Menu Close
Close
Get in touch

Privacy policy

Last updated: 24 May 2026

Rembrandt Editor is a trauma-informed content review service run by Trauma-Informed Content Consulting. This policy explains what data we collect when you use it, what we do with that data and the rights you have over it. It’s written to be readable. If anything is unclear, email us and we’ll explain.

Who we are

Rembrandt Editor is operated by Trauma-Informed Content Consulting, a trading name of Bankside Communications Limited, a limited company registered in England and Wales (company number 14193570), trading as Trauma-Informed Content Consulting. Our registered office is Pearce & Co, Ground Floor, 11 Pierrepont Street, Bath, England, BA1 1LA.

For the purposes of UK GDPR and the Data Protection Act 2018, Bankside Communications Limited is the data controller. 

What data we collect

When you create an account, we collect your email address. That’s how we sign you in (via a magic link sent to your inbox) and how we identify your account.

When you submit content for review, we send the content you paste or upload (including any PDF) and any reviewer notes you provide to our content-review processor (Anthropic — see below). We do not store the content itself in our database. Once the review is generated and returned to your browser, the content is no longer retained on our systems.

When a review completes, we log a small set of metadata to our database: your user ID, the timestamp, the jurisdiction selected, the number of tokens used by the review (a measure of length) and the calculated cost in GBP. We do not store the content of the review or its result. This metadata exists so we can enforce per-user usage limits, monitor the cost of running the service and respond to support questions.

When you upgrade to a paid plan, our payment processor (Stripe — see below) collects the information needed to bill you: your name, billing address and payment card details. You billing address is collected solely for tax compliance under UK GDPR Article 6(1)(c), a legal obligation, and is retained only for the period required by HMRC (six years for VAT records). We do not see or store your card details. Stripe sends us a confirmation that payment succeeded, the amount and a reference number for your subscription. We use that to update your plan in our database.

When you use the service, our hosting provider (Vercel — see below) records standard server logs: IP address, browser type, and the pages or API endpoints requested. These logs are used for security, abuse detection, and diagnosing technical problems.

What we do with your data

We use the data above only to:

  • Provide the content review service you’ve asked for
  • Identify you when you sign in
  • Enforce the usage limits of your plan
  • Bill you (if you’re on a paid plan)
  • Send service emails (sign-in links, billing receipts, occasional product updates if you’ve consented)
  • Monitor the cost and performance of the service
  • Detect and respond to abuse or security incidents
  • Meet our legal obligations (accounting records, responding to lawful requests from authorities)

We do not sell your data. We do not share it with advertisers. We do not use it to train AI models.

Who we share your data with

We use the following processors to operate the service. Each handles only the data necessary for their specific role.

Anthropic, PBC (United States) — Anthropic provides the AI model that generates reviews. Content you submit for review is sent to Anthropic via its API. Under Anthropic’s commercial terms, your content is not used to train Anthropic’s models and is retained by Anthropic for a maximum of 30 days for abuse detection, after which it is deleted. Anthropic’s privacy policy: https://www.anthropic.com/legal/privacy. Data is transferred to the United States under Standard Contractual Clauses.

Supabase, Inc. (United States, with EU hosting) — Supabase provides our database and authentication infrastructure. Your account data and review metadata are stored in Supabase’s EU region (Ireland). Supabase’s privacy policy: https://supabase.com/privacy.

Vercel, Inc. (United States) — Vercel hosts the Rembrandt Editor application and serves it from edge locations close to users. Server logs and function execution records are held by Vercel. Vercel’s privacy policy: https://vercel.com/legal/privacy-policy. Data is transferred to the United States under Standard Contractual Clauses.

Resend, Inc. (United States) — Resend sends the magic-link emails we use to sign you in. Resend processes your email address and the content of those emails. Resend’s privacy policy: https://resend.com/legal/privacy-policy. Data is transferred to the United States under Standard Contractual Clauses.

Stripe, Inc. (United States/Ireland) — When you subscribe to a paid plan, Stripe handles the payment. Stripe collects and stores your billing details and card information directly; we do not see your card details. Stripe’s privacy policy: https://stripe.com/privacy. Stripe’s UK and EU operations are run from Stripe Payments Europe Ltd, based in Ireland.

Cloudflare, Inc. (United States) — Cloudflare provides DNS services and (where enabled) protection against denial-of-service attacks. Cloudflare may briefly process IP addresses and request metadata. Cloudflare’s privacy policy: https://www.cloudflare.com/privacypolicy/.

We will update this list if we add or change processors.

How long we keep your data

  • Account data (email, plan, account creation date): kept while your account is active, and for up to 30 days after you delete it, after which it is permanently removed.
  • Review metadata (user ID, timestamps, token counts, cost): kept for up to 24 months, after which it is anonymised or deleted. Aggregated, non-identifying figures may be retained longer for capacity planning.
  • Content submitted for review: not stored by us. Held by Anthropic for up to 30 days for abuse detection (see above).
  • Billing records (invoices, payment confirmations): retained for 7 years to meet UK tax and accounting requirements (HMRC).
  • Server logs (Vercel, Cloudflare): typically 7-30 days, depending on the provider’s standard retention.

Your rights

Under UK GDPR you have the right to:

  • Know what data we hold about you. Email us and we’ll send you a copy.
  • Correct inaccurate data. Email us with the correction.
  • Delete your data. You can delete your account at any time. We’ll permanently remove your data within 30 days, except where we’re legally required to keep some of it (e.g. billing records).
  • Restrict or object to processing. Email us with the request.
  • Port your data to another service. Email us and we’ll provide an export in a standard format.
  • Withdraw consent for any processing you’ve consented to.
  • Complain to the Information Commissioner’s Office (ICO) if you think we’ve handled your data unlawfully: https://ico.org.uk/concerns/.

To exercise any of these rights, email privacy@rembrandteditor.com. We aim to respond within 14 days.

Cookies and local storage

We use a small number of cookies and local-storage items, all functional:

  • Authentication tokens (set by Supabase): keep you signed in between visits. Cleared when you sign out.
  • Dismissal preferences (set in your browser’s local storage): remember which welcome notices you’ve dismissed so we don’t show them again.

We do not use analytics cookies, advertising cookies, or third-party tracking pixels. There is no cookie banner because we don’t set any cookies that require consent under UK GDPR or the Privacy and Electronic Communications Regulations.

Security

We use HTTPS for all connections to Rembrandt Editor. Authentication is handled via Supabase, which encrypts session tokens. Database access is restricted by Row Level Security — users can only read their own data. Our staff do not have routine access to user accounts or review metadata.

In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours of becoming aware, in line with our legal obligations.

Children

Rembrandt Editor is intended for use by adults working professionally with content. We do not knowingly collect data from children under 18. If you become aware that a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this policy when we change how the service works, add or remove processors, or in response to changes in the law. We’ll update the date at the top of the page. If the changes are material, we’ll email you in advance.

Contact

Questions about this policy, or requests relating to your data:

Email: privacy@rembrandteditor.com Post: Bankside Communications Limited, Pearce & Co, Ground Floor, 11 Pierrepont Street, Bath, England, BA1 1LA

You can also reach us through the Rembrandt Editor feedback form, accessible from the navigation menu when signed in.