Privacy Policy

Distill (“we”, “us”, “our”) is an AI-powered newsletter platform that helps professionals create, manage, and send curated newsletters to their audiences. We are incorporated in [State, Country].

We play two distinct roles under data protection law:

• Data controller for information you provide directly to us — your account details, billing information, and how you use our platform.
• Data processor for subscriber data you upload and manage through your workspaces — we process that data solely on your instructions, as the data controller for your subscribers.

Questions about this policy? Contact us at privacy@distill.ink.

We use the information we collect to:

• Provide, operate, and improve the Distill platform
• Process links you submit through Google Gemini to generate newsletter summaries
• Deliver newsletters to your subscribers via Amazon Web Services Simple Email Service (SES)
• Process payments and manage your subscription through Stripe
• Send you transactional emails about your account (receipts, important notices)
• Analyze platform-level usage to improve features and fix bugs
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

Subscriber list data you manage through Distill is processed exclusively on your instructions. We do not use your subscribers’ email addresses or engagement data to market our own products or services.

When you send newsletters through Distill, we include email tracking technology to provide you with engagement analytics. Here is exactly how it works:

As the workspace owner (data controller for your subscribers), you are responsible for informing your subscribers about email tracking in your own privacy disclosures.

We do not sell your personal data to third parties. We share data only as necessary to provide the Distill service with the following sub-processors:

We may also disclose information if required by law, court order, or to protect the rights and safety of Distill and its users.

We retain different categories of data for different periods:

• Account data (profile, settings, workspace content): retained while your account is active, plus 30 days after account deletion to allow for recovery requests.
• Email send logs (delivery receipts, bounce records): 90 days.
• Analytics data (open/click events, engagement metrics): 12 months.
• Database backups: deleted within 30 days after account deletion has been fully processed.

After these periods, data is permanently deleted or anonymized. To request early deletion, contact privacy@distill.ink.

If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete personal data.
• Right to erasure (“right to be forgotten”): You can ask us to delete your personal data, subject to certain legal exceptions.
• Right to data portability: You can request your data in a structured, machine-readable format.
• Right to restriction of processing: You can ask us to restrict how we use your data in certain circumstances.
• Right to object: You can object to processing of your personal data in certain circumstances, including direct marketing.
• Rights related to automated decision-making: You have the right not to be subject to decisions made solely by automated processing if they significantly affect you.

To exercise any of these rights, email privacy@distill.ink. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

• Right to know: You can request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties we share it with.
• Right to delete: You can request that we delete your personal information, subject to certain exceptions.
• Right to opt out of sale: We do not sell personal information to third parties. If this changes, we will provide a “Do Not Sell My Personal Information” link.
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights. You will receive the same quality of service regardless of whether you make a privacy request.

To submit a CCPA request, email privacy@distill.ink.

Distill complies with the CAN-SPAM Act for all emails we send on our own behalf (such as account notices and marketing communications). Our emails:

• Accurately identify the sender
• Use honest and non-deceptive subject lines
• Include our physical mailing address
• Honor unsubscribe requests promptly

If you send newsletters through Distill to your own subscribers, you are the sender under CAN-SPAM and are solely responsible for compliance. Your responsibilities include:

• Including a valid physical postal address in every commercial email
• Using clear and honest subject lines
• Including a working unsubscribe mechanism and honoring opt-outs within 10 business days
• Sending only to subscribers who have given their consent

See our Terms of Service for our full Acceptable Use Policy governing email sends through our platform.

We use a minimal cookie footprint:

• Authentication session cookie: Strictly necessary to keep you logged in. Set by Supabase when you sign in, cleared when you sign out. This cookie is required for the platform to function and does not require your consent under ePrivacy rules.
• Theme preference: Stored in your browser’s localStorage, not a cookie. No data is transmitted to our servers.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

We take reasonable technical and organizational measures to protect your personal information:

• All data is encrypted in transit using TLS (HTTPS)
• Data at rest is encrypted by our database provider (Supabase / PostgreSQL)
• Access to production systems is restricted to authorized personnel
• Passwords are hashed and never stored in plain text
• Row-level security policies enforce data isolation between accounts
• Regular security reviews of our infrastructure and code

Despite these measures, no system connected to the internet can be guaranteed to be 100% secure. If you believe your account has been compromised, please contact us immediately at privacy@distill.ink.

Distill is a B2B platform intended for use by professionals. It is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16.

If you believe that a child under 16 has created an account or provided personal information to us, please contact us at privacy@distill.ink and we will delete that information as quickly as possible.

We may update this Privacy Policy from time to time. When we make material changes — such as collecting new types of data, changing how we use data, or introducing new sharing arrangements — we will:

• Update the “Last updated” date at the top of this page
• Send an email notification to all registered users with an account in good standing

For minor clarifications or corrections that do not materially affect your rights, we may post the updated policy without a separate notification. Continued use of Distill after changes take effect constitutes acceptance of the updated policy.

For all privacy-related inquiries — including requests to exercise your data rights, questions about this policy, or concerns about how we handle your information — please contact:

Note: While we have not designated a formal Data Protection Officer (our processing activities do not require one under GDPR Article 37), we take privacy seriously and will respond promptly to all inquiries.