Willston

Privacy Policy

Last updated: 22 May 2026

1. Who we are

Willston is operated by WESS EUROPE LTD (company number 14016022), a company registered in England and Wales with its registered office at 4 Princes Street, Mayfair, London, England, W1B 2LE.

This Privacy Policy explains what personal data we collect when you use Willston, why we collect it, how we use it, and the rights you have over your information.

2. Information we collect

When you create a Willston account and use the service, we collect the following categories of personal data:

  • Account data — email address, first and last name, date of birth (optional), and your preferred language.
  • Authentication data — either a hashed password (we never store passwords in plain text) or, if you sign in with Google, the unique identifier that Google provides for your account.
  • Story content — the chapters you write, drafts, AI suggestions you generate, and any cover details you set.
  • Uploaded images — photos and illustrations you upload to your gallery, stored on Amazon Web Services (AWS) S3.
  • Session and preference data — your active session, your language choice, and other settings stored in cookies that are essential for the service to work.
  • Technical data — IP address, browser type, device information, and basic usage logs that help us keep the service available and secure.

3. How we use your information

We use your personal data to:

  • Create and maintain your account and let you sign in.
  • Provide the writing editor, store your chapters and gallery images, and let you return to your work over time.
  • Send AI suggestions when you ask for them, by passing the text of the chapter you are working on to OpenAI for processing.
  • Send transactional emails such as email verification and password resets.
  • Keep the service secure, prevent abuse, and diagnose problems.
  • Comply with our legal obligations.

4. Legal basis for processing

Under the UK GDPR and EU GDPR, we process your personal data on the following legal bases:

  • Performance of a contract — to provide the Willston service you signed up for.
  • Legitimate interests — to keep the service secure, monitor errors, and improve the product, balanced against your privacy rights.
  • Consent — where you have explicitly opted in (for example, optional fields such as date of birth).
  • Legal obligation — where we must process data to comply with applicable law.

5. Sharing your information

We never sell your personal data. We share it only with the limited set of trusted processors that help us run Willston:

  • Brevo — sends transactional email (verification, password reset).
  • OpenAI — generates AI writing suggestions when you ask for them. Only the content you choose to send (the relevant chapter text) is shared.
  • Google — only when you choose to sign in with Google. Google shares your email and profile name with us; we do not share anything with Google beyond what is necessary to complete sign-in.
  • Amazon Web Services (AWS) — stores the images you upload to your gallery in S3 buckets we control.
  • Sentry — receives anonymised error reports so we can fix bugs.
  • Cloudflare — provides Turnstile, a privacy-friendly bot-detection service that runs on our sign-in, sign-up, password-reset, and contact forms to block automated abuse.
  • Authorities — where we are legally compelled to disclose information by court order or applicable law.

6. International data transfers

Some of our processors are based outside the UK and EEA (notably in the United States). When personal data leaves the UK or EEA we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or the UK Addendum to ensure your data remains protected.

7. Data retention

We keep your account, story content, and uploaded images for as long as your account is active. You can permanently delete everything yourself at any time via your profile page (Profile → Delete account). When you delete your account we remove your records from our database and the associated images from S3.

Anonymised technical logs and aggregated usage data may be retained for a longer period for security and analytical purposes.

8. Your rights

Subject to applicable law, you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete personal data;
  • have your personal data erased;
  • receive a portable copy of your personal data;
  • object to or restrict processing of your personal data;
  • withdraw any consent you have given;
  • lodge a complaint with the UK Information Commissioner's Office (ICO) or the data protection authority of your EU member state.

You can exercise most of these rights directly from the profile page in the app. To exercise the others, contact us at the address below.

9. Children

Willston is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13. If you believe a child has created an account, please contact us so we can remove it.

10. Security

We protect your data with industry-standard measures: passwords are stored as bcrypt-style hashes, all traffic is encrypted in transit with HTTPS, your images are stored in S3 with server-side encryption, and access to our infrastructure is restricted with scoped credentials. No system is perfectly secure, but we work continuously to reduce risk.

11. Contact

For any questions about this Privacy Policy or how we handle your personal data, contact us at legal@willston.com or by post at 4 Princes Street, Mayfair, London, England, W1B 2LE.

© 2026 Willston. All rights reserved.

🇪🇺 Registered office address: 4 Princes Street, London, United Kingdom
