Legal

Privacy policy

Last updated: 2026-05-27 · Effective: 2026-05-27
This is the privacy policy for the Trend Co-Pilot closed beta. A formal v1.0 will ship with our public launch — we'll email account holders before any material change.

On this page

Overview

Trend Co-Pilot is a SaaS platform for publishers. To run the service, we process two kinds of data: the content you generate (trends, prompts, articles, images) and the personal data tied to your account (email, profile, login activity).

This page explains, in plain English, what we collect, why we collect it, how long we keep it, who else touches it, and the rights you have over it. If anything here is unclear, write to us at privacy@trend-copilot.com.

Data we collect

Account data

  • Email address
  • Hashed password (bcrypt — we never see the plaintext)
  • Two-factor authentication settings and recovery codes
  • Publisher profile: organisation name, role, site URL, country

Usage data

  • Articles you generate, including their drafts and revisions
  • Publisher sites you connect (WordPress endpoints, credentials stored encrypted)
  • Persona configurations: tone, voice, structure, category mappings
  • Login activity (timestamps, IP at login)

Content data

  • Trends you view, bookmark, or discard
  • Prompts sent to LLM providers on your behalf
  • Generated articles, stored in our database
  • Images you generate or upload, stored on our server filesystem

Technical data

  • IP address at signup and at session creation
  • Session cookie identifier
  • Basic browser metadata (user agent, language)

What we do not collect

  • Payment card data — beta uses manual invoicing, no card on file
  • Reader data on your published WordPress posts — we never see your audience
  • Biometric data
  • Precise geolocation beyond country-level IP inference

How we use it

  • Running the service. Authentication, article generation, publishing to your WordPress sites.
  • Improving generation quality. Anonymised, aggregated patterns help us tune prompts and surface failure modes. We do not train models on your articles.
  • Security. Rate-limiting, abuse detection, audit logs, fraud signals.
  • Legal compliance. Responding to lawful requests and meeting our statutory obligations.

Third-party processors

The service depends on the following providers. Prompts and outputs transit these vendors under their own privacy terms.

LLM APIs

  • Anthropic (Claude) — primary generation
  • Google (Gemini)
  • OpenAI
  • Groq

Image generation

  • NVIDIA build.nvidia.com
  • Pollinations
  • Cloudflare Workers AI
  • Hugging Face Inference
  • Together AI
  • Google Imagen

Image search

  • Wikipedia (REST API)
  • Pexels
  • Pixabay
  • Unsplash
  • Google Custom Search

News grounding

  • trafilatura, fetching publicly accessible news URLs at generation time

Email

  • Gmail SMTP — used for one-time passwords, invites, and password resets

Hosting

  • Self-managed VPS on Hostinger. The database lives on the same server. No third-party cloud database is used during the closed beta.

Cookies

  • tcp_session — httpOnly JWT containing your session identifier. Required to be signed in.
  • tcp_csrf — non-httpOnly CSRF double-submit token. Required for state-changing requests.

We do not use analytics or advertising cookies during the closed beta.

Data retention

  • Account data: kept while your account is active, plus 90 days after deletion to honour reversal requests.
  • Generated articles: kept indefinitely unless you delete them yourself or request bulk deletion.
  • Audit and security logs: 12 months.
  • Email delivery logs (SMTP): 30 days.

You can request earlier deletion at any time by writing to privacy@trend-copilot.com.

Your rights

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Edit your profile directly, or email us for fields you cannot edit yourself.
  • Deletion. Request that we delete your account and associated data.
  • Portability. Export your articles in a machine-readable format.
  • Object to processing. Ask us to stop processing your data for a specific purpose.

If you reside in the EU, UK, or EEA, you have the rights set out in Articles 15–22 of the GDPR. You also have the right to lodge a complaint with your national data protection authority.

International transfers

Several of our processors (Anthropic, OpenAI, Google) are headquartered in the United States. When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) as the legal basis. We do not transfer data to jurisdictions without an adequate legal framework.

Children

The service is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has registered, contact us and we will close the account.

Changes to this policy

We email all account holders at least 14 days before any material change to this policy takes effect. Non-material changes (typos, clarifications, contact details) may be made without notice and are reflected in the "Last updated" date above.

Contact