Words Left

Privacy Policy

Last updated: March 2026

What we collect

  • Encrypted message content (unreadable by us — client-side AES-256-GCM)
  • Sender and recipient email addresses (server-side encrypted — needed for safety checks and delivery)
  • Social profile URLs you provide (for activity monitoring)
  • Timer settings, delivery preferences, and message lifecycle timestamps (phase transition records used for safety verification — these contain no personal information or message content)
  • IP addresses (for rate limiting only, deleted after 24 hours)

What we cannot access

  • Your message content (encrypted client-side, we never have the key)
  • Your passphrase or edit code (stored as one-way hashes)
  • Links you include in your message

How we use your data

Email addresses are used solely to operate the platform: sending safety check emails, consent requests, and delivering messages. We do not sell, share, or use your data for any other purpose.

Email delivery is provided on a best-effort basis. We are not responsible for emails blocked by spam filters, ISP restrictions, or third-party email service outages. Users should ensure recipients are aware they may receive correspondence from Words Left.

Data retention

Messages are stored until delivered and opened, or until deleted by the sender. If all recipients decline (or none have consented) and 1 year has passed since message creation, the message and all associated data are automatically and permanently deleted.

Cookies

We use only essential cookies required for the site to function. No analytics, no tracking, no third-party cookies.

Legal basis for processing

Under the General Data Protection Regulation (GDPR), we process personal data on the following legal bases:

  • Consent — When you voluntarily create a message and provide email addresses for delivery
  • Legitimate interest — To operate and maintain the platform, including safety checks and delivery mechanisms
  • Legal obligation — To comply with applicable laws and respond to lawful requests from authorities

Your rights

Under GDPR, CCPA, and similar data protection regulations worldwide, you have the following rights:

  • Right of access — Request a copy of the personal data we hold about you
  • Right to rectification — Request correction of inaccurate personal data
  • Right to erasure — Request deletion of your personal data (you can do this directly using your edit code)
  • Right to data portability — Receive your data in a structured, machine-readable format
  • Right to restriction — Request limitation of processing of your personal data
  • Right to object — Object to the processing of your personal data
  • Right to withdraw consent — Withdraw your consent at any time by deleting your message
  • Right to lodge a complaint — File a complaint with a supervisory authority in your jurisdiction

To exercise any of these rights, contact us at wordsleft@protonmail.com. We will respond within 30 days.

International data transfers

Words Left is a globally accessible service. Your data may be processed in the United States through our infrastructure providers (Vercel and Supabase). These transfers are conducted in compliance with applicable data protection laws, including the use of standard contractual clauses where required. All message content remains end-to-end encrypted regardless of where it is stored or processed.

Children's privacy

Words Left is not directed at individuals under the age of 13. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. Users must be at least 18 years old to use the platform. If we become aware that we have collected data from a child under 13, we will delete it promptly.

California privacy rights

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

  • Right to know — What personal information we collect and how it is used
  • Right to delete — Request deletion of your personal information
  • Right to opt out of sale — We do not sell your personal information to any third party
  • Right to non-discrimination — We will not discriminate against you for exercising your privacy rights

Turkey — KVKK rights

If you are located in Turkey, the Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu — KVKK, Law No. 6698) grants you the following rights under Article 11:

  • Right to learn — Whether your personal data is being processed
  • Right to access — Request information about processed data and its purposes
  • Right to know recipients — Learn to which third parties your data has been transferred domestically or abroad
  • Right to rectification — Request correction of incomplete or inaccurate data
  • Right to erasure — Request deletion or destruction of your personal data
  • Right to object — Object to outcomes arising from automated processing of your data that produce adverse results
  • Right to compensation — Claim damages if your data is processed in violation of the law

Data controller: Words Left (wordsleft@protonmail.com). We process personal data on the basis of explicit consent (KVKK Art. 5) and legitimate interest necessary to operate the platform. International data transfers to the United States (Vercel, Supabase) are conducted in compliance with KVKK Article 9.

To exercise your KVKK rights, contact us at wordsleft@protonmail.com. You may also file a complaint with the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) at kvkk.gov.tr.

Data breach notification

In the event of a data breach that may affect your personal information, we will notify affected users within 72 hours of becoming aware of the breach, in compliance with GDPR and applicable state laws. Due to end-to-end encryption, a server breach would not expose message content — only encrypted data and metadata would be at risk.

Data controller

Words Left is operated by an individual data controller. For the purposes of GDPR and applicable data protection laws, the data controller is:

Words Left
Contact: wordsleft@protonmail.com

If you are located in the EU/EEA and wish to lodge a complaint with a supervisory authority, you may contact your local Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu.

Contact

For privacy-related inquiries, data protection requests, or to exercise your rights: wordsleft@protonmail.com

We will respond within 30 days.