whatuserssay
Start trial

Privacy Policy

Last updated: May 6, 2026

1. Who we are

whatuserssay is a service operated by TEXNI VELOCIDAI, SOCIEDAD LIMITADA, a company incorporated under Spanish law. Registered address: Pl. del Dr. Letamendi, 1; 2n floor, 08007 Barcelona, Spain.

For the purposes of EU data protection law, we are the data controller for your account data and the data processor for the content you capture through our service. Contact for privacy matters: privacy@whatuserssay.com

2. What data we collect

Account data

  • Email address, name, and password hash — collected when you sign up.
  • Google or Microsoft OAuth tokens — stored if you connect Gmail or Outlook as an email source. These tokens are used solely to read and sync your emails; they are not used for any other purpose.
  • Workspace name and settings you configure.

Payment data

Payment details (card number, billing address) are entered directly into Stripe’s hosted fields and processed by Stripe. We store only the Stripe customer ID, subscription status, and plan tier. We never see or store your card number.

Captured content

This is the core content the service processes: social mentions from X, Reddit, Hacker News, Product Hunt, and Bluesky, app store reviews, emails forwarded to your capture address, submissions from your in-app feedback widget, and feedback items you paste manually. This content lives in your workspace and is never shared with other customers.

Derived data

We generate pattern clusters, weekly briefings, sentiment scores, and entity extractions from your captured content. These are derived artefacts stored in your workspace alongside the original items.

Usage and diagnostic data

Pages visited and features used, collected by Plausible Analytics (no cookies, no cross-site tracking, data stored in the EU). Error logs and request traces collected by Axiom (see Third-party processors). Neither service links this data to your individual identity.

3. Legal basis for processing (GDPR)

  • Contract performance (Art. 6(1)(b)): processing your account data, captured content, and derived data to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): sending transactional and product emails (digest, billing receipts, security notices), maintaining service security, and diagnosing errors. Our interest in running a reliable service outweighs the minimal privacy impact of these uses.
  • Legal obligation (Art. 6(1)(c)): retaining billing records for the period required under Spanish accounting law.

We do not rely on consent as a legal basis for any ongoing processing. You can stop using the service and delete your workspace at any time without consequence.

4. How we use your data

  • To operate the service: capture, process, cluster, and deliver your feedback intelligence.
  • To send weekly digests, briefing summaries, and transactional emails (billing receipts, trial expiry notices, security alerts).
  • To process payments and manage subscriptions.
  • To detect and fix errors in the service.
  • To enforce the hard usage cap (items per billing cycle).

We do not train AI models on your data. Captured content is sent to Anthropic’s API and Google AI’s API for processing. Both providers’ API terms explicitly prohibit training on customer API data. Your content is not used to improve any AI model.

We do not sell your data or share it with advertisers.

5. How we store your data

Data is stored in Supabase (PostgreSQL) hosted on AWS in the US. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-level security (RLS) policies enforce that your workspace data is only accessible to authenticated users you have authorised. The service-role key that bypasses RLS is stored only in Vercel environment variables and is never exposed client-side or in logs.

Captured content is vector-embedded for similarity search using Voyage AI. Embeddings are stored in the same database alongside the original content.

6. Third-party processors

We use the following sub-processors. Each receives only the minimum data required for their function.

  • Supabase, Inc. (USA)PostgreSQL database and vector storage. Data is stored on AWS us-east-1.
  • Vercel, Inc. (USA)Hosting, edge functions, and CDN. Processes all HTTP requests.
  • Anthropic, PBC (USA)AI inference for long-form analysis: weekly digests, pattern clustering, briefings, annual reports. Receives captured content via API. Does not train on API data.
  • Google LLC (USA)AI inference for classification tasks (tagging, sentiment, entity extraction) via Gemini 2.5 Flash-Lite API. Receives captured content via API. Does not train on API data. Also provides Gmail OAuth for email source connection.
  • Microsoft Corporation (USA)Provides Microsoft/Outlook OAuth for email source connection.
  • Voyage AI, Inc. (USA)Vector embeddings for semantic similarity and deduplication. Receives item text; returns numeric vectors only.
  • Stripe, Inc. (USA)Payment processing and subscription management. Receives billing data you enter directly into Stripe's hosted checkout.
  • Resend, Inc. (USA)Transactional email delivery. Receives your email address and email content (digests, receipts, alerts).
  • Plausible Analytics OÜ (Estonia / EU)Privacy-preserving website analytics. No cookies. No personal identifiers. Data stored in the EU.
  • Axiom, Inc. (USA)Application logs and request traces for error monitoring. Receives server-side log events; log scrubbing removes secrets and full content before shipping.

All US-based processors have signed Data Processing Agreements and process EU personal data under Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR or equivalent transfer mechanisms.

7. Cookies

  • better_auth.session_tokenSession authentication. Required to use the app. Expires when you close the browser or after 30 days of inactivity.
  • better_auth.csrf_tokenCross-site request forgery protection. Required for any form submission. Session-scoped.
  • wus_intentRemembers your selected plan during onboarding so we can redirect you to the right checkout after you complete setup. Expires after 1 hour.

No advertising cookies. No third-party tracking cookies. Plausible Analytics uses no cookies. Blocking all cookies except the auth session cookie will not break the service.

8. Data retention

  • Captured items and derived data (patterns, briefings, snapshots): retained until you delete your workspace. Soft-deleted items are purged from backups within 90 days.
  • OAuth tokens (Gmail, Outlook): retained while the connection is active. Disconnecting a source removes the token from our database within 24 hours.
  • Account data (email, name): deleted immediately when you delete your account. Logs referencing your user ID are purged within 90 days.
  • Billing records (invoices, payment history): retained for 7 years as required by Spanish accounting law (Ley 22/2003 and RD 1514/2007). These records are Stripe-managed and contain no captured content.
  • Application logs: retained in Axiom for 30 days, then automatically deleted.

9. Your GDPR rights

If you are in the EU/EEA, you have the following rights under GDPR:

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): ask us to correct inaccurate personal data.
  • Right to erasure (Art. 17): delete your workspace from Settings → Billing → Delete workspace. This removes all your data from our systems. For account deletion without workspace deletion, contact privacy@whatuserssay.com.
  • Right to restriction (Art. 18): ask us to pause processing your data while a complaint is pending.
  • Right to data portability (Art. 20): download your captured items from Settings → Export data. Exports are provided in JSON format.
  • Right to object (Art. 21): object to processing based on legitimate interests. Contact us at the address below.
  • Right to lodge a complaint: you have the right to complain to the Spanish data protection authority (AEPD — agpd.es) or your local supervisory authority if you believe we have violated your rights.

We respond to all rights requests within 30 days.

10. International data transfers

Our company is based in Spain (EU). Most of our infrastructure providers are US-based. When we transfer your personal data outside the EU/EEA, we do so under the European Commission’s Standard Contractual Clauses (SCCs), which provide equivalent protection to EU data protection law.

All sub-processors listed in Section 6 have signed SCCs or equivalent transfer agreements. You can request copies of these agreements at privacy@whatuserssay.com.

11. Children

The service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact privacy@whatuserssay.com and we will delete it immediately.

12. Changes to this policy

We will notify you by email at least 30 days before any material changes to this policy take effect. Minor changes (correcting typos, clarifying language) may be made without notice. The current version is always at whatuserssay.com/legal/privacy. The “last updated” date at the top indicates when it was last revised.

13. Contact

For privacy enquiries, rights requests, or data processing agreements:

privacy@whatuserssay.com

TEXNI VELOCIDAI, SOCIEDAD LIMITADA
Pl. del Dr. Letamendi, 1; 2n floor
08007 Barcelona, Spain