Legal · Version 1.0

Privacy Notice

How Wren collects, uses and protects your personal data under UK GDPR, including exactly how the AI tools handle what you type.

Effective 1 January 2026

01

About this notice

This notice tells you how Wren collects, uses and protects personal data. We are the data controller for the personal data you provide when you use planwithwren.com.

The data controller is Wren Ltd, registered in England and Wales. You can reach our data protection contact at hello@planwithwren.com.

02

What data we collect

  • Account information: your name, email address, and password hash. Optionally a phone number, company name and professional membership number if you provide them.
  • Site searches and saved boundaries: the addresses you look up and the polygons you draw on the map. Used to deliver the service and to help you continue where you left off.
  • Drafted documents: planning statements, design and access statements and other documents we prepare for your application.
  • Payment metadata: transaction IDs and the last four digits of your card. Full card details are handled by Stripe and never touch our servers.
  • Support communications: emails, contact form submissions, and any other messages you send us.
  • Technical data: IP address, user agent, and session cookies required to keep you logged in.
03

Legal bases

Under UK GDPR Article 6 we rely on the following bases:

  • Contract performance, to deliver the service you have asked us to deliver, including preparing and submitting your planning application.
  • Legitimate interests, for service quality, security, fraud prevention, and aggregate analytics. We balance these interests against your privacy rights and only proceed where the impact on you is minimal.
  • Consent, for marketing communications. You can withdraw consent at any time from the email footer or by emailing us.
  • Legal obligation, to keep financial records for the period required by HMRC and to comply with court orders or regulatory requests.
04

AI processing

When you use Ask Wren or generate a draft document, the text you input is sent to Anthropic's Claude API for inference under their commercial terms. We have a data processing agreement with Anthropic that prohibits the use of your inputs and outputs to train their models.

Anthropic retains inputs and outputs for a limited period for abuse monitoring and operational support, after which they are deleted in line with Anthropic's published retention policy. We do not send personally identifying details into prompts where they are not required for the task.

If you would prefer not to have your inputs processed by a third-party AI provider, you can avoid using Ask Wren and the AI drafting tools. Manual planning consultancy is available on request via hello@planwithwren.com.

05

Who else processes your data

We use the following processors to deliver the service:

  • Anthropic, AI inference for Ask Wren and document drafting.
  • Supabase, database hosting and authentication.
  • Stripe, payments and card processing.
  • Resend, transactional email delivery.
  • Cloudflare, content delivery and inbound email routing.
  • Vercel, application hosting and edge delivery.

Each of these processors operates under a data processing agreement with us and is contractually limited to processing your data only as instructed.

06

International transfers

The UK and the EU benefit from a mutual adequacy decision, so transfers between them are not restricted. Some of our processors are based in the United States, including Anthropic, Stripe, Vercel and Cloudflare. Transfers to the US take place under the International Data Transfer Agreement or Standard Contractual Clauses approved by the Information Commissioner's Office, with additional safeguards where necessary.

07

Retention

  • Account data: kept while your account is active. After closure, we retain financial records for six years to meet HMRC requirements.
  • Ask Wren and chat queries: ninety days, after which they are deleted from our active systems.
  • Drafted documents: retained indefinitely while your account is active so you can return to past applications.
  • Server logs: retained for ninety days for security and operational diagnostics.
08

Your rights

Under UK GDPR you have the following rights:

  • Access to the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure of your data where the legal basis no longer applies.
  • Restriction of processing in certain circumstances.
  • Data portability for data you provided to us.
  • Objection to processing based on legitimate interests.
  • Withdrawal of consent for marketing communications.

To exercise any of these rights, email hello@planwithwren.com. We will respond within one month and may ask you to verify your identity before acting on the request.

09

Complaints to the ICO

If you believe we have mishandled your personal data, you can complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113. We are registered with the ICO; our registration number is published in our footer once the registration is finalised.

10

Cookies

We use a single essential session cookie to keep you logged in. We do not use third-party tracking cookies, advertising cookies, or marketing pixels.

Analytics, where used, are server-side and aggregate. We do not build behavioural profiles of individual users.

11

Changes to this notice

We may update this notice from time to time. Material changes will be communicated by email at least thirty days before they take effect. The effective date at the top of this page tells you when the current version came into force.

12

Contact

Privacy questions, subject access requests, and complaints: hello@planwithwren.com.