humanization. Per Anthropic's published commercial terms, content sent through the API is not used to train their models.
  • Paystack — processes payments. Card details are entered in Paystack's checkout, not on Inksong; we receive a customer code and an event stream, never card numbers.
  • Resend — sends transactional email (verification, password reset, billing receipts) on our behalf.
  • Zoho Mail — hosts our support inboxes. Email you send us is processed by Zoho on our behalf.
  • Sentry — error monitoring. Captures stack traces; document content is not sent.
  • Backblaze B2 — encrypted off-site storage for daily database backups.

Our infrastructure (Postgres, Redis, S3-compatible object storage) is hosted on a VPS we operate ourselves. We'll update this section if that changes.

International data transfers

Some of our subprocessors — Anthropic, Resend, Sentry, and Backblaze — are based in the United States. Paystack is based in Nigeria. If you're located outside the country a subprocessor operates in, your data will cross borders to be processed. Where required by law, we rely on the relevant standard contractual clauses or equivalent safeguards in place with each provider.

How long we keep it

Uploaded files and humanized outputs are deleted from primary storage within 24 hours of upload. Job metadata (status, detection scores, timestamps, token usage) is retained while your account is active so you can review past runs.

Account data is kept until you delete your account. When you delete your account, your data is removed from primary storage within 7 days.

We take daily Postgres backups for disaster recovery. Local backups are pruned after 14 days. Off-site encrypted copies on Backblaze B2 are retained for the same window. Deleted data may therefore persist in backups for up to 14 days after deletion before being purged by retention.

We may retain limited records longer where the law requires it — for example, billing and tax records — or to defend a legal claim.

Cookies and similar technologies

When you sign in, we set a long-lived HttpOnly refresh-token cookie so your session can be re-issued without re-login. We don't set advertising cookies and we don't use cross-site trackers. If we add product analytics in the future, we'll list the provider here and honour browser Do-Not-Track / Global Privacy Control signals where applicable.

Your rights

Depending on where you live, you have some or all of these rights over your personal data: access, correction, deletion, portability, restriction, and objection. You can:

  • Export or delete your data at any time from Account settings.
  • Rotate your API key from the dashboard (settings → API access) if you suspect it's been exposed.
  • Request a copy of what we hold, or correction of any data that's wrong, by emailing privacy@inksong.app. We'll respond within 30 days.
  • Revoke active sessions across devices via “Sign out everywhere” in the dashboard.
  • Lodge a complaint with your local data-protection authority if you believe we've mishandled your data. In Nigeria that's the Nigeria Data Protection Commission (NDPC); in the UK, the ICO; in the EU, your member-state authority.

Children

Inksong is not directed to children under 13 and we do not knowingly collect personal data from anyone under 13. If you believe a child has signed up, contact privacy@inksong.app and we will delete the account.

Security

Traffic between your browser and Inksong is encrypted with HTTPS. Passwords are hashed with bcrypt before storage; we never see your plaintext password after sign-up. API keys are high-entropy random tokens, stored in our database and shown to you on your dashboard; you can rotate them at any time. Database backups are encrypted in transit and at rest on the off-site provider.

No system is perfectly secure. If we discover a breach that affects your data, we'll notify you by email and tell our regulators where the law requires it.

Changes to this policy

We'll update the “last updated” date at the top when this policy changes. Material changes will be notified by email to the address on your account at least 14 days before they take effect.

Contact

Privacy questions, requests, or notices: privacy@inksong.app. General questions: hello@inksong.app.