Privacy Policy

Wordbricks, Inc. (the “Company”) is committed to protecting the privacy and security of its users. This Privacy Policy explains how we collect, use, disclose, entrust, retain, destroy, and safeguard information when you use our Site or Service, and how you may exercise your privacy rights.

For purposes of this Privacy Policy:

“Site” refers to the Company’s website at getgpt.app.
“Service” refers to the Company’s services accessed through the Site, through which users can create custom apps without code.
“We,” “us,” and “our” refer to the Company.
“You” refers to a user of the Site or Service.

“Personal Information” means information relating to an identified or reasonably identifiable individual. Depending on the circumstances, technical identifiers, device information, cookie identifiers, and usage records may constitute Personal Information when they can be linked to an individual.

By accessing or using the Site or Service, you acknowledge that you have read this Privacy Policy. Where applicable law requires consent for a particular processing activity, we will request that consent separately and provide the information required by law.

I. INFORMATION WE COLLECT AND WHY

1. Account and Contact Information

To create and manage an account, we collect your email address. You may also choose to provide your name. Your email address is required to create and administer your account, provide the Service, send service-related notices, respond to inquiries, and protect the security of the Service. Your name is optional and is used to personalize communications and support.

The Company does not collect or retain a separate username or password as part of account registration. Account access is provided through the authentication method made available in the Service.

2. Technical, Usage, Cookie, and Advertising Information

When you access or use the Site or Service, we may automatically collect technical and usage information from your browser, device, cookies, and similar technologies. Depending on how you use the Service, this information may include:

• the referring and exit pages or URLs;
• browser type and version, operating system, platform type, device type, device model, screen or language settings, and network information;
• IP address and an approximate access location derived from the IP address;
• date and time of access;
• pages, screens, functions, or features viewed or used;
• clicks, session duration, interaction records, and aggregated usage statistics;
• cookie identifiers, session status, login status, and saved preferences;
• advertising attribution information, such as campaign source, promotion views or clicks, and conversion information; and
• limited diagnostic information, such as error logs, crash reports, latency data, and network or performance logs.

We do not collect precise GPS location through the Site or Service unless we provide a separate notice and obtain any consent required by applicable law. The term “other information” does not mean an unlimited category; it is limited to technical diagnostic information reasonably necessary to operate, secure, troubleshoot, and improve the Service.

3. Why This Information Is Necessary

| Information Category | Purpose and Necessity |
|---|---|
| Email address and optional name | To create and manage an account, provide the Service, communicate service notices, respond to inquiries, provide support, and personalize communications. |
| Approximate access location derived from IP address | To detect suspicious access, prevent fraud and abuse, apply regional settings, diagnose regional service issues, and comply with applicable legal requirements. |
| Browser, device, operating system, platform, and network information | To ensure compatibility, display the Service correctly, troubleshoot errors, protect account and service security, and optimize performance. |
| Usage statistics and interaction records | To understand how features are used, measure service reliability, plan capacity, identify errors, improve functionality, and develop aggregated service analytics. |
| Advertising attribution and campaign information | To measure the effectiveness of the Company’s promotional campaigns, prevent invalid or fraudulent advertising activity, manage campaign frequency, and, where required, provide advertising or marketing only after obtaining consent. |
| Cookies, session status, login status, and preferences | To maintain sessions, provide seamless access, remember user choices, protect the Service, conduct analytics, and support advertising or marketing functions where permitted. |
| Error logs, crash reports, and other limited diagnostic information | To identify, reproduce, and resolve technical failures, maintain service availability, investigate security events, and improve performance. |

We use each category only to the extent reasonably necessary for the purposes described above and do not intentionally collect more information than is necessary for those purposes.

4. Cookies and Similar Technologies

Cookies are small text files stored on your browser or device. We may use session cookies, which expire when you close your browser, and persistent cookies, which remain until their stated expiration date or until you delete them.

We use essential cookies to provide core functions, maintain sessions, remember settings, and protect the Site and Service. We may also use analytics or advertising cookies to understand use of the Service and measure promotional campaigns. Where required by applicable law, non-essential analytics and advertising cookies will be used only after you have made the applicable choice or provided consent.

You may manage or delete cookies through your browser settings and, where available, the Company’s cookie preference tool. Blocking essential cookies may prevent certain parts of the Site or Service from functioning properly.

5. Information You Provide When Registering or Communicating With Us

You may register for the Service by providing your email address and, optionally, your name. If you contact us for customer support or another inquiry, we collect the information contained in your message and any information reasonably necessary to respond to and resolve the matter.

6. Children’s Privacy

The Site and Service are intended exclusively for persons who are at least 14 years old. Persons under the age of 14 are not permitted to register for, access, or use the Site or Service.

The Company does not conduct routine age-verification checks and generally relies on each user’s representation and responsibility regarding age. By registering for or using the Site or Service, you represent that you are at least 14 years old. Because persons under 14 are not eligible to use the Site or Service, the Company does not offer a parental- or legal-representative-consent process for under-14 users.

If we learn or have reasonable grounds to believe that a person under 14 has registered for or used the Site or Service, we may suspend or terminate the account and will delete the child’s personal information without undue delay, except where retention is required by law. A parent or legal guardian who believes that we have collected information from a child under 14 may contact us at privacy@wordbricks.ai.

II. HOW WE USE, DISCLOSE, AND ENTRUST THE PROCESSING OF INFORMATION

1. How We Use Information

We use information described in this Privacy Policy to:

• create, administer, and provide accounts and the Service;
• authenticate sessions and maintain service continuity;
• communicate service, security, support, and policy notices;
• respond to questions, feedback, and customer-support requests;
• diagnose technical issues and improve service quality, performance, and features;
• measure usage, reliability, and promotional campaign effectiveness;
• prevent, detect, and respond to fraud, abuse, security incidents, and violations of our terms;
• send promotional communications where permitted and provide an opt-out method; and
• comply with legal obligations and protect the rights, property, and safety of the Company, users, and the public.

2. Disclosure to Third Parties

We do not sell or rent Personal Information. We do not disclose Personal Information to third parties for their own marketing purposes without the consent or other legal basis required by applicable law.

We may disclose Personal Information:

• to service providers and processors that perform services for us under our instructions and contractual restrictions;
• when required or permitted by applicable law, legal process, or an enforceable governmental request;
• when reasonably necessary to enforce our terms, investigate potential violations, address fraud or security concerns, or protect rights, property, or safety;
• in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of the Company’s assets, subject to applicable legal requirements; or
• with your consent or at your direction.

3. Entrustment of Personal Information Processing

The Company entrusts certain processing activities to service providers as described below.

| Processor / Entrustee | Entrusted Services | Information That May Be Processed | Retention by Processor |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, hosting, storage, backup, network operation, and infrastructure security | Account information, technical and usage information, support information, and Service data as applicable | For the duration of the service agreement and thereafter only as necessary to complete secure deletion, backup rotation, or legal retention obligations |
| Supabase, Inc. | Database, backend infrastructure, session or authentication support, and related technical operation | Email address, optional name, session tokens, technical and usage information, and Service data as applicable | For the duration of the service agreement and thereafter only as necessary to complete secure deletion, backup rotation, or legal retention obligations |
| SIB INC. US (Brevo) | Delivery of transactional, administrative, support, and, where consented to, marketing emails | Email address, optional name, message content, and marketing consent or delivery records as applicable | For the duration of the service agreement and the retention period applicable to the relevant email or record |

The Company enters into written agreements with processors that restrict processing to the entrusted purposes, require confidentiality and appropriate technical, administrative, and physical safeguards, regulate re-entrustment, and require deletion or return of Personal Information when the entrusted work ends, subject to applicable law. The Company supervises processors through reasonable review, monitoring, and contractual controls. Material additions or changes to processors or entrusted services will be disclosed by updating this Privacy Policy or through another method required by applicable law.

4. Aggregated or De-identified Information

We may use or disclose aggregated or de-identified information that does not reasonably identify an individual for analytics, research, service improvement, security, and business planning. We do not attempt to re-identify information that has been de-identified, except where permitted by law for the purpose of testing whether the de-identification measures are effective.

5. Data Retention

Unless a longer period is required or permitted by applicable law, we retain information according to the following schedule:

| Information or Record | Retention Period |
|---|---|
| Account information, including email address and optional name | Until account deletion or membership withdrawal |
| Inquiry and customer-support records | Five (5) years after the final response is provided |
| Technical and usage information, including approximate access location, device information, usage statistics, and diagnostic logs | Twelve (12) months from collection |
| Advertising attribution and campaign information | Twelve (12) months from collection |
| Session cookies | Until the browser session ends |
| Persistent cookies | Until the stated expiration date or deletion by the user, and no longer than twelve (12) months unless a different period is clearly disclosed |
| Marketing consent and delivery records | Until consent is withdrawn or five (5) years from creation of the relevant record, whichever occurs first |

Withdrawal of marketing consent takes effect for future marketing use without undue delay. We may retain a minimal suppression record, such as an email address and opt-out status, for as long as reasonably necessary to ensure that the opt-out is honored.

Where the Company is legally required to preserve specific records, those records are separated or access-restricted and used only for the legally required purpose. Where applicable to the Company’s transactions with Korean consumers, records may be retained under the Act on the Consumer Protection in Electronic Commerce and its Enforcement Decree as follows:

| Legally Retained Record | Applicable Law | Retention Period |
|---|---|---|
| Records concerning display or advertising | Act on the Consumer Protection in Electronic Commerce and its Enforcement Decree | Six (6) months |
| Records concerning contracts or withdrawal of offers | Act on the Consumer Protection in Electronic Commerce and its Enforcement Decree | Five (5) years |
| Records concerning payment and supply of goods or services | Act on the Consumer Protection in Electronic Commerce and its Enforcement Decree | Five (5) years |
| Records concerning consumer complaints or dispute resolution | Act on the Consumer Protection in Electronic Commerce and its Enforcement Decree | Three (3) years |

If another law applies to a particular record, the Company will identify the applicable law and retention period in this Privacy Policy or in an applicable notice.

6. Destruction of Information

When the applicable retention period expires or the processing purpose is achieved, the Company destroys or de-identifies the information without undue delay, unless continued retention is required by law.

Electronic files are deleted using methods designed to make recovery or reconstruction impracticable. Paper records, if any, are destroyed by shredding, pulverization, or another secure method. Information contained in backups is isolated from ordinary use and deleted in accordance with the Company’s backup-rotation schedule, except where legal retention is required.

III. HOW WE PROTECT INFORMATION

The Company maintains administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, use, disclosure, alteration, loss, or destruction. These safeguards include, as applicable:

• Internal Management Plan: establishing, implementing, and periodically reviewing an internal privacy and security management plan, including roles, responsibilities, incident response, training, and compliance checks;
• Privacy Governance: designating a Data Protection Officer or responsible personnel and conducting oversight of Personal Information processing;
• Access-Rights Management: applying least-privilege and role-based access, approving access based on job necessity, periodically reviewing access rights, and promptly changing or revoking access when duties change or employment ends;
• Authentication and Administrative Controls: using appropriate authentication controls for systems and administrative accounts and restricting access to authorized personnel;
• Access Logs: creating, retaining, protecting, and periodically reviewing access and activity logs for Personal Information systems for the period required by applicable law and Company policy;
• Encryption and Network Security: using encryption in transit, appropriate encryption or equivalent safeguards for stored information, firewalls, secure communications technology, network segmentation, and other protective controls where appropriate;
• Malware and Vulnerability Protection: using anti-malware measures, security updates, patch management, vulnerability monitoring, and remediation procedures;
• Employee and Contractor Training: providing periodic privacy and security training and requiring confidentiality obligations for personnel who handle Personal Information;
• Physical Security: restricting physical access to offices, systems, media, and data-center facilities through access controls and other safeguards appropriate to the environment;
• Backup, Recovery, and Incident Response: maintaining reasonable backup, recovery, monitoring, and incident-response procedures; and
• Processor Oversight: assessing and monitoring processors and requiring appropriate contractual privacy and security protections.

Account access is protected through the authentication controls made available by the Service. You are responsible for protecting access to your email account, devices, and authentication method, and for logging out or otherwise ending a session when appropriate.

No method of transmission or storage is completely secure. Although the Company uses safeguards designed to protect information, it cannot guarantee absolute security.

IV. YOUR RIGHTS REGARDING PERSONAL INFORMATION

1. Available Rights

Subject to applicable law, you may request access to, correction or updating of, deletion of, or suspension or restriction of processing of your Personal Information. You may also withdraw consent where processing is based on consent.

You may exercise these rights through the “Account” section of the Site, where available, or by contacting privacy@wordbricks.ai. Please describe the right you wish to exercise and the information or account concerned. We will respond without undue delay and within any period required by applicable law.

2. Identity Verification

To protect Personal Information from unauthorized requests, the Company may verify that the requester is the data subject or an authorized representative. Verification may be completed through an authenticated account session, an email verification link, confirmation using information already associated with the account, or other reasonable documentation where necessary.

We will request only the minimum information reasonably necessary for verification. Verification documents, if collected, will be access-restricted and deleted when no longer needed, unless retention is required by law.

3. Exercise Through an Authorized Representative

You may exercise your rights through a legal representative or another person whom you have authorized. The representative must provide a signed power of attorney or other evidence of authority, and the Company may verify the identities of both the data subject and the representative. The Company may refuse to disclose information to a person who cannot establish valid authority.

4. Denial, Limitation, and Appeal

The Company may deny or limit a request only where permitted by applicable law, including where the Company cannot reasonably verify identity or authority, the request would adversely affect the rights of another person, or retention or processing is legally required.

If a request is denied or limited, the Company will provide notice of the decision, the principal reason and legal basis, and available appeal method, unless prohibited by law.

To appeal, send an email to privacy@wordbricks.ai with the subject line “Privacy Request Appeal” and include the original request, the decision being challenged, and the reason you believe the decision should be reconsidered. The Data Protection Officer or another reviewer who was not primarily responsible for the initial decision will conduct a secondary review and notify you of the outcome without undue delay. This appeal process does not limit any right you may have to contact a competent data-protection authority, dispute-resolution body, or court.

5. Marketing Communications

You may withdraw consent to marketing communications at any time by using the unsubscribe instructions in a promotional email, changing the applicable preference in the “Account” section of the Site where available, or contacting privacy@wordbricks.ai.

After you opt out, we may continue to send non-promotional communications that are necessary to administer your account, provide the Service, respond to your requests, address security matters, or notify you of material policy or service changes.

V. LINKS TO OTHER WEBSITES OR APPLICATIONS

The Service may contain links to, or compatibility with, third-party websites or applications. The Company is not responsible for the privacy practices, information, or content of those third parties. This Privacy Policy applies only to information processed by the Company through the Site and Service. We encourage you to review the privacy notices of third-party websites and applications before using them.

VI. CHANGES TO THIS PRIVACY POLICY

The Company may amend this Privacy Policy from time to time. We will notify you of material changes by sending notice to the primary email address associated with your account, by posting a prominent notice on the Site, or by another method required by law. Unless a different period is required by law, material changes will take effect thirty (30) days after notice. Non-material changes or clarifications may take effect when posted.

Where a change requires new or additional consent under applicable law, the Company will obtain that consent before applying the change to the relevant processing activity.

VII. CONTACT US AND DATA PROTECTION OFFICER

For questions about this Privacy Policy, the Company’s privacy practices, a privacy-rights request, or an appeal, please contact:

Data Protection Officer: Sophia Kim, CEO
Email: privacy@wordbricks.ai
Address: 455 Market St Ste 1940, San Francisco, CA 94105, US

Last Updated: March 1, 2026