Privacy Policy

Last updated: 23 April 2026

1. Introduction

Outlain (“we”, “us”, “our”) operates the outlain.ai platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website and services.

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy legislation worldwide.

2. Data controller

The data controller responsible for your personal data is Outlain. For privacy-related enquiries, contact us at outlain.ai/about/contact.

3. Data we collect

3.1 Data you provide directly

  • Account data: name, email address, password (hashed), and organisation name when you sign up
  • Payment data: billing information processed by our payment provider. We do not store credit card numbers
  • Content data: documents, transcripts, notes, URLs, and other materials you upload to your projects
  • Communications: messages you send via chat, the assistant, or support channels

3.2 Data collected automatically

  • Usage data: features used, spec generations, exports, and actions taken within the platform - used for billing and to improve the product
  • Technical data: IP address, browser type, operating system, device information, and access timestamps from server logs
  • Cookies: essential authentication cookies and a consent preference cookie. See our Cookie Policy for details

3.3 Data we do not collect

  • We do not use advertising trackers or social media pixels
  • We do not sell, rent, or trade your personal data to third parties
  • We do not collect sensitive personal data (racial or ethnic origin, political opinions, health data, etc.) unless you voluntarily include it in uploaded content

4. How we use your data

Purpose | Legal basis (GDPR)
Provide and operate the platform | Performance of contract
Process payments and manage subscriptions | Performance of contract
Generate specs, themes, and analyses from your uploaded content | Performance of contract
Track usage for billing and quota enforcement | Legitimate interest
Send transactional emails (confirmation, password reset) | Performance of contract
Improve and develop the platform | Legitimate interest
Prevent fraud and enforce terms of service | Legitimate interest
Comply with legal obligations | Legal obligation

5. AI and automated processing

Outlain uses third-party AI services to process your uploaded content - extracting themes, generating specifications, performing searches, and powering the assistant. Your content is sent to these providers for processing.

  • Our AI providers do not use your data to train their models
  • Content is processed and discarded - it is not retained by AI providers beyond the short abuse-monitoring window defined in their enterprise API terms
  • The current list of AI processors is published on our Subprocessors page. You can also request the list in writing by contacting us

No automated decisions with legal or similarly significant effects are made based solely on automated processing of your personal data.

6. Third-party service providers

We share data with the following categories of providers, solely for the purposes described:

Category | Purpose | Data shared
Infrastructure provider | Database, authentication, storage | Account data, content, usage records
Payment processor | Billing and subscriptions | Email, billing details
AI providers | Content analysis and processing | Uploaded content (for processing only)
Email delivery provider | Transactional emails | Email address

We require all third-party providers to process data in accordance with applicable data protection laws. We do not sell personal data to any third party. The full list of named providers is published on our Subprocessors page, and you can request the list in writing at any time.

7. Data retention

  • Account data: retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Content data: retained for as long as your account is active. You can delete individual documents, projects, or specs at any time - deletion is permanent.
  • Usage records: retained for 12 months for billing reconciliation, then aggregated and anonymised.
  • Server logs: retained for 90 days for security and debugging purposes.
  • Payment records: retained as required by tax and accounting laws (typically 7 years).

8. Data security

We use reasonable administrative, technical, and physical safeguards to protect your information, including:

  • All data is encrypted in transit and at rest
  • Passwords are hashed using industry-standard algorithms
  • Authentication uses secure session tokens
  • Database-level isolation prevents cross-user data access
  • Payment data is handled entirely by our payment processor - we never store card details

9. Staff access to your content

Outlain staff may access content you upload and messages you send to our AI features only when strictly necessary, and only for the following purposes:

  • Resolving a support request you have submitted
  • Investigating or fixing a system fault you are experiencing
  • Investigating suspected abuse, fraud, or violations of our terms
  • Complying with legal obligations, subpoenas, or regulator requests
  • Routine system maintenance where access is unavoidable (e.g. database migrations)

Access is limited to a small number of operators who require it to perform their duties. We do not browse customer content for any other reason, and we do not read your content to improve our own products outside the AI-processing context described in Section 5. The AI processors listed on our Subprocessors page receive content on our behalf, subject to the safeguards in their enterprise API terms, and do not train on that content.

10. International data transfers

Our service providers may process data outside the European Economic Area (EEA) or the United Kingdom. Where data is transferred internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all sub-processors
  • Adequacy decisions where applicable

11. Your rights

Depending on your location, you may have the following rights regarding your personal data:

Under GDPR (EU/UK residents)

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure: request deletion of your personal data (“right to be forgotten”)
  • Right to restriction: restrict processing of your data in certain circumstances
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: where processing is based on consent, withdraw at any time
  • Right to lodge a complaint: with your local data protection supervisory authority

Under CCPA/CPRA (California residents)

  • Right to know: what personal information is collected, used, and disclosed
  • Right to delete: request deletion of personal information
  • Right to opt out: of the sale or sharing of personal information. Note: we do not sell personal information.
  • Right to non-discrimination: for exercising your privacy rights

How to exercise your rights

To exercise any of these rights, contact us at outlain.ai/about/contact. We will respond within 30 days (GDPR) or 45 days (CCPA). You can also delete your content directly within the platform at any time.

12. Children's privacy

Outlain is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The “last updated” date at the top of this page indicates the most recent revision. Continued use of Outlain after changes constitutes acceptance of the updated policy.

14. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Outlain
Privacy enquiries: outlain.ai/about/contact
