A. Introduction and Scope
This Privacy Policy aims to explain how Aspire Beyond 50 collects, uses, processes, and protects personal data. This policy applies to all users of the website and services, covering residents of the UK, EU, and the United States. Aspire Beyond 50 is committed to protecting user privacy and complying with all applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA) and its subsequent amendments, the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), and the Connecticut Data Privacy Act (CTDPA).
This Privacy Policy must be clear, concise, transparent, easy to understand, and accessible. Users should be able to access this policy free of charge.
B. Information We Collect (Categories, Sources, and Purposes)
Categories of Personal Data:
● Information You Provide Directly: Includes contact information (name, email address), account credentials, payment information (processed by third-party payment processors like Stripe; we do not store it directly), user input (text used to generate tweets), and communication data (e.g., support emails).
● Information We Collect Automatically: Includes IP addresses, device information, usage data (e.g., how the service is used, features accessed, interactions with AI), and data collected through cookies and similar technologies.
● Information We Receive from Third Parties: When you choose to create an account or log in using "Google Sign-In," we receive personal data from Google, including your name, email address, and profile picture. We use this information to create and authenticate your account.
Data Sources: Data is collected directly from users, through website interactions, and from third-party service providers (e.g., payment processors, authentication services, analytics tools).
Purposes of Collection:
● To provide and maintain the service (e.g., AI tweet generation, account management).
● To process payments and subscriptions.
● To improve and develop the service (e.g., training AI models using anonymized or de-identified usage data).
● For security, fraud prevention, and to combat abuse.
● To communicate with users (e.g., providing support, sending updates).
● To comply with legal obligations.
UK GDPR and EU GDPR emphasize the principle of data minimization, meaning only personal data that is adequate, relevant, and necessary should be collected. This contrasts with some US laws (like UCPA) that do not restrict data collection, but these laws still require transparency. For AI services, the "purpose" of data collection also includes improving AI models. Therefore, the policy must clearly articulate the reasons for collecting data (especially user input and usage data), explicitly including its use for AI model improvement. This use should be based on legitimate interests or contractual necessity, and users should be informed that their input may contribute to AI learning in an anonymized or de-identified manner. This is a critical point for AI service transparency, as users need to understand that their interactions and content may be used to optimize the AI.
C. How We Use Your Information (Legal Basis for Processing)
Aspire Beyond 50 processes personal information primarily on the following legal bases:
● Contractual Necessity: Processing data to fulfill the service agreement with users, such as managing subscriptions and delivering tweet drafts.
● Legitimate Interests: Processing data for legitimate business interests, such as improving services, preventing fraud, ensuring the security and integrity of our services (e.g., processing IP addresses to prevent abuse), and direct marketing (from which users can opt out).
● Consent: Where required by law (e.g., for the use of certain non-essential cookies, or for processing sensitive data in some US states), we will obtain explicit user consent.
● Legal Obligation: Processing data to comply with legal and regulatory requirements.
D. How We Share Your Information (Third Parties and International Transfers)
We do not sell your personal data. We share your data only with trusted third-party service providers who act as our "data processors" to help us operate and improve our services. These providers are contractually bound to protect your data and may only use it for the specific purposes we have instructed. Details of our key service providers are below:
| Service Provider | Purpose | Key Data Processed | Processing Location | Data Transfer Safeguard |
| Stripe | Payment Processing | Payment Information, Contact Information | Primarily USA | EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs) |
| Resend | Transactional Email Delivery | Email Address, Email Content | USA | EU-U.S. Data Privacy Framework (inc. UK Extension) |
| Upstash | Cloud Database & Infrastructure | User-provided Content, Account Info, IP Address Logs | USA | Standard Contractual Clauses (SCCs), Robust Security Measures |
| Google | User Authentication (Sign-In) | Name, Email Address, Profile Picture (as data source) | Global | Google's Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) |
| Vercel / Supabase | Cloud Hosting & Infrastructure | All service data, including personal data and IP address logs | USA / EU (depending on config) | Standard Contractual Clauses (SCCs), Data Processing Addenda (DPAs) |
International Transfers: As our services and third-party providers are global, your personal data may be transferred to countries outside of your own, including the United States. When we transfer data from the UK/EU to other countries, we ensure appropriate safeguards are in place, such as relying on European Commission adequacy decisions, Standard Contractual Clauses (SCCs), or Data Privacy Framework (DPF) certification, to ensure your data receives the same level of protection as it does within the UK/EU.
E. Data Retention
Retention Period: We will clearly state the retention period for personal data based on the criteria used to determine it (e.g., time needed to provide the service, time needed to fulfill legal/tax obligations, or legally required time).
● Account Data: We retain your account information for as long as your account is active to provide you with services. After you close your account, we will retain some information as required by law or for legitimate business purposes such as resolving disputes or enforcing our agreements.
● IP Address Logs: For security and anti-abuse purposes, we collect and store the IP addresses of users interacting with our service. This data is retained for a maximum of 30 days on a rolling basis, after which it is automatically deleted from our active systems. This retention period is necessary to investigate security incidents and protect the integrity of our platform.
Deletion: Once data is no longer needed, we will securely delete or anonymize it. You may request the deletion of your personal data, including your IP address, by emailing support@aspirebeyond50.uk.
F. Your Rights (UK GDPR, EU GDPR, CCPA, VCDPA, CPA, UCPA, CTDPA)
Aspire Beyond 50 is committed to safeguarding users' rights regarding their personal data. Depending on your jurisdiction, you may have the following key rights:
General Rights (Common Across Jurisdictions):
● Right to Access: The right to know what personal data we have collected and to obtain a copy.
● Right to Rectification: The right to correct inaccurate personal data.
● Right to Erasure: The right to request the deletion of your personal data.
● Right to Data Portability: The right to receive your data in a structured, commonly used, machine-readable format and to transmit it to another data controller.
Specific Jurisdictional Rights and Nuances:
● UK GDPR / EU GDPR: Includes the right to restriction of processing, the right to object to processing (including for direct marketing), and rights related to automated decision-making and profiling. In particular, you have the right to object when we process your data based on "legitimate interests" (e.g., processing your IP address for security purposes). We will stop processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
● CCPA (California): The right to opt out of the sale or sharing of personal information; requires a "Do Not Sell or Share My Personal Information" link. Also includes the right to non-discrimination.
● VCDPA (Virginia): The right to opt out of targeted advertising, the sale of personal data, or profiling. Requires opt-in consent for processing sensitive data.
● CPA (Colorado): The right to opt out of targeted advertising, the sale of personal data, or profiling. Requires the use of a universal opt-out mechanism (e.g., GPC). Requires opt-in consent for processing sensitive data and for "secondary use."
● UCPA (Utah): The right to opt out of the sale of personal data and targeted advertising. Generally adopts an opt-out model, except for children's data.
● CTDPA (Connecticut): The right to opt out of the sale of personal data, targeted advertising, and profiling. Requires opt-in consent for processing sensitive data. Specific provisions for minors' data (under 16).
Exercising Rights: This policy will provide clear instructions on how users can exercise their rights, including contact information and identity verification procedures.
Response Time: This policy will state typical response times (e.g., 45 days, extendable to 90 days, as per some US laws).
G. Data Security Measures
Aspire Beyond 50 will implement reasonable administrative, technical, and physical security safeguards to protect personal data from unauthorized access, disclosure, alteration, or destruction. However, users should understand that no security system is impenetrable, and transmitting data over the internet carries inherent risks.
H. Children's Privacy (COPPA Applicability Note)
Aspire Beyond 50's service is explicitly aimed at users aged 50 and above. Our service is not directed at children under 13, and we do not knowingly collect personal information from children under 13. In the US, the Children's Online Privacy Protection Act (COPPA) applies to websites that may be accessed by children. COPPA applies not only to websites "directed at" children but also to general audience websites that have "actual knowledge" of collecting data from children under 13. Even unintentional non-compliance can lead to severe penalties. Therefore, we explicitly state that if we discover we have inadvertently collected such information, we will take immediate steps to delete it.
I. Policy Changes and Contact Information
Updates: Aspire Beyond 50 will notify users of any changes to the Privacy Policy by posting updated versions on the website or via email.
Contact: Users with any privacy-related questions or wishing to exercise their rights can contact Aspire Beyond 50 at support@aspirebeyond50.uk.
Complaints: Users have the right to lodge a complaint with the relevant supervisory authority (e.g., the UK Information Commissioner's Office (ICO), local EU data protection authorities, or US State Attorneys General).