Privacy Policy
Last updated: 14 April 2026
1. Who we are
Meet Wendy LTD ("Wendy", "we", "us", "our"), a company registered in England and Wales (company number 17178110), operates the Wendy personal AI assistant service available at app.meetwendy.co.uk and via the Wendy mobile and desktop applications.
We are the data controller for personal data processed under this policy. Our data protection contact is hello@meetwendy.co.uk.
2. What data we collect
Account data
When you create an account, we collect:
- Your email address
- Your name (if provided via Google sign-in)
- Your profile picture URL (if provided via Google sign-in)
- Your account creation date and last sign-in date
Usage data
As you use Wendy, we collect:
- The messages you send to Wendy and the responses Wendy gives you
- Items you save (films, restaurants, books, holidays, and similar)
- Reminders you set and their completion status
- Settings and preferences (morning brief time, language, theme)
- Feature usage patterns (which tools you use, not the content)
- Device type, operating system, and app version
- IP address (for security and fraud prevention, not for advertising)
Google Calendar and Gmail data
If you choose to connect your Google account, we access:
- Google Calendar: your calendar events (title, time, description, attendees) so Wendy can help you manage your schedule and find free time
- Gmail: email subjects and sender details to identify bills, order confirmations, and relevant events. We do not read the full body of emails unless you explicitly share content with Wendy in a conversation
Google OAuth tokens are encrypted with AES-256-GCM before storage. You can disconnect your Google account at any time from Settings.
Payment data
If you subscribe to Wendy Plus or Pro, payment is processed by Stripe. We store only a tokenised reference to your payment method and your Stripe customer ID. We never see or store your full card number, CVV, or expiry date.
AI conversation data
The messages you send to Wendy are processed by Anthropic's API to generate responses. These messages may include personal information you choose to share. See section 6 (who we share data with) for details of how Anthropic handles this data.
Voice data
If you use voice input, your speech is converted to text using a speech processing service and sent to our API to generate a response. Text-to-speech audio is generated by ElevenLabs from the text of Wendy's responses.
3. Why we collect it and our legal basis
| Purpose | Data used | Legal basis (UK GDPR) |
|---|---|---|
| Providing the Wendy service | Account data, conversation data, Google data | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Payment data, email address | Contract performance (Art. 6(1)(b)) |
| Remembering your preferences and personalising your experience | Usage data, preferences, conversation patterns | Legitimate interests (Art. 6(1)(f)) |
| Security, fraud prevention, and service integrity | IP address, device data, account data | Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails (billing confirmations, security alerts) | Email address | Contract performance (Art. 6(1)(b)) |
| Sending product update emails (new features, tips) | Email address | Legitimate interests (Art. 6(1)(f)) with right to opt out |
| Complying with legal obligations (VAT records, GDPR requests) | Account data, billing data | Legal obligation (Art. 6(1)(c)) |
| Improving Wendy with your explicit permission | Anonymised conversation patterns | Consent (Art. 6(1)(a)) |
4. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account, then 30 days |
| Conversation history | Until you delete your account, then 30 days |
| Saved items (films, restaurants, etc.) | Until you delete them or your account |
| Billing records | 7 years (UK tax law requirement) |
| Google OAuth tokens | Until you disconnect Google or delete your account |
| Security audit logs | 12 months |
| Push notification tokens | Until you sign out on the device or delete your account |
5. Cookies and local storage
We use a small number of cookies and browser storage items to make Wendy work. We do not use advertising cookies or tracking cookies, and we do not sell your data to advertisers. Full details are in our Cookie Policy.
6. Who we share data with
We do not sell your data. We share it only with the service providers we need to run Wendy:
| Provider | Purpose | Data transferred | Location |
|---|---|---|---|
| Supabase / AWS | Database, authentication, and file storage | All account and usage data | EU (Frankfurt) |
| Anthropic | AI response generation (Claude API) | Your messages to Wendy and relevant context | USA (Standard Contractual Clauses apply) |
| Google (OAuth) | Calendar and Gmail access | OAuth tokens | USA (Standard Contractual Clauses apply) |
| ElevenLabs | Text-to-speech for Wendy's voice | Text of Wendy's responses | USA (Standard Contractual Clauses apply) |
| Stripe | Payment processing and subscription management | Email address, payment method token | USA / EU (Standard Contractual Clauses apply) |
| Vercel | Web hosting and serverless functions | Request logs (IP, user-agent), processed transiently | EU / USA (Standard Contractual Clauses apply) |
| Railway | API hosting | Request logs, processed transiently | USA (Standard Contractual Clauses apply) |
| Resend | Transactional email delivery | Email address and email content | USA (Standard Contractual Clauses apply) |
We may also disclose data where required by law, court order, or to protect the rights and safety of Wendy, our users, or others.
7. International transfers
Some of our service providers are based outside the UK and European Economic Area, including in the United States. Where we transfer personal data outside the UK, we rely on one of the following safeguards:
- UK adequacy regulations (where applicable)
- UK International Data Transfer Agreements (IDTA) or EU Standard Contractual Clauses (SCCs)
- The provider's participation in an approved certification framework
You can request a copy of the relevant transfer safeguards by emailing hello@meetwendy.co.uk.
8. Your rights under UK GDPR
Under UK data protection law you have the following rights:
Right of access
You can request a copy of all personal data we hold about you. We will respond within one month.
Right to rectification
You can ask us to correct inaccurate data or complete incomplete data.
Right to erasure ("right to be forgotten")
You can ask us to delete your personal data. We will do so within 30 days, except where we are required by law to retain it (such as billing records for 7 years).
Right to data portability
You can ask us to provide your data in a structured, commonly used, machine-readable format (JSON) so you can transfer it to another service.
Right to object
You can object to processing based on legitimate interests at any time. We will stop processing unless we have compelling legitimate grounds that override your rights.
Right to restriction
You can ask us to restrict processing in certain circumstances, for example while we investigate an accuracy dispute.
Right to withdraw consent
Where we rely on consent (for example, for product improvement), you can withdraw it at any time without affecting the lawfulness of earlier processing.
How to exercise your rights
Email hello@meetwendy.co.uk with your request. We may ask you to verify your identity before we act on a request. We respond within one month; where requests are complex or numerous, we may extend this by a further two months and will tell you why.
Right to complain
If you believe we have mishandled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Security
We take security seriously:
- All data is encrypted in transit using TLS 1.2 or higher
- Google OAuth tokens and sensitive credentials are encrypted at rest using AES-256-GCM
- Row-level security (RLS) is enforced on all database tables so users can only access their own data
- We operate an audit log for all sensitive actions (authentication events, data access, changes to integrations)
- We run dependency scans on every code change via our CI pipeline
- We never store card numbers, CVV codes, or other payment credentials
In the event of a data breach that is likely to affect your rights or freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay.
10. Children's data
Wendy is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has created an account, please email hello@meetwendy.co.uk and we will delete the account promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will tell you about material changes by email (if you have an account) and by updating the "Last updated" date at the top of this page. Continued use of Wendy after a material change constitutes acceptance of the updated policy.
12. Contact and DPO details
For any privacy-related questions or to exercise your rights:
- Email: hello@meetwendy.co.uk
- Company: Meet Wendy LTD, a company registered in England and Wales (company number 17178110). Registered office: MEET WENDY LTD, Unit 168041, Courier Point, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FH, UK. Contact: hello@meetwendy.co.uk.
We aim to respond to all privacy enquiries within two business days.
Governing law: This Privacy Policy is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.