Word.now Privacy Policy

Plain English. We want you to understand exactly what data Word.now collects, why we collect it, and what your rights are. No legalese where plain language works equally well.

Last updated: June 2026

If we make material changes to this policy, we will update the date above and notify registered users by email. Continued use of the Service after a policy update constitutes acceptance of the revised terms.

1. Introduction

Word.now ("we", "us", "our") is an AI-powered email reply generator. The Service is operated from the United Kingdom. This Privacy Policy explains what personal information we collect when you use the Word.now website and Service, why we collect it, how we use it, how long we keep it, and what rights you have.

This policy applies to all users of the Service, whether you access Word.now as a visitor, a free user, or a paying subscriber. It covers data collected through our website, through account registration, through the reply generator tools, and through the reply identity system.

Our core tools (subject line generator, tone checker, etc.) work without any email access. Word.now's Pro plan offers an optional inbox connection feature. If you choose to connect your Gmail or Outlook account, we use read-only OAuth access to analyze your sent emails and generate reply drafts. You can disconnect your account at any time from your account settings. We do not read your emails unless you choose to paste their content into our tool or activate the optional inbox connection.

We are the data controller for the personal information described in this policy. If you have questions, contact us at [email protected].

By using Word.now, you agree to the collection and use of information in accordance with this policy.

2. What data we collect

Account data

When you register for an account, we collect:

  • Your email address. This is used to log you in, send account notifications such as password resets, and contact you about significant policy changes.
  • A hashed version of your password. We use the Werkzeug password hashing library, which applies a secure one-way hash. We never store your password in plain text and we cannot read it.
  • A display name, if you choose to set one. This is optional.
  • Account creation date and last login date.

You do not need to provide your real name to use Word.now. We do not ask for it at registration.

Reply examples (reply identity data)

If you use the reply identity feature, we store the email reply examples you explicitly choose to submit. These are email replies you have written in the past that you paste into the identity builder to teach the AI how you write. We store the text of these examples, linked to your account.

We also derive a numeric style profile from your examples: typical sentence length, common greeting words, common sign-off words, average reply word count, and style scores (formality, warmth, directness). This profile is what the reply generator uses when you enable "use my reply identity."

We do not store the original emails you received that your replies responded to. We only store reply text you explicitly submit.

Business profile data

You may optionally provide professional context to improve the relevance of generated replies. This includes:

  • Job title (optional, up to 150 characters)
  • Company website URL (optional)
  • Industry (optional, selected from a dropdown or entered as free text)
  • A short description of your role and what your company does (optional, up to 2,000 characters)

This information is used solely to make the AI replies more contextually appropriate. It is not shared with third parties and is not used for advertising.

Usage data

We collect usage statistics to understand how the Service is used and to improve it. This includes:

  • Which features are used and how often (for example, how many replies are generated per session)
  • Token counts for each AI generation request (used for cost accounting and tier limits)
  • Browser type, device type, and operating system in aggregate form
  • Referring URL, where available

Usage data is collected anonymously for free tool users. For logged-in users, token usage is linked to your account for the purposes of enforcing usage limits and calculating costs.

Tool input (free tool, no account required)

When you use the free email reply generator without creating an account, the text you enter (your goal, key points, and context) is sent to our AI processing partner to generate your reply. This input content is not stored by Word.now after the reply is returned. We retain only an anonymous count of how many replies were generated.

3. What we do NOT do

This section is important. We want to be explicit about things that might concern you.

Our core tools connect to nothing. Our core tools (subject line generator, tone checker, etc.) work without any email access. Word.now's Pro plan offers an optional inbox connection feature. If you choose to connect your Gmail or Outlook account, we use read-only OAuth access to analyze your sent emails and generate reply drafts. You can disconnect your account at any time from your account settings.
We do not read your emails unless you paste them. The only email content we ever process is text you actively copy and paste into our tools. Nothing happens automatically.
We do not automatically send emails on your behalf. Word.now generates reply text that you review and then send yourself. We have no ability to send email from your account and we never will.
We do not sell your personal data. We do not sell your email address, your reply examples, your usage data, or any other personal information to third parties. Not to advertisers, not to data brokers, not to anyone.
We do not use your reply examples to train AI models. Your saved examples are used only to personalize your own generated replies. We do not share them with AI providers for training purposes.
We do not track you across other websites. We do not use cross-site tracking cookies, advertising pixels, or third-party advertising networks of any kind.

4. How we use your data

The legal basis for processing your data under UK GDPR and EU GDPR is one of: performance of a contract (providing the Service you signed up for), our legitimate interests (improving the Service, preventing abuse), or your consent where we ask for it explicitly.

Generating AI replies

When you use the reply generator, the text you enter is sent to the OpenAI API to produce the generated reply. If you have a reply identity enabled, a summary of your style profile is included in the AI prompt. The original email text you paste is not stored after the reply is returned, unless you are using the batch drafting feature (see below).

Improving your reply identity

When you add reply examples to your identity, we process the text to update your style profile: sentence length, formality score, warmth score, directness score, common greetings, and common sign-off phrases. This processing happens within our own infrastructure. The example text itself is stored linked to your account.

Token usage accounting

We record the number of tokens used in each AI generation request. This is used to enforce your plan's usage limits and to calculate our own API costs. Token counts are aggregated at the account level and visible to you in your dashboard.

Service operation and security

We use your account information to authenticate you, maintain your session, protect against unauthorised access, and send account notifications (password resets, material policy changes, service status alerts). We do not send marketing email without your separate, explicit consent.

Service improvement

We use aggregate, anonymised usage statistics to understand which features are used most, identify parts of the product that are confusing, and prioritize development. This analysis does not involve examining the content of individual users' reply examples or pasted email text.

5. Data storage and security

Account data, reply examples, and usage records are stored in a MySQL database on our production server. We take the following security measures:

  • Passwords are hashed using Werkzeug's generate_password_hash, which applies PBKDF2-SHA256. We cannot recover or read your password.
  • All traffic between your browser and Word.now is encrypted via HTTPS using TLS.
  • Session cookies are signed using a server-side secret key. Session data is not exposed to JavaScript.
  • Access to the production database is restricted to authorised personnel only and is not publicly exposed.
  • We do not store full payment card details. Payments are processed by our payment processor, which handles card data directly.

No security system is impenetrable. If we become aware of a data breach that affects your personal information, we will notify you by email and report to the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware, as required under UK GDPR.

6. AI processing

Word.now uses the OpenAI API to generate email replies. When you request a reply, the following information is sent to OpenAI:

  • The email content you paste or describe (subject line, sender, body text)
  • Your generation parameters (goal, tone, reply length preference)
  • A summary of your reply identity style profile, if you have one enabled

This data is transmitted to OpenAI's servers to generate the reply text. OpenAI's data handling is governed by their API privacy policy, available at openai.com/policies/privacy-policy. OpenAI states that content submitted via the API is not used to train their models by default.

We apply word limits to all inputs before sending them to OpenAI. Free tier users have a lower word limit than premium users. This limits both the data transmitted and our API costs. Text that exceeds the limit is truncated before transmission.

We recommend that you do not paste emails that contain highly sensitive content (legal privilege, medical records, personal financial details about others) into any AI tool, including Word.now. If you need to use the tool for sensitive emails, consider paraphrasing or summarizing the content rather than pasting verbatim text.

7. Your rights (GDPR)

If you are located in the UK, the European Union, or the European Economic Area, you have the following rights under UK GDPR and EU GDPR. These rights apply to personal data we hold about you.

Right of access

You have the right to request a copy of the personal data we hold about you. You can view your account information and all saved reply examples in your account settings at any time. For a full data export, contact us at [email protected]. We will respond within 30 days.

Right to rectification

You have the right to correct inaccurate personal data we hold about you. You can update your email address and business profile from your account settings. For other corrections, contact us and we will update the data within 30 days.

Right to erasure ("right to be forgotten")

You have the right to request deletion of your personal data. You can delete individual reply examples from your account settings at any time. To delete your full account and all associated data, contact us at [email protected]. We will complete the deletion within 30 days. Note that we may retain anonymised, aggregate statistics that cannot be linked back to you after deletion.

Right to restriction of processing

You have the right to ask us to stop processing your personal data in certain circumstances, for example if you contest the accuracy of the data or object to us using it. Contact us at [email protected] to request a restriction.

Right to data portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can request an export of your saved reply examples in plain text format by contacting us. We will provide the export within 30 days.

Right to object

You have the right to object to processing based on our legitimate interests. If you object, we will stop processing unless we have compelling legitimate grounds that override your rights, or if the processing is for legal claims.

Right to lodge a complaint

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. EU users may also contact their national data protection authority.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

8. Cookies and sessions

Word.now uses cookies only where necessary to operate the Service. We do not use advertising cookies, social media tracking pixels, or cross-site tracking cookies of any kind.

Cookie usage on Word.now
Cookie type What it stores Purpose Required
Flask session cookie Signed session identifier. The session stores your user ID and a CSRF token. No personal data is stored in the cookie itself. Keeps you logged in during a browsing session and across browser restarts if you tick "remember me". Yes, for logged-in features
CSRF token A randomly generated token tied to your session. Protects forms against cross-site request forgery attacks. Included in every form submission. Yes

Session cookies are set by Flask using a server-side secret key. The cookie is signed but not encrypted, so the session ID is visible in browser developer tools, but the contents of the session cannot be forged without the server key.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking scripts. If this changes, we will update this policy and obtain your consent before placing any non-essential tracking cookies.

9. Data retention

Account data

Your email address, hashed password, and account settings are retained for as long as your account is active. If you request account deletion, this data is removed within 30 days.

Reply examples and identity profile

Saved reply examples and your derived style profile are retained until you delete them individually or delete your account. There is no automatic expiry. Individual examples can be deleted from your account settings at any time.

Draft request records

Records of batch draft requests, including the email content you submitted and the generated reply, are retained in your account until you delete them individually. You can delete any draft request record from your account dashboard. Deleting a draft request record removes our copy of the email text and the generated reply. It does not affect any emails in your actual inbox, as we have no connection to your inbox.

Usage and token logs

Aggregate token usage counts are retained on your account for billing and usage limit purposes. Anonymised usage statistics (page views, feature usage counts) may be retained indefinitely in aggregate form, but these cannot be linked back to individual accounts after account deletion.

Free tool inputs

Text entered into the free reply generator (without an account) is not retained after the reply is returned. No personal data from free tool sessions is stored beyond an anonymous session count.

10. Third parties

We share data with the following third party in order to provide the Service:

OpenAI (AI processing)

Text you enter into the reply generator is sent to the OpenAI API to generate replies. OpenAI receives the prompt content (your email text and generation parameters) and returns the generated reply. This is the only third party that receives any content you enter into Word.now. OpenAI's privacy policy is at openai.com/policies/privacy-policy.

We do not use any other third-party services that receive personal data. We do not use third-party analytics platforms (such as Google Analytics), advertising networks, or social media SDKs. We do not share data with data brokers or marketing companies.

If we add new third-party services in future that process personal data, we will update this policy before doing so.

11. Children

Word.now is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us at [email protected] and we will delete the account and all associated data promptly.

Users aged 13 to 17 may use the Service only with parental or guardian consent. If you are a parent or guardian and you believe your child has used the Service in a way you have not consented to, contact us and we will assist you.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page.

For material changes (changes that significantly affect how we use your personal data or your rights), we will notify registered users by email at least 14 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

For minor changes (correcting typos, clarifying existing practices, adding detail that does not change the substance of what we do), we will update the page without direct email notification.

We encourage you to review this policy periodically to stay informed about how we handle your data.

13. Contact

If you have questions about this privacy policy, want to exercise any of your data rights, or need to report a privacy concern, please contact us:

Email: [email protected]
We aim to respond to all privacy queries within 5 business days. For formal GDPR rights requests, we will respond within 30 days as required by law.