Privacy Policy

Last updated: 22 February 2025

Open is built on the belief that your letters, your debts, and your financial situation are deeply personal. This policy explains clearly — without legal jargon — what we collect, why we collect it, and how we protect it. If something isn't clear, please contact us.

1. Who We Are

Open (also referred to as "OpenLetter") is a mobile application that helps users understand debt-related correspondence. You scan a letter, we analyse it with AI, and you get a plain-English summary of what it means and what to do. The App is available in the United Kingdom, United States, Australia, and Canada.

2. Information We Collect

We collect only what is necessary to provide the service. Here is everything we collect:

Account information: Your email address when you create an account. Optionally, a display name you choose to add.
Letter images: Photos you take of letters using your camera. These are stored in a private, encrypted storage folder accessible only to you. They are used solely to perform AI analysis.
Extracted letter data: Structured information derived from your scanned letters — such as sender name, reference numbers, amounts owed, deadlines, and AI-generated summaries. This is stored in your private account.
Creditor and financial records: Information you log manually, such as creditor names, payment plans, transaction history, and case notes.
Device and diagnostic data: Basic crash reports and error logs (e.g. device type, OS version, error messages) to help us fix bugs. This data does not identify you personally.

We do not collect: your full legal name, national insurance or social security number, bank account details, payment card information, or your location.

3. How We Use Your Information

To provide the letter scanning and AI analysis service
To store and organise your letters, creditors, and payment records within your private account
To send deadline reminders and notifications you have opted into
To diagnose technical problems and improve App performance
To comply with legal obligations where required

We never use your data to show you advertisements. We never sell your information to third parties — ever.

4. AI Processing of Letter Images

When you scan a letter, the image is transmitted securely to an AI model for analysis. This image is processed transiently — it is used only to generate the letter summary and extract structured data. It is not retained by the AI provider after the analysis is complete.

We use data processing agreements with our AI providers that explicitly prohibit them from training their models on your data or retaining your images.

5. Data Storage and Security

Your data is stored using Supabase, an enterprise-grade cloud database platform. The security measures in place include:

Row-level security: Only your account can read or write your own data — this is enforced at the database level, not just in the application.
Encryption in transit: All data between the App and our servers is encrypted via TLS.
Encryption at rest: Your data is encrypted on disk in Supabase's managed infrastructure.
Private storage buckets: Letter images are stored in private buckets. They are not publicly accessible via any URL — only your authenticated session can retrieve them.
Token-based authentication: Secure JWT sessions with automatic expiry. Your password is never stored in plain text.

6. Data Retention

Your data is retained for as long as your account is active. You are in complete control:

You can delete individual letters, creditor records, or payment history from within the App at any time.
You can delete your entire account from Settings → Delete Account. This permanently and irreversibly deletes all associated data — including all letter records, images, creditor information, and payment history — within 30 days.

Once deletion is requested and confirmed, it cannot be undone and data cannot be recovered.

7. Sharing Your Information

We do not sell, rent, or share your personal information with third parties for their own purposes. Data may be shared only in these limited circumstances:

Service providers: Supabase (database and storage) and our AI provider (letter analysis) process data on our behalf under strict data processing agreements. They have no right to use your data for their own purposes.
Legal requirements: If required by law, a court order, or to protect the safety of our users or the public. We will notify you if legally permitted to do so.

8. Camera Permission

The App requires camera access to scan letters. Camera permission is only requested when you actively choose to scan. Photos are taken, processed for analysis, and stored in your private account. The camera is never accessed in the background.

9. Notifications

If you enable notifications, the App will send you reminders about upcoming letter deadlines and payment plan due dates. You can turn notifications off at any time in the App's Settings or in your device's system settings. We do not send marketing notifications.

10. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

Access: Request a copy of the data we hold about you.
Correction: Request that inaccurate data be corrected.
Deletion: Request that your data be deleted. You can do this directly in the App via Settings → Delete Account, or by contacting us.
Portability: Request your data in a structured, machine-readable format.
Objection: Object to certain types of processing where we rely on legitimate interests.
Restriction: Request that we restrict processing of your data in certain circumstances.

To exercise any of these rights, please contact us at privacy@openletter.app. We will respond within 30 days.

If you are in the UK or EU, you also have the right to lodge a complaint with your relevant supervisory authority (e.g. the ICO in the UK).

11. Children's Privacy

Open is not directed at children under the age of 13 (or under 16 in the UK and EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@openletter.app and we will promptly delete it.

12. Third-Party Links

The App includes links to free debt advice services — such as StepChange, Citizens Advice, the NFCC, and others. These are independent organisations with their own privacy policies. We are not responsible for their data practices. We recommend reviewing their policies before providing them with any personal information.

13. International Data Transfers

Our infrastructure providers may store or process data outside your country of residence. Where this occurs, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent protections required under applicable data protection law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via the App or by email before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Your continued use of the App after a revised policy is posted constitutes your acceptance of the updated terms.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out:

Email: privacy@openletter.app

We aim to respond to all privacy-related enquiries within 5 business days.