Privacy Policy
Last updated: 11 May 2026
Who we are and who controls your data
This Privacy Policy explains how Bhavesh Prabhakar handles personal data in connection with the Tolstoy Compose website, writing application, account, billing, support, export, Teams, and installed-app features.
Tolstoy Compose is operated by Bhavesh Prabhakar, an individual based in England (“we”, “us”, “our”). For privacy questions, legal notices, account support, billing support, or requests about your personal data, contact [email protected].
For the website, accounts, billing, support, security, device authorisation, Teams administration, and service operations, we act as controller of the personal data we decide to collect and use. Where a business, institution, or team uses Compose, that organisation may have its own obligations to its members, staff, students, clients, or users.
No data protection officer is currently appointed. We will keep our ICO data protection fee position under review and will maintain any required registration or fee payment where applicable.
What Compose is
Compose is a local-first writing workspace. The core drafting workflow stores document content, local versions, review state, recovery data, citations, metadata, and view state in browser or device storage by default.
You can create, open, edit, save, restore, version, review, duplicate, close, delete, and export local documents without creating an account. Account services are used for paid access, billing, device authorisation, Teams administration, support, and related service features.
At launch, Compose does not use advertising networks, behavioural profiling, social media pixels, heatmaps, session-recording tools, third-party analytics platforms, or AI model providers for document generation, review, training, or profiling.
Personal data we process
Depending on how you use Compose, we may process:
- Account data, such as email address, account identifiers, profile details you provide, authentication tokens or session identifiers where needed to keep you signed in, authentication state, and sign-in events.
- Workspace and Teams data, such as workspace name, role, membership, invitations, invited email addresses, seat status, seat limits, pending invites, and team administration activity.
- Billing data, such as Stripe customer, checkout session, billing portal, subscription, invoice, payment, renewal, cancellation, refund, plan, tax, seat quantity, billing status, entitlement source, refund-window, transition-preview, and webhook status information.
- Device and security data, such as device identifiers used for paid-device limits, IP address, user agent, request identifiers, Cloudflare request metadata, rate-limit records, security logs, operational diagnostics, and session state.
- Support data, such as your name, email address, subject, message, plan, workspace role, billing context, locale, page, platform, IP address, and user agent when you contact support.
- Local app data, such as document workspace snapshots, recovery entries, local versions, citation and review state, preferences, language choice, appearance settings, sidebar/view state, local clipboard history, table presets, offline cache, app installation state, and document data stored in browser storage on your device.
Document content and exports
Your document content is local by default. Opening, editing, local saving, local recovery, local versions, citations, review state, DOCX generation, PDF preparation, and local exports are designed to run in the browser or on your device.
For paid PDF and DOCX exports, Compose may contact our server to check whether your account, plan, workspace, and device are authorised. That authorisation request is not intended to upload the contents of the document being exported.
If you deliberately send document content to us, for example by pasting it into a support message, attaching it to an email, or asking us to investigate a document-specific issue, we will process it for that support purpose. Do not send confidential or client material to support unless you are authorised to do so.
Browser storage and security audit
Our launch storage audit found that the current app build uses IndexedDB databases for local workspace snapshots, document recovery entries, and local version history. It uses localStorage for preferences; language choice; appearance state; workspace selection; current device identifiers; account or session state where needed to keep you signed in; pending checkout intent; local fallbacks for documents, recovery, and versions; local clipboard history; and some UI state. It uses sessionStorage for temporary update and reload state.
The app service worker uses browser cache storage for the app shell and static assets so the app can load reliably. The launch service worker is designed not to cache same-origin API responses, including account, billing, support, and readiness endpoints.
The website and app source packages we reviewed do not include Google Analytics, advertising pixels, heatmaps, session-recording tools, PostHog, Mixpanel, Amplitude, Plausible, Segment, Sentry, LogRocket, FullStory, Hotjar, Microsoft Clarity, or equivalent third-party analytics/tracking SDKs. If those tools are introduced later, this policy and the Cookies Policy must be updated before launch or release.
Security and privacy safeguards
Compose uses a local-first design so ordinary drafting, local recovery, local versions, review state, citations, and exports are handled in the browser or on your device where possible. Paid features may contact our service to check account, plan, workspace, and device authorisation, but that check is not intended to upload the document being exported.
The website and app are served over HTTPS. We use access controls, provider security features, rate limiting, operational logging, and Cloudflare infrastructure protections to help run the service safely. We do not currently use advertising networks, behavioural profiling, social media pixels, heatmaps, session-recording tools, or third-party analytics SDKs.
No internet service, browser storage system, local device, or third-party integration can be guaranteed to be completely secure. You are responsible for keeping your device, browser profile, email account, passwords, passkeys, connected-service accounts, and exported files secure.
Checkout, billing, and subscription lifecycle
When you start checkout, manage billing, change seats, accept a Teams invite, or request support for billing, we may create or receive records about the selected plan, seat quantity, checkout intent, Stripe customer or subscription identifiers, billing portal return status, renewal dates, refund eligibility, cancellation state, payment state, and whether a subscription is active, incomplete, past due, unpaid, paused, cancelled, or suspended.
Stripe controls payment-card entry and payment processing on Stripe-controlled pages. We do not intend to receive or store full card numbers.
Legal, checkout, support, and notification surfaces
Privacy information should be available wherever Compose collects or uses personal data in a way that materially affects the user, including the website pricing area, app account panel, checkout continuation flow, Stripe billing portal handoff, support form, Teams invitation flow, transactional emails, order confirmations, renewal reminders, cancellation notices, refund communications, and account or billing status screens.
Those surfaces may show shorter summaries of this policy. If a short notice conflicts with this policy, this policy applies unless the notice gives you a clearer or more specific right that we are legally able to give.
Authentication emails, support replies, Teams invite emails, Stripe emails, order-confirmation emails, renewal reminders, renewal cooling-off notices, cancellation confirmations, and refund communications may include personal data needed to provide the service, identify the relevant account or workspace, comply with law, or help you understand your rights and next steps.
Support, diagnostics, and rate limits
When you contact support from the app, support submissions may include the message you send, account email, plan, workspace role, billing issue code, refund eligibility context, locale, page, platform, IP address, and user agent so that we can investigate the request. Support form abuse may be rate-limited using Cloudflare infrastructure.
Operational logs are intended to be limited to technical metadata such as request identifiers, method, path, Cloudflare request identifiers, timestamps, and sanitised diagnostic details. They should not intentionally include payment-card details, document contents, authentication secrets, webhook secrets, or provider secret keys.
Purposes and lawful bases
We process personal data for the following purposes and lawful bases:
- To provide accounts, authentication, paid features, Teams, exports, and support: performance of a contract or steps requested before entering a contract.
- To process payments, invoices, refunds, taxes, subscription status, renewals, cancellations, plan changes, Teams seat changes, billing previews, and accounting records: contract, legal obligation, and legitimate interests in operating a paid service.
- To secure the service, prevent abuse, enforce rate limits, diagnose incidents, protect accounts, and maintain service reliability: legitimate interests in security and service integrity.
- To respond to support requests and service communications: contract and legitimate interests in customer support.
- To comply with legal, tax, consumer-law, regulatory, accounting, or dispute-resolution obligations: legal obligation and legitimate interests.
- To store local app data needed for the app to work at your request: contract and legitimate interests in providing a reliable local-first app.
Where we rely on legitimate interests, those interests are the operation, security, administration, improvement, and protection of Tolstoy Compose and the prevention of fraud, abuse, and misuse. We do not use legitimate interests for advertising profiling.
Service providers, processors, and sharing
We use service providers to operate Compose. Current providers include:
- Cloudflare for hosting, security, caching, and serverless functions.
- Supabase for authentication, account, workspace, device, and service database features.
- Stripe for checkout, payment processing, subscriptions, billing portal, invoices, tax, refunds, and billing webhooks.
- Resend for support and transactional email delivery.
Where a provider processes personal data for us, we rely on the provider’s contractual terms, data processing terms, or data protection addendum as appropriate. Where a provider independently controls payment, fraud-prevention, compliance, or infrastructure data, that provider may also have its own privacy terms.
We may also disclose information if required by law, to protect rights and security, to investigate abuse, to resolve disputes, to obtain professional advice, or in connection with a future business transfer. We do not sell personal data.
International transfers
Some providers or infrastructure may process personal data outside the UK, including in the EEA, the United States, or other countries where provider infrastructure or support operations are located. Where restricted international transfers occur, we rely on UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, provider data processing terms, transfer risk assessments, or another lawful safeguard or exception as applicable.
You can contact us for more information about the transfer safeguards used for your personal data. We may redact commercially confidential or security-sensitive information from copies of safeguards where lawful.
Retention
We keep personal data only for as long as needed for the relevant purpose. Account, workspace, entitlement, and support records are usually kept while your account or support matter is active and for a reasonable period afterwards. Billing, invoice, tax, refund, cancellation, subscription, and dispute records may be kept for the periods required by law and accounting practice. Security, rate-limit, and diagnostic records are kept for shorter operational periods unless needed to investigate abuse, incidents, or legal claims.
Local browser/device data remains on your device until you delete it, clear browser storage, uninstall the app, reset the app, or your browser removes it. We cannot recover local-only documents if they are deleted from your device and were not exported or backed up by you.
Your rights
Depending on where you live and the lawful basis for processing, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data. You can contact us at [email protected] to make a request.
Your right to object is brought to your attention separately: where we rely on legitimate interests, you can object to that processing. We will consider the objection and stop the relevant processing unless we have compelling legitimate grounds to continue or need the data for legal claims.
You also have the right to complain to the UK Information Commissioner’s Office if you are unhappy with how your personal data is handled. We ask that you contact us first so we can try to resolve the issue.
Data protection complaints
If you raise a data protection complaint, we will review it through an internal complaints process, use the contact details you provide to respond, and keep records needed to handle the complaint, demonstrate compliance, and protect legal rights. We will not treat you unfairly for raising a genuine privacy concern.
You can complain to the UK Information Commissioner’s Office. We ask that you contact us first where practical so we can try to resolve the issue.
Children
Compose is intended for adults and professional, academic, business, and authoring use. It is not directed at children.
Changes
We may update this policy as Compose changes or as legal requirements develop. The latest version will be published on this website. If we introduce materially different processing, non-essential tracking, or cloud document-content processing, we will update the relevant notices before using those features.