Privacy Policy
Last updated: 15 May 2026.
This policy explains what personal data Humanize Me collects, why we collect it, who else processes it on our behalf, how long we keep it, and what rights you have. It is written to be readable in plain English. The legal commitments are real.
Who we are (the data controller)
Humanize Me is operated by a sole trader registered in the Republic of Türkiye, with a place of business in Istanbul. For the purposes of the EU GDPR and the Turkish Personal Data Protection Law (KVKK No. 6698), this operator is the data controller for the personal data described below. Full legal entity details are available on request to support@humanize-me.com.
What data we collect
We collect only what we need to run the service.
- Account data. If you create an account, we store your email address, a securely hashed copy of your password (we never see or store the plaintext), and the timestamps of when you signed up and confirmed your email. Authentication is handled by Supabase Auth on our behalf.
- Billing data. If you subscribe to a paid plan, payment data (card details, billing address, tax identifiers where required) is collected and stored by our payment processor, Paddle.com Market Ltd, acting as Merchant of Record. We receive only the resulting transaction metadata (plan, tier, status, anonymized transaction id) so we can credit your account. We never see or store your card number or full billing address.
- Text you submit for rewriting. The source text you paste in, and the optional voice sample you can provide for style matching, are sent to our AI provider for processing. We do not write this text to a database or persistent log. It exists in memory for the duration of the request and is discarded once the response is returned. We do not use submitted text to train or improve our models.
- Usage metadata. For each rewrite we record: the user id (or, for anonymous users, a derived rate-limit key based on IP), the number of credits used, the rewrite tier (Light, Standard, Strong), a success/failure flag, and the timestamp. We do not record the text itself.
- IP addresses. Your IP address is used to enforce rate limits on anonymous traffic and to detect automated abuse. For IPv6 it is bucketed to a /64 prefix so households share a single limit. IP records are retained on a rolling 24-hour window and then purged.
- Security and audit logs. We log security-relevant events (rewrite attempts that hit credit limits, blocked bot traffic, authentication anomalies, webhook activity) so we can investigate abuse. These logs include the user id where available and an IP address. They are retained for up to 90 days.
- Cookies set by required services. Cloudflare Turnstile, the bot-protection widget on our signup and sign-in pages, sets short-lived cookies on the challenges.cloudflare.com domain to verify you are a human. Supabase Auth sets a session cookie when you sign in so we can keep you signed in. Paddle.com may set cookies during checkout to maintain the checkout session. We do not use advertising cookies, cross-site tracking, fingerprinting, or third-party analytics that track individuals.
Why we use your data and the legal bases under GDPR
- To provide the service you asked for. Processing rewrites, maintaining your account, and granting credits for paid plans. Legal basis: performance of a contract (GDPR Article 6(1)(b)).
- To take payment for paid plans. Forwarding necessary order data to Paddle so they can charge your card and remit VAT/sales tax. Legal basis: performance of a contract and compliance with a legal obligation (GDPR Article 6(1)(b) and (c)).
- To prevent abuse of the free tier and AI cost exhaustion. Rate limiting, bot detection, and security logging. Legal basis: our legitimate interest in keeping the service available for paying customers and within our cost budget (GDPR Article 6(1)(f)).
- To comply with tax, accounting, and legal-process requests. Where required by Turkish or EU law. Legal basis: compliance with a legal obligation (GDPR Article 6(1)(c)).
Third-party processors
We rely on a small number of service providers to run Humanize Me. Each of them processes your data only on our instructions, under a Data Processing Agreement, for the limited purposes described below.
- Paddle.com Market Ltd (United Kingdom, EU representative in Ireland). Payment processing, billing, tax compliance, Merchant of Record. Receives: email, billing details you provide at checkout, card data, transaction metadata. See Paddle's privacy notice.
- Anthropic, PBC (United States). AI model provider running the rewrite. Receives: the text you submit for rewriting and any optional voice sample, for the duration of the API call only. Anthropic's commercial terms state that data submitted via the API is not used to train their models. See Anthropic's privacy notice.
- Supabase, Inc. (United States; data hosted in EU regions where available). Database, authentication, and storage. Receives: account data, usage metadata, audit logs. See Supabase's privacy notice.
- Vercel, Inc. (United States). Hosting and edge delivery of the website and API. Receives: HTTP request metadata (IP, user-agent, URL, status) in standard server logs. See Vercel's privacy notice.
- Cloudflare, Inc. (United States). Bot detection via Turnstile on the signup and sign-in flows. Receives: a short-lived challenge token and the user-agent of the browser solving the challenge. See Cloudflare's privacy notice.
International data transfers
Some of our processors are located in the United States. Where personal data is transferred outside the European Economic Area, the United Kingdom, or Türkiye, we rely on the European Commission's Standard Contractual Clauses and equivalent safeguards offered by the processor. For visitors in Türkiye, transfers comply with KVKK Article 9 by relying on the explicit consent you provide when you sign up or subscribe, or on the contractual necessity of using the service you requested.
Data retention
- Text submitted for rewriting: not stored. Held in memory for the request, then discarded.
- Account data: kept while your account is active. Deleted within 30 days of account deletion request, except where retention is required by tax or accounting law (typically 5 years in Türkiye).
- Billing records: retained by Paddle and by us for as long as Turkish tax law requires (currently 5 years).
- Usage metadata: 12 months, then aggregated and anonymized.
- Anonymous IP rate-limit records: rolling 24 hours, then purged.
- Security and audit logs: up to 90 days.
Your rights
If the GDPR applies to you (you are in the EEA or UK) or the KVKK applies to you (you are in Türkiye), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data, subject to retention obligations described above.
- Receive a portable copy of your account data in a structured, commonly used format.
- Restrict or object to processing based on our legitimate interests.
- Withdraw consent where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint with a supervisory authority. In Türkiye that is the Kişisel Verileri Koruma Kurumu (KVKK). In the EU, your local Data Protection Authority.
To exercise any of these rights, email support@humanize-me.com. We respond within 30 days. We may ask you to verify ownership of the email address on file before acting on a request.
Children
Humanize Me is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
Security
We use HTTPS with HSTS for all traffic, store passwords only as salted hashes via Supabase Auth, scope database access by row-level security, isolate AI provider keys server-side, and require timing-safe webhook signature verification for billing events. No system is perfectly secure. If we ever become aware of a data breach that affects your personal data, we will notify the relevant supervisory authority and you in accordance with GDPR and KVKK timelines.
Changes to this policy
We may update this policy as the service evolves or as the law changes. Material changes will be announced by email to registered users at least 14 days before they take effect. The version in force on the date you submit a piece of personal data governs that submission.
Contact
For privacy questions, data requests, or to identify the data controller, email support@humanize-me.com or use our contact page.