How it worksPricingFree tools
Start creating

Privacy Policy

Last updated: March 2026

This policy describes how Pressmark (“we,” “us,” “our”) collects, uses, and protects your personal information when you use our website at getpressmark.com and our application at app.getpressmark.com (together, the “Service”).

The short version: We collect what we need to run the Service. Your content is yours. We send it to AI providers to power our features — they don’t train on it. We don’t sell your data. We don’t run ads. You can delete your account and your data goes with it.

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. AI Processing and Sub-Processors
  4. How We Share Your Information
  5. Cookies and Tracking Technologies
  6. Data Retention
  7. Data Security
  8. Your Privacy Rights
  9. International Data Transfers
  10. Children’s Privacy
  11. Changes to This Policy
  12. Contact Us
  13. Additional Disclosures for California Residents
  14. Additional Disclosures for European Residents

1. Information We Collect

Information You Provide

When you create an account and use Pressmark, you may provide:

  • Account information: Your name, email address, and profile details. Passwords are handled entirely by our authentication provider (Clerk) — we never see or store your password.
  • Payment information: If you subscribe to a paid plan, your payment card details are collected and processed entirely by Stripe. We receive your subscription status and billing history but never see or store your card number.
  • Writing profiles: Writing samples you provide for voice analysis. We analyze these to create a structured profile of your writing style (tone, vocabulary patterns, stylistic tendencies). The original samples and the resulting profile are stored in your account.
  • Research documents: Articles, reports, URLs, and other content you upload as research material for newsletter creation.
  • Newsletter content: The newsletters you create using the Service, including drafts, section configurations, and template selections.
  • Audience and industry profiles: Descriptions you provide about your target audience and industry, and AI-generated profiles based on those descriptions.
  • Conversations with Pressy: Your messages to Pressy (our AI co-editor), Pressy’s responses, and the results of any tools Pressy uses on your behalf during your conversation.
  • Preferences and settings: Your AI model preferences, display settings, and other configuration choices.

Information We Collect Automatically

When you use the Service, we automatically collect:

  • Usage data: Which features you use, credit consumption, AI operations performed, and general interaction patterns. We track this to provide the Service and monitor credit usage — not for advertising.
  • Security logs: IP addresses, timestamps, and request metadata logged for security monitoring and fraud prevention. IP addresses associated with security events are stored in our security event log.
  • Device and browser information: Basic technical information transmitted by your browser (user agent, screen resolution) to ensure the Service displays correctly.

Information From Anonymous Visitors

If you use our free tools on getpressmark.com without an account:

  • Hashed IP addresses: We use a one-way hash of your IP address combined with the current date to enforce daily usage limits. We never store your raw IP address for anonymous tool usage. The hash changes daily and cannot be reversed to identify you.
  • Email address: If you subscribe to our marketing list, we collect your email address via Resend.

2. How We Use Your Information

We use your information for these purposes:

  • Providing the Service: Processing your content through AI to generate newsletters, create voice profiles, analyze research, and power Pressy’s co-editing features.
  • Account management: Creating and maintaining your account, processing payments, tracking credit usage, and communicating with you about your account.
  • Security and abuse prevention: Detecting and preventing fraud, unauthorized access, and violations of our Terms of Service. This includes logging IP addresses for security events and monitoring AI usage patterns.
  • Service improvement: Understanding how features are used to improve the Service. We use aggregated, non-identifying usage patterns — not your content — for this purpose.
  • Communications: Sending transactional emails (account notifications, billing confirmations) and, if you’ve subscribed, marketing emails about Pressmark. You can unsubscribe from marketing emails at any time.
  • Legal compliance: Responding to legal requests, enforcing our terms, and complying with applicable law.

We do not use your information for advertising, profiling for third-party marketing, or any purpose unrelated to providing and improving the Service.

3. AI Processing and Sub-Processors

This is the section most people care about, so we’ll be specific.

How Your Content Reaches AI Providers

When you use Pressmark’s AI features — generating newsletters, analyzing voice, creating profiles, or chatting with Pressy — your content is sent to third-party AI providers through their commercial APIs. This is how the AI features work; there is no way to provide them without transmitting your content to these providers.

We use three AI providers:

  • Anthropic (Claude models) — our primary AI engine
  • Google (Gemini Flash) — used for real-time AI co-editing and multimodal content processing
  • OpenAI (GPT models) — supplementary, used for specific tasks

What We Send

Depending on the feature, we may send your voice profile data, research documents, newsletter drafts, audience descriptions, industry context, and conversation history to one or more of these providers as context for AI generation.

What They Do With It

None of these providers train their AI models on your data. All three contractually commit to not using data submitted through their paid commercial APIs for model training. Pressmark exclusively uses paid commercial API tiers — never free tiers, which may have different data practices.

They retain it temporarily for safety monitoring. AI providers briefly retain API data to detect misuse (such as attempts to generate harmful content). Retention periods differ:

  • Anthropic: 7 days, then automatically deleted
  • OpenAI: 30 days, then automatically deleted
  • Google (Gemini): 55 days, then automatically deleted

One provider may use anonymized data. OpenAI’s Data Processing Addendum permits them to process information derived from your data that has been fully de-identified, anonymized, and aggregated — such that it no longer constitutes personal data and cannot identify you or Pressmark — to improve their systems and services. Your raw content, identifiable information, and anything traceable to you is not used this way.

Safety exceptions apply. If content is flagged by a provider’s automated safety classifiers as potentially violating their usage policies, it may be retained longer for investigation — up to 2 years in Anthropic’s case, with safety classification scores retained up to 7 years. Data deletion timelines may also be suspended by legal processes (such as litigation holds) outside of Pressmark’s or its providers’ direct control.

All Sub-Processors

For a complete list of all service providers that process your data, including their specific roles, data categories, and DPA status, see our Sub-Processor List.

4. How We Share Your Information

We share your personal information only in these circumstances:

  • With sub-processors: As described above and in our Sub-Processor List, to operate the Service. Each sub-processor operates under a Data Processing Agreement that restricts them to processing your data solely on our instructions.
  • To comply with law: When required by law, regulation, legal process, or enforceable governmental request.
  • To protect rights and safety: To enforce our Terms of Service, protect the rights, property, or safety of Pressmark, our users, or the public.
  • With your consent: When you explicitly direct us to share information with a third party.
  • In a business transfer: If Pressmark is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not disclose your information to data brokers.

5. Cookies and Tracking Technologies

Pressmark uses a minimal set of cookies, all of which are strictly necessary for the Service to function. We do not use cookies for advertising, tracking, or analytics. For full details, see our Cookie Policy.

Current cookies:

CookieSet ByPurposeClassification
__sessionClerkShort-lived authentication tokenStrictly necessary
__clientClerkAuthentication session managementStrictly necessary
__stripe_midStripeFraud prevention device identifierStrictly necessary
__stripe_sidStripePayment session identifierStrictly necessary

Because all cookies are strictly necessary for authentication and payment security, no consent banner is required and no cookies are placed for tracking purposes.

Analytics: We use Plausible Analytics for our marketing site, which operates without cookies and does not collect personal data.

Global Privacy Control: We detect and honor Global Privacy Control (GPC) signals. When we receive a GPC signal, we treat it as a valid opt-out request. Because we do not sell or share personal information, honoring GPC does not change our data processing — but we recognize and respect the signal.

6. Data Retention

We retain your information only as long as necessary for the purposes described in this policy. Here are our specific retention periods:

Data CategoryRetention PeriodReason
Account and content data (profiles, newsletters, research, templates, audiences, industries)Duration of your account + 30 days after deletionProviding the Service; 30-day grace period for accidental deletion
AI conversation history (Pressy chats)90 days of inactivity, then auto-purgedService continuity across sessions; data minimization
Usage and security logs (including IP addresses)12 monthsSecurity monitoring; abuse prevention
Billing recordsUp to 7 years (held primarily by Stripe)Tax and legal compliance obligations
Privacy request records24 monthsLegal compliance (CCPA §999.317(b))
AI provider logs7–55 days (varies by provider)Provider safety monitoring; see Section 3
Marketing email recordsUntil you unsubscribe + suppression list maintained indefinitelyCAN-SPAM compliance requires honoring opt-outs permanently

7. Data Security

We implement technical and organizational measures to protect your information:

  • Encryption at rest: Your data is stored in an encrypted database using industry-standard encryption (AES-256).
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, enforced via HSTS headers.
  • Access isolation: Database-level access controls ensure each user can only access their own data. No user can view, modify, or delete another user’s content.
  • Authentication security: Passwords and credentials are managed entirely by Clerk, a dedicated authentication provider. We never see, store, or process your password.
  • Payment security: Payment card data is processed entirely by Stripe, which is PCI-DSS compliant. We never see or store your card number.
  • Content Security Policy: We enforce browser-level security headers to prevent cross-site scripting and other injection attacks.
  • Monitoring: We log security events (with IP addresses) to detect unauthorized access attempts.

No system is perfectly secure. If we discover a security breach that affects your personal information, we will notify you and relevant authorities in accordance with applicable law. See our Data Storage Policy for more details.

8. Your Privacy Rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate information.
  • Deletion: Request that we delete your personal information. When you delete your account, we initiate a cascade deletion across all systems — see our Data Storage Policy for the specific timeline.
  • Portability: Request your data in a structured, commonly used format. This includes your writing samples, newsletter content, research documents, profiles, and conversation history. Note: AI-derived data (such as the structured analysis within voice profiles) may not be portable, as it constitutes our proprietary analytical output rather than data you provided.
  • Opt-out of sale/sharing: We do not sell or share your personal information for advertising. If this changes, we will provide an opt-out mechanism.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

How to exercise your rights: Email privacy@getpressmark.com. We will verify your identity and respond within 30 days (or sooner if required by your jurisdiction). If we need more time for complex requests, we will let you know within the initial response period.

Authorized agents: If you designate an authorized agent to submit requests on your behalf, we will require verification of the agent’s authorization and your identity before processing the request.

For jurisdiction-specific rights, see Section 13 (California) and Section 14 (European residents).

9. International Data Transfers

Pressmark is based in the United States, and all our infrastructure is located in the United States. If you are located outside the US, your data will be transferred to and processed in the US.

For EU/EEA/UK residents: We transfer your data to the US under the EU-US Data Privacy Framework (and the UK Extension), for which Pressmark is self-certified. We also maintain Standard Contractual Clauses (SCCs) as a supplementary transfer mechanism. All our sub-processors include SCCs in their Data Processing Agreements.

Our EU Representative: As required by GDPR Article 27, we have appointed an EU Representative to serve as your local point of contact for privacy matters. Their contact details are provided in Section 14.

10. Children’s Privacy

Pressmark is not directed at children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@getpressmark.com.

11. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the “Last updated” date at the top. We encourage you to review this policy periodically.

Previous versions of this policy are available upon request.

12. Contact Us

For privacy questions, data requests, or concerns:

Email: privacy@getpressmark.com
Website: getpressmark.com/legal/privacy

For our EU Representative contact details, see Section 14.

13. Additional Disclosures for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Categories of Personal Information We Collect

CCPA CategoryExamples from PressmarkCollectedSource
A. IdentifiersName, email address, IP address, Clerk user IDYesYou; automatic collection
B. Customer RecordsBilling information, subscription statusYesYou; Stripe
D. Commercial InformationSubscription tier, credit usage, purchase historyYesYou; automatic collection
F. Internet/Network ActivityUsage logs, AI conversation history, feature interactionsYesAutomatic collection
G. GeolocationApproximate location derived from IP address (coarse, not precise)YesAutomatic collection
I. Professional InformationIndustry and audience profiles, when derived from professional contextYesYou
K. InferencesWriting voice profiles (AI-analyzed behavioral data derived from your writing samples), user preference patternsYesDerived from your content

We do not collect biometric information (Category E), sensory data (Category H), education information (Category C), or protected classification characteristics (Category C).

Purpose for Collection

Each category above is collected for the purposes described in Section 2: providing the Service, account management, security, service improvement, communications, and legal compliance.

Disclosure, Sale, and Sharing

We disclose personal information to our sub-processors as described in Section 4 and our Sub-Processor List. All sub-processor disclosures are for business purposes under written agreements that restrict the providers to processing data solely on our instructions.

We do not sell personal information. We do not disclose personal information for cross-context behavioral advertising. Sending your data to AI providers for processing is classified as a service provider disclosure, not a “sale” or “sharing” under the CCPA.

Your California Rights

In addition to the rights in Section 8, California residents have the right to:

  • Know: Request the specific categories and pieces of personal information collected, the sources, the business purposes, and the categories of third parties with whom information is shared.
  • Delete: Request deletion of personal information, subject to certain legal exceptions (such as Stripe’s retention of billing records for tax compliance).
  • Opt-out of sale/sharing: We do not sell or share personal information. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link.
  • Limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond providing the Service.
  • Non-discrimination: We will not deny you the Service, charge different prices, or provide a different quality of service for exercising your rights.

Retention periods for each category are specified in Section 6.

Verification: We will verify your identity before processing a request by confirming your email address associated with your Pressmark account.

Response timeline: We will confirm receipt within 10 business days and respond substantively within 45 days. If we need additional time, we will notify you within the initial 45-day period and may take up to 90 days total.

Financial Incentives

Our free tier (50 credits per month at no cost) is a standard freemium offering — not a financial incentive in exchange for personal information. All subscription tiers collect the same categories of personal information. Exercising your deletion rights does not affect your tier eligibility.

14. Additional Disclosures for European Residents

If you are a resident of the European Economic Area (EEA), the United Kingdom, or Switzerland, this section provides additional information required by the General Data Protection Regulation (GDPR) and UK GDPR.

Data Controller

Pressmark is the data controller for your personal information. Our contact details are in Section 12.

EU Representative

As required by GDPR Article 27, we have appointed an EU Representative:

[EU Representative name and contact details to be inserted upon appointment]

Lawful Basis for Processing

Processing ActivityLawful BasisExplanation
Providing the Service (AI processing, content generation, account features)Contract performance (Art. 6(1)(b))You sign up to have your content processed by AI — this is the core service we promise.
Security monitoring and fraud preventionLegitimate interests (Art. 6(1)(f))Protecting the Service and our users from unauthorized access and abuse. Recital 49 recognizes network security as a legitimate interest.
Marketing emailsConsent (Art. 6(1)(a))We only send marketing emails if you explicitly subscribe. You can withdraw consent at any time by unsubscribing.
Billing and tax complianceLegal obligation (Art. 6(1)(c))Retaining billing records as required by tax law.

Your European Rights

In addition to the rights in Section 8, European residents have the right to:

  • Restrict processing: Request that we limit how we use your data in certain circumstances.
  • Object to processing: Object to processing based on legitimate interests. We will stop unless we demonstrate compelling legitimate grounds.
  • Withdraw consent: Where processing is based on consent (marketing emails), you can withdraw at any time.
  • Lodge a complaint: You have the right to lodge a complaint with your local Data Protection Authority.

Automated Decision-Making and Profiling

Pressmark creates writing voice profiles by analyzing your writing samples. These profiles are used to style AI-generated newsletter content to match your voice. This does not constitute automated decision-making under GDPR Article 22 because: (a) the profiles style creative output rather than producing legal or similarly significant effects on you, (b) you voluntarily submit writing samples for this express purpose, and (c) you can review, modify, or delete your voice profile at any time.

Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment for our AI processing workflow, evaluating the risks to your rights and freedoms from sending your content to third-party AI providers. We concluded that our contractual, technical, and organizational safeguards — including DPAs with all providers, no-training commitments, limited retention periods, and encryption — adequately mitigate these risks.

International Transfers

Your data is transferred to the United States under the EU-US Data Privacy Framework. All our sub-processors maintain Standard Contractual Clauses (SCCs) as a supplementary safeguard. For details, see Section 9.