1. Introduction We inform you below about the processing of personal data when using: - our Sharp application; - and, where applicable, our website and help pages. ‘Personal data’ means any information relating to an identified or identifiable natural person (e.g., name, email, advertising identifier, IP address). 1.1. Controller bending words SAS 33 Av. du Maine, 75015 Paris, France Represented by: Leon Mächler and Gustav Grimberg Email: support@bendingwords.com Data Protection Officer (DPO) Leon Mächler – support@bendingwords.com 1.2. Scope, purposes and legal bases Unless otherwise stated, we process your data for the following purposes: - to provide the service (Art. 6(1)(b) GDPR), - to improve security and stability (Art. 6(1)(f) GDPR – legitimate interests), - to comply with legal obligations (Art. 6(1)(c) GDPR), - with your consent where required (Art. 6(1)(a) GDPR). 1.3. Processing outside the EEA Where data is transferred to countries outside the EEA (e.g., the United States), we use the European Commission’s Standard Contractual Clauses (Art. 46 GDPR) and, where appropriate, additional measures (encryption, minimization). 1.4. Retention period We retain data only for as long as necessary for the purposes described, then delete or anonymize it. Technical logs are generally retained for ≤ 14 days, unless a different retention period is required by law. 1.5. Data subject rights You have the rights of access, rectification, erasure, restriction, objection, portability and withdrawal of consent. To exercise these rights: privacy@bendingwords.com. You may also lodge a complaint with a supervisory authority. 1.6. Obligation to provide data Some data is necessary to create and maintain an account and/or provide Sharp. Without this data, using Sharp may be impossible. 1.7. No automated decision-making No fully automated decision-making within the meaning of Art. 22 GDPR is carried out. 1.8. Contacting us If you contact us (email, form), we process the data you provide to respond to your request (Art. 6(1)(f) GDPR). It is deleted when no longer necessary. 2. Categories of data processed - Account & identification: email, hashed password (if applicable), Google login identifiers (see 3.5), internal user ID. - Content: messages/chats you send to the AI (see 4.1). - Technical & usage data: device model, OS, app version, language, time zone, IP addresses (shortened/minimized where possible), diagnostics, crash reports, usage events (e.g., screen open). - Payment data: if you make in-app purchases (IAP), processing is performed by Apple (we do not receive your card data). Important: please do not send sensitive data (health, banking details, physical addresses, third-party identities, etc.) in your messages to the AI. Sharp is not intended to process such data. 3. Processing on the site/app 3.1. Informational use When simply visiting, we process technical data necessary for security and stability (Art. 6(1)(f) GDPR): IP address, date/time, user-agent, pages viewed, status codes, etc. Logs are deleted after at most 14 days. 3.2. Hosting and infrastructure DigitalOcean LLC (EU where possible) – hosting/compute. MongoDB Inc. (MongoDB Atlas) (EU regions where possible) – database. Supabase Inc. – authentication, database and backend services (EU regions where possible). These providers act as processors under our contractual instructions. Legal basis: Art. 6(1)(b) and 6(1)(f) GDPR. Transfers outside the EEA covered by SCCs. 3.3. Account area Creating and managing the account requires certain data (e.g., email). Basis: performance of a contract (Art. 6(1)(b) GDPR). 3.4. Email notifications We may send transactional emails (account creation, security, receipts…). Basis: Art. 6(1)(b)/(f) GDPR. For any marketing (if applicable), we request consent (Art. 6(1)(a) GDPR). Contact: privacy@bendingwords.com. 3.5. Sign in with Google (Single Sign-On) You can sign in with Google. We receive from the provider the information that you are authenticated and the profile data necessary (e.g., email). Basis: consent (Art. 6(1)(a) GDPR) and/or performance of a contract (Art. 6(1)(b)). Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy: https://policies.google.com/privacy 3.6. In-app purchases (IAP) – Apple In-app purchases on iOS are processed by Apple Inc. (Apple Media Services). We do not receive your card data. On the app side, we process purchase metadata (subscription status, signed receipts) to provide the purchased functionality (Art. 6(1)(b) GDPR). 4. AI and specific third-party providers 4.1. OpenAI (processing message content) We transmit the content of your messages (after minimization and the exclusion of unnecessary metadata, e.g., no direct IP address) to OpenAI Ireland Ltd to generate AI responses, only under our instructions. OpenAI does not use this data for its own commercial purposes. Data is deleted by OpenAI in accordance with contractual commitments. Basis: performance of a contract (Art. 6(1)(b)) and legitimate interest in providing AI functionality (Art. 6(1)(f)); consent if required. Possible transfers outside the EEA covered by SCCs. 4.2. Supabase Supabase Inc. provides authentication, database and API functionality. Data processed: account identifiers, strictly necessary usage metadata. Basis: Art. 6(1)(b)/(f). Transfers outside the EEA covered by SCCs. 4.3. MongoDB Atlas MongoDB Inc. hosts certain application data. We prefer EU regions. Basis: Art. 6(1)(b)/(f). Transfers outside the EEA covered by SCCs. 4.4. DigitalOcean DigitalOcean LLC hosts our infrastructure (EU where possible). Data: system logs and minimized application data. Basis: Art. 6(1)(b)/(f). Transfers outside the EEA covered by SCCs. We do not use third-party advertising SDKs, marketing tracking pixels, or advertising profiling within Sharp. 5. Security We apply appropriate technical and organizational measures, including TLS encryption in transit, access controls, logging, backups and security reviews. Access to data is limited to authorized personnel subject to confidentiality. 6. Children and minors Sharp is not intended for children under 13. We do not knowingly collect data from persons under 13. 7. Retention & deletion Upon request or account closure, we delete or anonymize your data, except where retention is required (accounting/legal). Precise periods vary by data category and applicable obligations. 8. Data breaches In the event of a personal data breach, we will notify the supervisory authority and, where required, the affected individuals, in accordance with Articles 33 and 34 GDPR. 9. Changes We may update this policy. We will inform you of material changes via in-app notification, email or a note on our site before they take effect. 10. Contact Questions, rights requests, reporting: support@bendingwords.com Postal address: bending words SAS, 33 Av. du Maine, 75015 Paris, France.