Privacy Policy
Last updated: April 28, 2026
This Privacy Policy explains how Alphacore("we", "us") collects, uses, shares, and protects personal data when you use Quilpen (the "Service"). We are the data controller for personal data processed through the Service.
1. What we collect
You give us
- Account data: name, email, hashed password, and (if you sign in with Google) Google account ID + profile photo URL.
- Project content: manuscripts, chapter outlines, sources you upload, citations, and any text you generate or edit through the Service.
- Billing data: handled by our payment processor (Paddle); we receive only a customer ID, subscription status, the last four digits of the card, country, and invoice metadata. We never see your full card number.
Collected automatically
- Usage data: AI-operation logs (which feature, how many credits, model used, token counts), error logs, request paths, timestamps.
- Device data: IP address (truncated for analytics), browser type, OS, screen size, and a session cookie used to keep you signed in.
2. Why we use it (legal bases under GDPR)
- To provide the Service — performance of the contract you have with us (Art. 6(1)(b) GDPR).
- To process payments and send transactional email — performance of contract.
- To secure the Service, prevent abuse, and debug issues — legitimate interest (Art. 6(1)(f)).
- To improve the Service in aggregate (anonymised metrics) — legitimate interest.
- To comply with legal obligations (tax, accounting, lawful requests) — legal obligation (Art. 6(1)(c)).
We do not use your project content to train AI models, and we do not sell personal data to third parties.
3. How AI processing works
When you trigger an AI operation (e.g. drafting a section, generating an abstract), the relevant excerpt of your project — and only that excerpt — is sent over TLS to Anthropic's API. Anthropic processes the request to return a completion and does not retain the data for model training under the API terms applicable to us. See Anthropic's privacy policy.
4. Subprocessors
We share personal data only with the following subprocessors, each bound by a data processing agreement and appropriate transfer safeguards (Standard Contractual Clauses where applicable):
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic, PBC | Large language model inference (Claude) for AI writing assistance | United States |
| Paddle.com Market Limited | Payment processing as Merchant of Record (subscriptions, taxes, invoicing) | United Kingdom |
| Railway Corp. | Application and database hosting | United States |
| Resend, Inc. | Transactional email delivery (sign-in, billing, account) | United States |
| Google LLC | Optional Google sign-in (OAuth) and image generation for non-academic projects | United States |
| Kroki | Server-side rendering of charts, diagrams, and equations (no PII sent) | European Union |
5. International transfers
Some subprocessors (Anthropic, Railway, Resend, Google) are based in the United States. Where we transfer personal data outside the EEA / United Kingdom, we rely on the European Commission's Standard Contractual Clauses (and equivalent UK IDTA) as the transfer mechanism, supplemented by encryption in transit and at rest.
6. How long we keep data
- Account & project content: for as long as your account is active. Deleted immediately on account deletion request, except backups (purged within 30 days).
- Billing records: retained for the period required by tax law (typically 5–10 years).
- Server & AI-operation logs: 90 days, then deleted or anonymised.
7. Your rights
Under GDPR, KVKK (Türkiye), and similar laws, you have the right to:
- access the personal data we hold about you,
- correct inaccurate data,
- delete your data (the "right to be forgotten"),
- restrict or object to processing,
- receive your data in a portable, machine-readable format,
- withdraw consent (where consent is the legal basis),
- lodge a complaint with your supervisory authority (in the EU/UK) or the Personal Data Protection Authority of Türkiye (KVKK Kurumu).
To exercise any right, email privacy@quilpen.com. We respond within 30 days.
8. Cookies
We use a single first-party session cookie to keep you signed in. We do not use third-party advertising or analytics cookies. The Paddle checkout iframe sets cookies necessary for payment fraud-prevention; see Paddle's cookie policy.
9. Security
We protect personal data with TLS 1.2+ in transit, encryption at rest in the database, role-based access control for engineering, and regular dependency patching. No system is 100% secure; we will notify affected users without undue delay if a breach affects their personal data.
10. Children
The Service is not directed to children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes
We will post material updates here and notify active users at least 14 days before they take effect.
12. Contact
For privacy questions or to exercise your rights, email privacy@quilpen.com. The data controller is Alphacore, İstanbul, Türkiye.