YourWord Customer Privacy Notice

We at YourWord ("YourWord," "we," "us," or "our") are committed to protecting and respecting your privacy. This Privacy Notice explains what personal information we collect from you, or that you provide to us, how it will be processed by us when you use our website, applications, and services (collectively, "Services"), and your rights in relation to your personal information.

Our Services allow users to interact with large language models (LLMs) to perform tasks such as retrieval-augmented generation (RAG) on publicly available books and engage in real-time chat functionalities.

1. Contact Details for Privacy Matters

If you have any questions about this Privacy Notice or our data protection practices, please contact us at:

2. Personal Information We Collect

We collect and process the following types of personal information:

2.1. Information You Provide to Us:

• Account Information: When you create an account, we collect your name, contact details (email address, phone number if provided), account credentials (username, password – which we store in a hashed format), and any profile information you choose to add.
• User Content: This includes any text, prompts, queries, documents or files you upload, or feedback you provide when using our Services. This may include personal information if you input it into the Services (e.g., when interacting with public book content or in chat sessions).
• Communication Information: If you contact us directly (e.g., for customer support, feedback), we collect your name, contact information, and the content of your communications.
• Payment Information: If you subscribe to paid services, we (or our third-party payment processors) collect payment card information and transaction history. YourWord does not typically store full payment card details; these are handled by our secure payment gateway.
• Marketing Preferences: Information about your preferences for receiving marketing communications from us.

2.2. Information We Automatically Collect When You Use Our Services:

• Log Data: Information that your browser or device automatically sends when you use our Services. This includes your Internet Protocol (IP) address, browser type and settings, device information (type, operating system, identifiers), access dates and times, and how you interact with our Services.
• Usage Data: Information about your use of the Services, such as the features you use, the types of content you view or engage with (including interactions with public book materials), queries submitted to the LLM, chat session metadata (duration, frequency), actions you take, error logs, and performance data.
• Cookies and Similar Technologies: We use cookies and similar tracking technologies to operate and administer our Services, gather usage data, and improve your experience. For more details, please see our cookies policy.

2.3. Information from Publicly Available Books:

Our Services allow you to interact with publicly available books. The content of these books is processed by our Services to provide RAG capabilities. We do not collect personal information *from* these books unless it is incidentally part of the book's content that you interact with and subsequently becomes part of your User Content or Usage Data.

2.4. Special Category Data:

We do not intentionally collect "special categories of personal data" (as defined under UK GDPR, e.g., information about race, ethnic origin, political opinions, religious beliefs, health, sex life, sexual orientation, trade union membership, genetic or biometric data) unless you voluntarily provide it as part of your User Content. If you provide such information, you are responsible for ensuring you have the necessary rights or consents. Our lawful basis for processing any such inadvertently provided special category data within your User Content would be your explicit action of inputting it and our legitimate interest in operating the service, or where necessary for the establishment, exercise or defence of legal claims. We strongly advise against inputting unnecessary sensitive personal information into the Services.

3. How We Use Your Personal Information and Lawful Bases

We use your personal information for the following purposes, relying on the specified lawful bases under UK GDPR:

• To Provide and Administer Our Services:
  • To create and manage your account, process transactions, and provide you with access to our LLM features, RAG capabilities, and chat functionalities.
  • Lawful Basis: Performance of a contract with you.
• To Improve and Develop Our Services:
  • To understand how users interact with our Services, identify areas for improvement, conduct research, develop new features, and enhance the performance and accuracy of our LLMs. This may involve analysing Usage Data and User Content (often in an aggregated or de-identified form).
  • Model Training:
    • "We may use your data to train and fine-tune language models to improve their capabilities. We will only use your User Content for this purpose with your explicit consent, which you can manage in your account settings, or where we have a legitimate interest and have provided you with a clear opt-out mechanism."
  • Lawful Basis: Legitimate interests (to improve and develop our services, ensuring that our interests are not overridden by your rights and freedoms). For direct use of identifiable User Content for model training, Consent would be a more robust basis.
• To Communicate With You:
  • To send you service-related announcements, security alerts, support messages, and administrative information.
  • Lawful Basis: Performance of a contract; Legitimate interests (to keep you informed).
  • To send you marketing communications about new products, features, or promotions, where you have consented or where permitted by law (e.g., if you are an existing customer for similar services, with an opt-out).
  • Lawful Basis: Consent; Legitimate interests (for existing customers, with an opt-out).
• To Ensure Security and Prevent Misuse:
  • To monitor for and prevent fraudulent activity, unauthorized access, violations of our terms of service, and other misuses of our Services.
  • Lawful Basis: Legitimate interests (to protect our Services, users, and business); Legal obligation (in some cases).
• To Comply with Legal Obligations:
  • To comply with applicable laws, regulations, court orders, or other legal processes (e.g., tax obligations, responding to lawful requests from authorities).
  • Lawful Basis: Legal obligation.
• To Carry Out Business Transfers:
  • In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
  • Lawful Basis: Legitimate interests (to facilitate business transactions).

Where we rely on legitimate interests, we have carried out a balancing test to ensure our legitimate interests are not overridden by your interests or fundamental rights and freedoms.

4. Disclosure of Your Personal Information

We may share your personal information with the following categories of third parties:

• Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions, such as cloud hosting providers (e.g., Google Cloud, AWS), payment processors, analytics providers, customer support software providers, email communication providers. These parties are authorised to access, process, or store personal information only as necessary to perform their duties to us and under our instructions.
• Third-Party LLM API Providers If our Services integrate with third-party LLM providers (e.g., OpenAI API, Google API) to deliver certain functionalities, User Content (such as your prompts) may be sent to these providers. Their use of your data will be governed by their respective privacy policies and terms. We select providers with strong data protection commitments. For example,
• Legal Requirements: If required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation or lawful request from public authorities, (ii) protect and defend our rights or property, (iii) prevent or investigate possible wrongdoing in connection with the Services, (iv) protect the personal safety of users of the Services or the public, or (v) protect against legal liability.
• Business Transfers: In the event of a merger, acquisition, reorganisation, bankruptcy, or other similar event, your personal information may be disclosed in the diligence process and transferred to a successor or affiliate as part of that transaction.
• Affiliates: We may share personal information with our affiliates (entities under common control with YourWord), who will use it in a manner consistent with this Privacy Notice.

5. Your Data Protection Rights

Under UK data protection law, you have several rights in relation to your personal information. These include:

• Right of Access: You have the right to ask us for copies of your personal information and information about how it is processed.
• Right to Rectification: You have the right to ask us to correct personal information you think is inaccurate or complete information you think is incomplete.
  • Accuracy of AI Output: Our Services generate responses by predicting likely sequences of text. In some cases, this output may not be factually accurate. If you notice that an output contains factually inaccurate personal information about you and you would like us to correct it, please contact us. Given the technical complexity, we may not always be able to correct the inaccuracy directly within the model's generative process, but we will take steps to address it, which may include deleting the relevant personal information from the output shown to you or others, where feasible.
• Right to Erasure (Right to be Forgotten): You have the right to ask us to delete your personal information in certain circumstances.
• Right to Restriction of Processing: You have the right to ask us to limit how we use your personal information in certain circumstances.
• Right to Object to Processing: You have the right to object to the processing of your personal data where we are relying on legitimate interests as our lawful basis.
• Right to Data Portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in a structured, commonly used, machine-readable format, in certain circumstances.
• Right to Withdraw Consent: Where we rely on your consent as the lawful basis for processing, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us using the details in Section 1. We will respond to your request within one month, as required by law. You are not usually required to pay a fee unless your request is clearly unfounded, repetitive, or excessive.

6. Data Retention

We retain your personal information for as long as your account with YourWord remains active, or as long as necessary to fulfill the purposes outlined in this Privacy Notice, including providing you with our Services.

Upon your request to delete your account, or if your account becomes inactive for a prolonged period, we will take steps to delete or anonymise your personal information within a reasonable timeframe (e.g., 30-90 days), unless:

• We are required by law to retain it for a longer period (e.g., for tax, accounting, or legal compliance purposes, such as retaining transaction data for 6 years plus current).
• There are outstanding issues, claims, or disputes requiring the information to be retained until resolved.
• The information is necessary for our legitimate business interests, such as fraud prevention, security, or to protect our rights (retained only for as long as strictly necessary for these purposes).
• The data is stored in backup archives and is scheduled for deletion according to our backup rotation policies.

Anonymised or aggregated data, which can no longer be used to identify you, may be kept indefinitely for research, statistical analysis, and service improvement purposes.

7. Security of Your Personal Information

We implement appropriate technical and organisational measures to protect your personal information from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include data encryption, access controls, and regular security assessments. However, no internet or email transmission is ever fully secure or error-free. While we strive to protect your personal information, we cannot guarantee its absolute security.

8. International Data Transfers

Your personal information may be transferred to, stored, and processed in countries outside of the United Kingdom (UK), including countries that may not have data protection laws equivalent to those in the UK (e.g., the United States, where some of our service providers may be located).

When we transfer your personal information outside the UK, we will ensure that appropriate safeguards are in place to protect your information in accordance with UK GDPR. These safeguards may include:

• Transferring data to countries that the UK government has deemed to provide an adequate level of data protection.
• Implementing Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), along with conducting Transfer Impact Assessments (TIAs) to ensure the protection is practically effective.
• For transfers to the US, we may rely on the UK Extension to the EU-US Data Privacy Framework (when applicable to the recipient) or other valid transfer mechanisms.

For more information on the safeguards we use, please contact us.

9. Children's Privacy

Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us, and we will take steps to delete such information from our systems. If you are between 13 and 18 years old, you may only use our Services with the permission of your parent or legal guardian.

10. Links to Other Websites

Our Services may contain links to other websites not operated or controlled by us ("Third-Party Sites"). The information that you share with Third-Party Sites will be governed by their specific privacy policies and terms of service, not by this Privacy Notice. We do not endorse or have reviewed these sites and encourage you to review their privacy practices.

11. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. When we do, we will post the updated version on this page and revise the "Last Updated" date. If we make material changes, we will provide more prominent notice, such as by email or through a notification on our Services, prior to the change becoming effective. We encourage you to review this Privacy Notice periodically to stay informed about our data protection practices.

12. How to Complain

If you have any concerns about our use of your personal information, you can make a complaint to us using the contact details in Section 1. We will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal information.

If you are not satisfied with our response, or believe we are not processing your personal information in accordance with the law, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk