Privacy Policy

Last updated: 9 April 2026

1. Introduction

Outlain ("we", "us", "our") operates the outlain.ai platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website and services.

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy legislation worldwide.

2. Data controller

The data controller responsible for your personal data is Outlain. For privacy-related enquiries, contact us at outlain.ai/about/contact.

3. Data we collect

3.1 Data you provide directly

  • Account data: name, email address, password (hashed), and organisation name when you sign up
  • Payment data: billing information processed by our payment provider. We do not store credit card numbers
  • Content data: documents, transcripts, notes, URLs, and other materials you upload to your projects
  • Communications: messages you send via chat, the assistant, or support channels

3.2 Data collected automatically

  • Usage data: features used, spec generations, exports, and actions taken within the platform — used for billing and to improve the product
  • Technical data: IP address, browser type, operating system, device information, and access timestamps from server logs
  • Cookies: essential authentication cookies and a consent preference cookie. See our Cookie Policy for details

3.3 Data we do not collect

  • We do not use advertising trackers or social media pixels
  • We do not sell, rent, or trade your personal data to third parties
  • We do not collect sensitive personal data (racial or ethnic origin, political opinions, health data, etc.) unless you voluntarily include it in uploaded content

4. How we use your data

| Purpose | Legal basis (GDPR) |
| --- | --- |
| Provide and operate the platform | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Generate specs, themes, and analyses from your uploaded content | Performance of contract |
| Track usage for billing and quota enforcement | Legitimate interest |
| Send transactional emails (confirmation, password reset) | Performance of contract |
| Improve and develop the platform | Legitimate interest |
| Prevent fraud and enforce terms of service | Legitimate interest |
| Comply with legal obligations | Legal obligation |

5. AI and automated processing

Outlain uses third-party AI services to process your uploaded content — extracting themes, generating specifications, performing searches, and powering the assistant. Your content is sent to these providers for processing.

  • Our AI providers do not use your data to train their models
  • Content is processed and discarded — it is not stored by AI providers beyond the duration of the request
  • Our subprocessor list is available on request

No automated decisions with legal or similarly significant effects are made based solely on automated processing of your personal data.

6. Third-party service providers

We share data with the following categories of providers, solely for the purposes described:

| Category | Purpose | Data shared |
| --- | --- | --- |
| Infrastructure provider | Database, authentication, storage | Account data, content, usage records |
| Payment processor | Billing and subscriptions | Email, billing details |
| AI providers | Content analysis and processing | Uploaded content (for processing only) |
| Email delivery provider | Transactional emails | Email address |

We require all third-party providers to process data in accordance with applicable data protection laws. We do not sell personal data to any third party. A full list of named providers is available on request via our Subprocessors page.

7. Data retention

  • Account data: retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Content data: retained for as long as your account is active. You can delete individual documents, projects, or specs at any time — deletion is permanent.
  • Usage records: retained for 12 months for billing reconciliation, then aggregated and anonymised.
  • Server logs: retained for 90 days for security and debugging purposes.
  • Payment records: retained as required by tax and accounting laws (typically 7 years).

8. Data security

We use reasonable administrative, technical, and physical safeguards to protect your information, including:

  • All data is encrypted in transit and at rest
  • Passwords are hashed using industry-standard algorithms
  • Authentication uses secure session tokens
  • Database-level isolation prevents cross-user data access
  • Payment data is handled entirely by our payment processor — we never store card details

9. International data transfers

Our service providers may process data outside the European Economic Area (EEA) or the United Kingdom. Where data is transferred internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all sub-processors
  • Adequacy decisions where applicable

10. Your rights

Depending on your location, you may have the following rights regarding your personal data:

Under GDPR (EU/UK residents)

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure: request deletion of your personal data ("right to be forgotten")
  • Right to restriction: restrict processing of your data in certain circumstances
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: where processing is based on consent, withdraw at any time
  • Right to lodge a complaint: with your local data protection supervisory authority

Under CCPA/CPRA (California residents)

  • Right to know: what personal information is collected, used, and disclosed
  • Right to delete: request deletion of personal information
  • Right to opt out: of the sale or sharing of personal information. Note: we do not sell personal information.
  • Right to non-discrimination: for exercising your privacy rights

How to exercise your rights

To exercise any of these rights, contact us at outlain.ai/about/contact. We will respond within 30 days (GDPR) or 45 days (CCPA). You can also delete your content directly within the platform at any time.

11. Children's privacy

Outlain is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The "last updated" date at the top of this page indicates the most recent revision. Continued use of Outlain after changes constitutes acceptance of the updated policy.

13. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Outlain
Privacy enquiries: outlain.ai/about/contact
