Privacy Policy

Last updated: April 20, 2026

InstantSubmit (“we,” “us,” “our”) operates instantsubmit.appand related services (the “Services”). This Privacy Policy explains what we collect, why we collect it, who we share it with, and your rights. By using the Services you accept this policy.

1. Information we collect

Information you provide directly:

  • Account: email address and password (hashed by our auth provider), optional username and avatar.
  • Generation inputs: the chat messages and any files you attach when requesting a presentation or report.
  • Generation outputs: the documents our AI produces on your behalf.
  • Billing: subscription plan, subscription state, and a customer identifier issued by our payment provider. We never see or store your card number.
  • Support communications: messages you send to our support address.

Information we collect automatically:

  • Technical logs: IP address, browser, device type, timestamps. Used for security and debugging, retained for a limited period.
  • Service-essential cookies: a session cookie issued by our auth provider so you stay logged in. We do not run analytics, advertising, or third-party tracking cookies.

2. How we use your information

  • To operate the Services — process your generation requests and deliver files.
  • To bill you and manage your subscription.
  • To send service emails: generation-complete notifications, billing receipts, security alerts, and critical product updates.
  • To provide customer support.
  • To prevent abuse, fraud, and violations of our Terms — including rate-limiting and usage monitoring.
  • To comply with legal obligations.

We do not train AI models on your inputs or outputs. We do not sell your personal data. We do not use your data for advertising.

3. Subprocessors

We rely on a small set of trusted providers to operate the Services. Each is contractually bound to protect your data and process it only on our instructions.

  • Supabase (PostgreSQL, Auth) — stores your account, billing state, and generation records. Hosted in AWS.
  • Cloudflare R2 — stores generated files and any attachments you upload.
  • Dodo Payments — processes subscription billing. PCI DSS compliant; they alone handle your card details.
  • OpenRouter, Anthropic, MiniMax — routing and AI model inference for research and document generation. Inputs and outputs transit these providers to produce your file.
  • Tavily— web search API used by the agent during research. Only the agent’s search queries are sent to Tavily, not your account data.
  • Resend — transactional email delivery (generation-complete notifications, receipts).
  • Vercel — hosting for the web application.

We update this list when we add or change providers. Material changes are communicated via the “Last updated” date above.

4. How long we keep data

  • Account & generations: retained while your account is active.
  • After account deletion: we delete your profile, generation records, and stored files within 30 days. Limited information may be retained longer where required by law (e.g. tax records tied to paid invoices).
  • Billing records: retained for the period required by applicable tax and accounting laws (typically 7 years).
  • Technical logs: retained up to 90 days.

5. Legal basis for processing (GDPR)

If you are in the European Economic Area, UK, or Switzerland, we rely on the following legal bases:

  • Performance of a contract — to provide the Services you signed up for (account, generations, billing).
  • Legitimate interests — to operate, secure, and improve the Services; prevent abuse; and communicate about critical service matters.
  • Legal obligation — to comply with tax, accounting, and other laws.
  • Consent — where required (e.g. optional marketing emails, which you may decline or unsubscribe at any time).

6. Your GDPR rights

If you are covered by the GDPR or UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Request erasure of your data (“right to be forgotten”).
  • Restrict or object to certain processing.
  • Request a copy of your data in a portable format.
  • Lodge a complaint with your local data protection authority — although we ask you to contact us first so we can try to resolve your concern.

You can export and delete your account directly from the billing page (instantsubmit.app/billing) — deletion is immediate and permanent, with subscriptions cancelled automatically. For any other right (rectification, restriction, objection) or if you can no longer sign in, email privacy@instantsubmit.app from the address on your account. We respond within 30 days.

7. California privacy rights (CCPA/CPRA)

If you are a California resident you have the right to:

  • Know what personal information we collect and why.
  • Request access to or a copy of the information we hold about you.
  • Request deletion of your personal information.
  • Correct inaccurate information.
  • Not be discriminated against for exercising these rights.

InstantSubmit does not sell your personal information and does not share it for cross-context behavioural advertising. Deletion and data export are self-serve on the billing page; for anything else, email privacy@instantsubmit.app.

8. International transfers

Our providers may process your data outside your country of residence, including in the United States and other jurisdictions. Where GDPR applies we rely on Standard Contractual Clauses or equivalent safeguards with each subprocessor.

9. Security

We take reasonable technical and organisational measures to protect your data: encrypted storage at rest, HTTPS in transit, short-lived credentials for server-to-server calls, least-privilege database access, and role-separated secrets. No system is perfectly secure; if we become aware of a breach that affects you, we will notify you and applicable regulators without undue delay.

10. Children

The Services are not directed to children under 13 (or under 16 in the EEA/UK). If you believe a child has provided us personal data, email privacy@instantsubmit.app and we will delete it.

11. Marketing communications

By default we only send transactional service emails (generation notifications, billing, security). If we ever send marketing emails, every message includes a one-click unsubscribe link. Opting out of marketing does not stop service emails required to operate your account.

12. Changes to this policy

We may update this policy. The “Last updated” date at the top always reflects the current version. Material changes will be communicated via email or a notice in the app before they take effect.

13. Contact

Privacy questions and data-rights requests: privacy@instantsubmit.app
Everything else: support@instantsubmit.app