Privacy Policy

How we handle your data under GDPR + CCPA. Plain English first; the legal references are at the bottom.

Last updated: May 5, 2026

1. Who runs GOAT Writer

GOAT Writer is operated as a Kleingewerbe (small sole proprietorship under § 1 GewO) by Roua Alturk, Bremer Strasse 30, 65824 Schwalbach am Taunus, Germany. Roua Alturk is the “controller” of your personal data within the meaning of Art. 4(7) GDPR. You can reach us at support@goatwriter.io or +49 178 559 1950.

We are below the EU GDPR threshold that requires a designated Data Protection Officer (DPO). The contact above is the right route for every privacy question, deletion request, or DSAR.

2. What we collect, why, and on what legal basis

We try to collect the minimum required to run the service. Categories:

  • Account & auth. Email, hashed password (bcrypt), name, optional Google OAuth profile id, login timestamps. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
  • Billing. Stripe customer id, plan, last four card digits, billing address. We never see or store full card numbers — Stripe handles them. Legal basis: contract + legal obligation (Art. 6(1)(b) and (c)).
  • Content you create. Articles, prompts, voice samples, uploaded PDFs, sites, keywords. Legal basis: contract.
  • Telemetry & security logs. IP address, user agent, timestamps, error traces. Retention 14 days. Legal basis: legitimate interest (Art. 6(1)(f)) — running and securing the service.
  • Usage analytics (only if you accept the analytics cookies). Aggregate page views, feature use. Legal basis: consent (Art. 6(1)(a)).

3. Sub-processors

We share your data with the following processors strictly to provide the service. Each is bound by a Data Processing Agreement (DPA) and, for transfers to the United States, by Standard Contractual Clauses (SCCs) under Art. 46 GDPR plus the EU–US Data Privacy Framework where the processor is certified.

  • Vercel Inc. (US) — hosting + edge network.
  • MongoDB Atlas (Cluster region: EU) — application database.
  • Anthropic PBC (US) — Claude API for article generation, humanization, scoring. Anthropic does not train on customer API content.
  • OpenAI, L.L.C. (US) — Whisper API for voice transcription, DALL·E 3 for inline images. OpenAI does not train on API content.
  • Google LLC (US) — Gemini API for research + competitor analysis.
  • Stripe Payments Europe Ltd. (Ireland) — billing.
  • Resend, Inc. (US) — transactional email.
  • Serper.dev (US) — SERP data lookups.
  • Pexels GmbH (Germany) — stock image search.

We will update this list before adding any new sub-processor. If you have an active subscription, you can email us to subscribe to change notifications.

4. Your rights (EEA, UK, Switzerland)

Under GDPR you have the right to:

  • Access your data (Art. 15)
  • Have inaccurate data corrected (Art. 16)
  • Have your data erased / “right to be forgotten” (Art. 17)
  • Restrict processing (Art. 18)
  • Receive your data in a portable format (Art. 20)
  • Object to processing based on legitimate interest at any time (Art. 21)
  • Withdraw consent at any time without affecting prior processing
  • Lodge a complaint with your local supervisory authority. Our lead authority is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit.

To exercise any right, email support@goatwriter.io. We respond within 30 days (Art. 12(3)).

5. Your rights (California — CCPA / CPRA)

California residents have the right to know, delete, correct, and opt out of the “sale” or “sharing” of their personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise CCPA rights, email support@goatwriter.io with the subject “CCPA Request”.

6. Retention

  • Account data: while your account is active, plus 30 days after deletion to handle billing reconciliations.
  • Articles + uploaded content: deleted immediately on your action; soft-deleted from backups within 30 days.
  • Server error logs: 14 days, then auto-purged.
  • Invoices / billing records: retained 10 years to satisfy German commercial bookkeeping rules (§ 257 HGB, § 147 AO).

7. International transfers

Some sub-processors above are based in the United States. We rely on the EU–US Data Privacy Framework for processors certified under it (Anthropic, OpenAI, Google, Vercel) and on Standard Contractual Clauses (SCCs) under Art. 46 GDPR otherwise.

8. AI model training

We do not train AI models on your articles, prompts, voice samples, or uploaded PDFs. Anthropic and OpenAI confirm in their API terms that customer content is not used to train their public models.

9. Cookies + tracking

See our Cookie Policy for the full breakdown and the consent banner you can re-open at any time.

10. Security

Passwords are bcrypt-hashed. Connected CMS credentials (WordPress Application Passwords, Ghost API keys, Shopify tokens, Webflow access tokens, Contentful management tokens) are encrypted at rest with AES-256-GCM. All traffic is TLS 1.2+ only. Security headers (CSP, HSTS, X-Frame-Options DENY, no MIME sniffing) are enforced site-wide.

11. Children

GOAT Writer is not directed to anyone under 16. If you believe a child has created an account, email us and we will delete it.

12. Changes to this policy

We will post changes to this page with a new “Last updated” date and, for material changes, email registered users at least 14 days in advance.