Privacy Policy
Last updated: 23 February 2026
Effective: 23 February 2026
Version 1.0.0
1. Data Controller
The data controller for your personal data is:
Pitchwits Ltd
16b Elsham Road, London W14 8HA
United Kingdom
Email: privacy@pitchwits.com
Company number: [registered number]
For data protection enquiries, contact our Data Protection Officer at privacy@pitchwits.com.
2. Personal Data We Collect
2.1 Account data
When you create an account we collect your name, email address, and authentication credentials (or receive them from Google if you use OAuth sign-in).
2.2 Company and application data
Information you provide about your company, technology, team, and financials as part of the grant-writing process. This includes onboarding questionnaire responses, uploaded documents (pitch decks, business plans, technical papers), and any edits you make to AI-generated content.
2.3 AI interaction data
Prompts sent to AI models, AI-generated outputs (draft sections, assessments, document extractions), and your subsequent edits.
2.4 Payment data
Payment processing is handled by Stripe. We do not store your full card details. We receive your Stripe customer ID, subscription status, and transaction records.
2.5 Technical data
IP address, browser type, device information, and usage logs collected automatically when you use the platform.
3. Legal Bases for Processing (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Providing the platform and AI-assisted grant writing | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| AI model training using your data (RLHF) | Consent (Art. 6(1)(a)) — opt-in only |
| Platform analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance (tax records, GDPR requests) | Legal obligation (Art. 6(1)(c)) |
4. AI Processing
4.1 How we use AI
Pitchwits uses artificial intelligence to generate grant application content, assess draft quality, and extract information from uploaded documents. AI processing is a core part of the service and is necessary to fulfil our contract with you.
4.2 AI sub-processors
Your data is processed by the following AI model providers:
- Anthropic (Claude models) — San Francisco, USA. Used for content generation and quality assessment. Anthropic does not use API inputs/outputs for model training.
- Google (Gemini models) — Mountain View, USA. Used for quality assessment and document extraction. Data sent via the paid API is not used by Google for model training.
Both providers process data under Standard Contractual Clauses (SCCs) and their respective data processing agreements. For full details on how AI is used, see our AI Transparency page.
4.3 Human oversight
All AI-generated content is presented as a draft for your review. No AI output is submitted to funding bodies without human review and explicit approval. You retain full editorial control over all generated content.
5. AI Training Data
5.1 What we may collect for training
With your explicit opt-in consent, we may use anonymised versions of the following to improve our AI models through reinforcement learning from human feedback (RLHF):
- Your questionnaire responses (inputs)
- AI-generated draft content (outputs)
- Your edits to AI-generated content (corrections)
- Document extractions
- Quality assessments
5.2 Anonymisation
Before any data is included in a training dataset, it is anonymised so that it cannot be traced back to you or your company. Company names, personal names, and other identifying information are removed or replaced.
5.3 Opt-in and withdrawal
Training data collection is entirely optional and requires your explicit consent. You can opt in or out at any time via your Privacy Settings. Withdrawing consent removes your data from all future training datasets. Data already included in a completed training run cannot be retroactively removed but will be excluded from all subsequent datasets.
6. Who We Share Your Data With
We share personal data only with:
- AI model providers (Anthropic, Google) — to process your data as described in Section 4
- Stripe — payment processing
- Supabase (AWS eu-west-1) — database hosting and authentication
- Vercel — application hosting
We do not sell your personal data. We may disclose data if required by law, regulation, or court order.
7. International Data Transfers
Your data is stored in the EU (Supabase/AWS eu-west-1). When data is sent to AI providers in the United States, transfers are protected by EU Standard Contractual Clauses (SCCs) and the providers' respective data processing agreements. We only transfer data to countries or organisations that provide adequate protection as required by GDPR Chapter V.
8. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of account + 30 days after deletion |
| Grant application content | Duration of account + 90 days |
| Uploaded documents | Duration of account (deleted on account closure) |
| Payment records | 7 years (UK tax obligations) |
| Consent records | Duration of account + 3 years (audit trail) |
| Activity logs | 2 years |
| Anonymised training data | Indefinite (not personal data once anonymised) |
9. Your Rights Under GDPR
You have the right to:
- Access your personal data (Article 15)
- Rectify inaccurate data (Article 16)
- Erase your data / right to be forgotten (Article 17)
- Restrict processing (Article 18)
- Data portability — receive your data in a structured, machine-readable format (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent at any time without affecting the lawfulness of prior processing (Article 7(3))
Self-service
You can exercise many of these rights directly from your Privacy Settings page, where you can:
- Download all your data (data portability)
- Request account deletion (right to erasure)
- Manage training data consent (withdraw consent)
- View your active consents
For any other requests, contact us at privacy@pitchwits.com. We will respond within 30 days as required by GDPR.
Right to lodge a complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk.
10. Cookies
We use essential cookies for authentication and session management. For details, see our Cookie Policy.
11. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security policies on all database tables
- Role-based access controls
- Security headers (HSTS, CSP, X-Frame-Options)
- Regular security reviews
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34).
13. Children's Data
Pitchwits is a business-to-business service intended for use by adults. We do not knowingly collect data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us at privacy@pitchwits.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the platform (via our re-consent mechanism) and, where required, will require your renewed consent before continued use. The "Last updated" date at the top of this page will always reflect the most recent revision.
15. Contact Us
For privacy-related questions or to exercise your data rights:
Data Protection Officer
Pitchwits Ltd
16b Elsham Road, London W14 8HA
Email: privacy@pitchwits.com
See also our Terms of Service, Cookie Policy, and AI Transparency page.