Privacy Policy

Last updated: March 2026

This privacy policy explains how Summi ("we", "us", "our") collects, uses, and protects your personal data when you use our website and services at summi.io. We are the data controller for your personal data under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. This policy applies to all users, whether based in the United Kingdom or the European Economic Area (EEA).

If you have any questions about this policy or your data, contact us at hello@summi.io.

1. What we collect

We collect only the data needed to provide the service. Here is exactly what we store and why.

Account data

  • Email address - used as your account identifier and for service communications
  • Full name - used to personalise your dashboard and generated outputs
  • Job title and industry (optional) - used to give AI-generated outputs more relevant context

Achievement data

  • Achievement text you send via WhatsApp or enter through the web portal
  • Timestamps and source metadata (whether entered via WhatsApp or web)
  • Skills and technology tags automatically identified from your achievement text

Generated outputs

  • Summary bullets and LinkedIn posts generated by AI from your achievements
  • These are created on-demand at your request and stored so you can access them later

WhatsApp number

  • Your phone number, provided when you connect WhatsApp to your account
  • Used to receive your messages and send you scheduled prompts

Payment data

  • Processed entirely by Stripe. We do not store your card number, CVV, or full card details on our servers
  • We store your Stripe customer ID and subscription status to manage your plan

Technical data

  • Authentication session tokens (stored in cookies) to keep you signed in
  • We do not collect IP addresses, browser fingerprints, or device identifiers for tracking purposes

2. Legal bases for processing

Under the UK GDPR and EU GDPR, we need a lawful basis for each type of data processing. Here are ours:

  • Contract performance (Article 6(1)(b)): We process your account data, achievements, generated outputs, and WhatsApp number because it is necessary to provide you with the service you signed up for. This includes AI analysis of your achievements for tagging and follow-up suggestions.
  • Contract performance (Article 6(1)(b)): Processing payment data through Stripe is necessary to fulfil your subscription.
  • Legitimate interests (Article 6(1)(f)): We send scheduled WhatsApp prompts to help you capture achievements. This is a core feature of the service and you expect it when you connect your WhatsApp number. You can pause prompts or disconnect your WhatsApp number at any time from the Settings page.
  • Legitimate interests (Article 6(1)(f)): We may occasionally contact you by email about new features, product updates, or relevant offers. You can opt out of these communications at any time using the unsubscribe link in each email.
  • Legitimate interests (Article 6(1)(f)): We process minimal technical data (session cookies) to maintain security and keep you authenticated.

3. How we use your data

  • To store, organise, and display your achievements
  • To analyse incoming achievements for impact metrics and generate relevant follow-up suggestions
  • To automatically tag achievements with relevant skills and technologies
  • To generate summary bullets and LinkedIn posts using Anthropic's Claude API when you request them
  • To send and receive WhatsApp messages via Twilio, including scheduled prompts and achievement confirmations
  • To process subscription payments and manage your billing through Stripe
  • To authenticate you and maintain your session
  • To send service emails (e.g. trial expiry, payment failures) and occasional product updates. You can opt out of non-essential emails at any time.

4. Third-party data processors

We share your data with the following third-party services, only as necessary to provide the service. Each acts as a data processor on our behalf.

  • Supabase (database and authentication) - Stores your account data, achievements, and generated outputs. Our database is hosted in the EU (eu-west-1, Ireland).
  • Anthropic (Claude API) (AI processing) - Your achievement text and optional profile context (job title, industry) are sent to Anthropic's API for generating outputs, analysing impact metrics, and identifying skills and technology tags. Anthropic does not use your data to train their models. See Anthropic's privacy policy.
  • Twilio (WhatsApp messaging) - Processes your WhatsApp number and message content to deliver and receive messages. See Twilio's privacy policy.
  • Stripe (payment processing) - Processes your payment information. We only store your Stripe customer ID and subscription status. See Stripe's privacy policy.
  • Vercel (application hosting) - Hosts the web application. Vercel processes requests to serve the site but does not have direct access to your stored data. See Vercel's privacy policy.

We do not sell your data. We do not share your data with advertisers or use it for third-party profiling.

5. International data transfers

Your primary data (account, achievements, generated outputs) is stored in the EU (Ireland) via Supabase. However, some of our third-party processors are based in the United States:

  • Anthropic (US) - achievement text is sent to their API for processing
  • Twilio (US) - WhatsApp messages are processed through their infrastructure
  • Stripe (US) - payment data is processed through their infrastructure
  • Vercel (US) - application hosting and request processing

These transfers are protected by appropriate safeguards, including the UK International Data Transfer Agreement (UK IDTA), EU Standard Contractual Clauses (SCCs), and/or the EU-US Data Privacy Framework where applicable. Each processor maintains security standards consistent with UK and EU data protection requirements.

6. Data sharing

Your achievements, generated outputs, and personal data are never:

  • Sold to third parties
  • Used for advertising or third-party profiling
  • Used to train AI models
  • Shared with your employer or any other party

Data is only shared with the third-party processors listed above, solely to provide and improve the service. We may disclose your data if required by law, regulation, or legal process (e.g. a court order).

7. Data retention

  • Active accounts: Your data is retained for as long as your account is active.
  • Cancelled subscriptions: Your account and data remain accessible. You keep access to your stored achievements but cannot generate new outputs without an active subscription.
  • Account deletion: When you delete your account from the Settings page, all your data (account details, achievements, generated outputs, WhatsApp number) is permanently deleted from our database. This action is irreversible.
  • Stripe records: Stripe retains payment records independently in accordance with financial regulations and their own retention policy.
  • Twilio message logs: Twilio may retain message logs independently in accordance with their own retention policy. We do not control Twilio's retention of message content after delivery.

8. AI and automated processing

Summi uses Anthropic's Claude API to process your achievement data in the following ways:

  • Impact analysis and follow-ups: When you submit an achievement via WhatsApp or the web portal, it is automatically analysed for impact metrics. If relevant, we may send a follow-up question to help you capture additional context such as numbers, outcomes, or scope.
  • Skills and technology tagging: Achievements are automatically tagged with relevant skills and technologies identified from your text.
  • Summary bullets and LinkedIn posts: Generated on-demand when you explicitly request them. Your achievement text and optional profile context (job title, industry) are sent to Anthropic's API at the time of generation.

Anthropic does not use data sent via their API to train their models. All generated outputs are suggestions - you choose whether to use, edit, or discard them. No automated decisions with legal or significant effects are made about you based on this processing.

9. Your rights

Under the UK GDPR and EU GDPR, you have the following rights over your personal data:

  • Right of access: You can request a copy of all personal data we hold about you. Your achievements and generated outputs are visible in the dashboard at any time.
  • Right to rectification: You can correct your account details (name, job title, industry) from the Settings page. You can edit achievement text directly in the dashboard.
  • Right to erasure: You can delete individual achievements from the dashboard or delete your entire account and all associated data from the Settings page.
  • Right to data portability: You can request a copy of your data in a structured, machine-readable format. Contact us at hello@summi.io to make this request.
  • Right to restrict processing: You can ask us to temporarily stop processing your data in certain circumstances.
  • Right to object: You can object to processing based on legitimate interests. To stop receiving scheduled WhatsApp prompts, you can pause prompts or disconnect your WhatsApp number from the Settings page. To opt out of product update emails, use the unsubscribe link in any email.
  • Right to lodge a complaint: If you are unhappy with how we handle your data, you have the right to complain to your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint. EU residents can contact their national data protection authority.

To exercise any of these rights, email hello@summi.io with "Data request" in the subject line. We will respond within 30 days.

10. Cookies

Strictly necessary cookies

  • Authentication session cookies: These keep you signed in while you use the service. They are set when you log in and cleared when you log out or when they expire.

Analytics cookies

We may use analytics cookies to understand how visitors use the site and improve the service. If we introduce analytics cookies, we will update this section and ask for your consent before setting them, in line with UK and EU cookie regulations.

We do not use advertising cookies, tracking pixels, or third-party advertising scripts.

11. Security

We take the following measures to protect your data:

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Database access is protected by Row Level Security (RLS) policies, ensuring you can only access your own data
  • Webhook endpoints (Stripe, Twilio) verify cryptographic signatures before processing any incoming data
  • Authentication is handled by Supabase Auth with secure, HttpOnly session cookies
  • Service role keys and API credentials are never exposed to the browser
  • Database backups are managed by Supabase in accordance with their infrastructure security standards

If we become aware of a data breach that affects your personal data, we will notify you and the relevant supervisory authority as required by law.

12. Children

Summi is designed for working professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us at hello@summi.io and we will delete it promptly.

13. Changes to this policy

We may update this privacy policy from time to time. If we make material changes that affect how your data is processed, we will notify you by email before the changes take effect. The "last updated" date at the top of this page reflects when the policy was most recently revised.

14. Contact

For any questions about this privacy policy or your personal data, contact us at: hello@summi.io

If you are not satisfied with our response, you can contact your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk | Telephone: 0303 123 1113. EU residents can find their national data protection authority at edpb.europa.eu.