Resources

Help and Support
Privacy Policy
Terms of Service
Acceptable Use Policy
Cookie Policy
Subprocessors
Data Processing Addendum

Diglot Privacy Policy

Last updated: 06/05/2026

Diglot OÜ (“Diglot”, “we”, “us”, “our”), a private limited company registered in the Republic of Estonia, runs the Diglot bilingual writing platform at diglot.ai, in our web editor, browser extensions, desktop and mobile apps, and the Authorship Certificate feature (collectively, the “Service”). This Privacy Policy explains what personal data we process, why, on what legal basis, with whom we share it, and what rights you have.

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Diglot OÜ is the controller of personal data we collect from individual users. Where Diglot is offered to a school, university, or company under a B2B / education contract, that institution is the controller and Diglot acts as a processor under the terms of our Data Processing Addendum.

1. Quick summary

  • We collect what we need to give you the Service, keep it secure, and run our business — and not more.
  • We do not sell your personal data, and we do not use the substance of your writing to train third-party foundation models.
  • Some processing happens on infrastructure outside the EEA (notably U.S. AI providers). We use standard contractual clauses, the EU-U.S. Data Privacy Framework where available, and additional safeguards.
  • The Authorship Certificate’s keystroke and timing telemetry is opt-in, based on your explicit consent.
  • You can access, export, correct, or delete your data — see Section 8.

2. What we collect and why

CategoryExamplesPurposeLegal basis (GDPR Art. 6 / 9)
Account dataEmail, name, password hash, language preferences, planCreate and manage your account; provide the ServicePerformance of contract (Art. 6(1)(b))
User ContentDrafts, prompts, instructions, files, translations, editsRun the writing assistant and store your workPerformance of contract (Art. 6(1)(b))
Authorship telemetry (opt-in)Keystroke timing, paste events, edit cadence, pause patternsGenerate Authorship Certificates / Proof of ProcessExplicit consent (Art. 6(1)(a) and Art. 9(2)(a))
Usage telemetryFeature usage, button clicks, page views, performance metricsMeasure product quality, find bugs, improve UXLegitimate interest (Art. 6(1)(f)) — with opt-out
Device & log dataIP address, user agent, OS, app version, timestampsSecurity, fraud prevention, abuse mitigationLegitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c))
Billing metadataPlan, transaction IDs, country, billing email — never full card numbersTake payment via our Merchant of Record (Polar.sh); tax compliancePerformance of contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c))
Support communicationsEmails, chat messages, attachmentsResolve your support requestsLegitimate interest (Art. 6(1)(f))
Marketing (where applicable)Newsletter sign-ups, product-update preferencesSend product news you opted in toConsent (Art. 6(1)(a))

We do not intentionally collect special-category data (Art. 9 GDPR) other than the Authorship telemetry described above, which we treat as behavioural-biometric data and process only with your explicit, revocable consent.

3. Generative AI and your User Content

To produce outputs (translations, paraphrases, grammar suggestions, Cowriter responses), we send the relevant portion of your User Content — together with task-specific prompts — to one or more third-party AI providers (currently OpenAI, Anthropic, and Google; see Subprocessors). We use enterprise / API endpoints under contracts that prohibit those providers from using your content to train their general-purpose foundation models. Where available we use EU-region or EU-resident inference endpoints.

We do not sell your User Content. We do not use the substance of your User Content to train third-party foundation models. We may use aggregated, fully de-identified signals (e.g., “users on plan X invoke Cowriter twice per session on average”) to improve our own product and quality.

If we ever introduce optional model fine-tuning on your content for our own product, we will ask for separate, granular consent before any such use.

4. Authorship Certificate / Proof of Process

The Authorship Certificate is off by default. You can turn it on per-document or globally. When on, the editor records technical telemetry such as keystroke timing, paste/insert events, time on document, and edit cadence, signs the resulting log with our key, and stores it alongside your document.

Because this telemetry can in principle be analysed as behavioural biometrics, we treat it under Article 9 GDPR. We rely on your explicit consent (Art. 6(1)(a) + Art. 9(2)(a)). You can:

  • turn the Certificate off at any time in Settings → Privacy → Authorship Certificate;
  • delete previously generated Certificates from each document;
  • request deletion of all stored Certificate logs by emailing legal@diglot.ai.

We do not use Certificate data to make automated decisions that produce legal or similarly significant effects on you, and we do not share Certificate data with academic institutions or any other third party except (a) at your direction (e.g., when you choose to attach a Certificate to a submission) or (b) where required by law.

5. How long we keep data

We keep personal data only as long as we need it. Indicative retention:

DataRetention
Account dataWhile your account is active + up to 12 months for re-activation, then deleted or anonymised
User Content (documents, drafts)Until you delete it, or until 30 days after account closure (the export window — see Section 8)
Authorship telemetry (raw)Up to 12 months from creation, then summarised into a high-level Authorship Report and raw keystroke data is deleted
Authorship Reports (summarised)Up to 5 years (typical academic-integrity audit horizon) or until you delete the related document
Usage telemetryUp to 24 months in identifiable form, then aggregated
Security and audit logsUp to 12 months
Billing records (with Polar)Up to 7 years (tax / accounting law)
Marketing preferencesUntil you opt out

Where law requires longer retention (tax, anti-fraud, dispute resolution), we keep the minimum necessary record for the legally required period and isolate it from production data.

6. Who we share data with

We use a limited number of carefully selected service providers. The full, up-to-date list is published at /subprocessors and includes (without limitation):

  • Polar.sh — Merchant of Record (billing, tax, refunds);
  • Supabase / Hetzner — managed Postgres and hosting in the EU;
  • OpenAI, Anthropic, Google — generative AI inference;
  • Cloudflare — CDN, DDoS protection, WAF;
  • PostHog — product analytics (with IP anonymisation, opt-out supported);
  • Sentry — error monitoring;
  • Resend — transactional email.

We may also disclose personal data:

  • to comply with a binding legal request, court order, or law-enforcement demand we believe is valid;
  • to investigate suspected fraud, abuse of the Service, or threats to the safety of users or the public;
  • in connection with a corporate transaction (merger, acquisition, financing, asset sale) — in which case we will notify you and require the recipient to honour this Privacy Policy.

We do not sell your personal data and we do not “share” it for cross-context behavioural advertising in the sense of the California Consumer Privacy Act (“CCPA / CPRA”).

7. International data transfers

Diglot is operated from the EU. Some of our subprocessors are based in the United States or operate global infrastructure. When personal data leaves the European Economic Area we rely on:

  • the EU-U.S. Data Privacy Framework (where the recipient is certified, e.g., Google, OpenAI);
  • the European Commission’s Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum;
  • supplementary technical measures including TLS 1.2+ in transit, AES-256 at rest, and least-privilege access controls;
  • a documented Transfer Impact Assessment for each cross-border data flow.

You can request a summary of the safeguards by emailing legal@diglot.ai.

8. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct data that is inaccurate or incomplete.
  • Deletion / “right to be forgotten” — ask us to delete your data, subject to lawful retention obligations.
  • Restriction and objection — pause or object to certain processing (in particular processing based on legitimate interest).
  • Portability — receive your User Content (and any Authorship Certificates) in a structured, machine-readable format. After account closure you have 30 days to export your data; afterwards we may delete it (Section 5 / EU Data Act).
  • Withdraw consent — for any processing based on consent (e.g., Authorship telemetry, marketing). Withdrawal does not affect processing that already happened.
  • Lodge a complaint — with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or your local supervisory authority.

For California / U.S. residents, you also have:

  • the right to know, delete, and correct personal data;
  • the right to opt out of “sale” or “sharing” — even though we do not sell or share your data, we honour the Global Privacy Control (GPC) browser signal and provide a “Do Not Sell or Share My Personal Information” link in the website footer;
  • the right to limit use of sensitive personal information — for Authorship telemetry, just turn the feature off in Settings;
  • the right to non-discrimination for exercising any of the above.

For Australian residents, you have rights under the Privacy Act 1988 (as amended in 2024–2026), including the right to know how automated decision-making is used and to seek correction or destruction of your data. You can complain to the Office of the Australian Information Commissioner (oaic.gov.au).

To exercise any of these rights, contact legal@diglot.ai or use the in-app controls in Settings → Privacy. We will respond within 30 days (extendable by a further two months for complex requests, with notice).

9. Children

The Service is not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. Where the EU age of digital consent in your country is higher than 13 (it ranges from 13 to 16 across the EEA), you must be at least the local digital-consent age, or have parental consent, to use the Service. If you believe a child under 13 has given us personal data, contact legal@diglot.ai and we will delete it.

For B2B / education customers, the institution is responsible for obtaining any required parental consent under COPPA, FERPA, or local law before students use the Service.

10. EU AI Act transparency

The Service uses generative AI from third-party providers and includes algorithmic features (translation, grammar, paraphrasing, AI-Check, the Authorship Certificate). In line with the EU AI Act:

  • you are always told when content has been AI-generated or modified;
  • the Authorship Certificate is presented as a record of process telemetry, not as an automated determination of authorship — the final assessment is up to a human (you, your teacher, your editor);
  • we do not use the Service to take legally significant or similarly significant decisions about you in a fully automated way (Art. 22 GDPR).

If you have questions about how a particular feature works, contact legal@diglot.ai.

11. Security

We use technical and organisational measures appropriate to the risk, including:

  • TLS 1.2+ in transit and AES-256 at rest;
  • access controls and audit logging on production systems;
  • regular dependency scanning, vulnerability management, and (over time) third-party penetration testing;
  • least-privilege defaults — only a small group of engineers can access production data, and only to operate or repair the Service.

No method of transmission or storage is 100 % secure. If we ever discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33–34.

12. Cookies and similar technologies

Cookies and similar technologies are described separately in our Cookie Policy. Strictly necessary cookies are loaded by default; analytics and any future marketing cookies are off until you give consent.

13. Changes to this Policy

We may update this Privacy Policy when our practices, the law, or our subprocessors change. If a change is material, we will notify you (in-product or by email) at least 30 days before it takes effect. The “Last updated” date at the top of this page always shows the current version. Earlier versions are available on request.

14. Contact

Diglot OÜ Registered in the Republic of Estonia Privacy & data-protection requests: legal@diglot.ai General support: support@diglot.ai Billing (Merchant of Record): support@polar.sh

Estonian supervisory authority: Andmekaitse Inspektsioon — aki.ee.

Diglot.ai Mark

The bilingual writing tool.
Write in English like a Native!

Company
Features Pricing Company Beta Blog Feedback
Tools
AI Writing Assistant AI Translator Grammar Checker Paraphrasing Tool Plagiarism Checker Authorship Certificate Writing Templates
Topics
AI Cowriter Translator Grammar Paraphrasing Plagiarism Templates Authorship
Use Cases
ESL Writing Tool For Students For Professionals
Resources
Changelog Help and Support Get early access Press kit Privacy Policy Terms of Service Cookie Policy
Social
X (Twitter) LinkedIn Instagram Facebook YouTube Bluesky Telegram
Copyright © Diglot.ai 2024