Privacy Policy – SueLetter

Effective Date: January 31, 2026  |  Contact: [email protected]

SueLetter Privacy Policy

Plain English Summary (for everyone, even a 12-year-old): When you use SueLetter to write a demand letter, we need some information from you — like your name and what your dispute is about. This page explains exactly what we collect, why we need it, and how we keep it safe. We never sell your information to anyone. Ever.



1. SueLetter Privacy Policy – Who We Are & What This Covers

SueLetter (“we,” “us,” “our”) is an AI-powered demand letter generator available at sueletter.com. We help individuals, small businesses, and legal professionals create professional, legally grounded demand letters without needing to hire a lawyer.

This Privacy Policy applies to:

  • The SueLetter website and all its pages
  • The demand letter generator tool (embedded app at app.sueletter.com)
  • Any emails or communications we send you
  • Your account (if you create one)

This policy does NOT cover: Third-party websites we link to. Those sites have their own privacy policies.

We comply with the following data protection laws:

  • 🇪🇺 GDPR — General Data Protection Regulation (European Union)
  • 🇺🇸 CCPA — California Consumer Privacy Act
  • 🇺🇸 COPPA — Children’s Online Privacy Protection Act
  • 🇬🇧 UK GDPR — United Kingdom data protection law
  • 🇨🇦 PIPEDA — Canada’s Personal Information Protection and Electronic Documents Act
  • 🇦🇺 Privacy Act 1988 — Australia

2. What Information We Collect

2.1 Information You Give Us Directly

When you use our demand letter generator, you provide:

  • Your personal details: Full name, mailing address, email address, phone number
  • Recipient details: The name, company, and address of the person or business you’re writing to
  • Your dispute: Description of what happened, amounts of money involved, dates, and what resolution you want
  • Evidence: Any documents or files you upload (receipts, contracts, photos, emails)
  • Account information: If you sign up, we store your email address and login info (via Google or Microsoft)
  • Payment info: Only if you upgrade to Pro — billing name and address. We never store your credit card number. That is handled by Stripe (a trusted payment processor).

2.2 Information Collected Automatically

Like every website, our server automatically records:

  • Your IP address (this tells us roughly what country or city you’re in)
  • What browser you use (Chrome, Safari, Firefox, etc.)
  • What pages you visited and when
  • How long you stayed on each page

We use Google Analytics to understand how visitors use our site. This data is anonymized — we cannot identify you personally from it.

2.3 Information from Third Parties

  • If you log in with Google or Microsoft, we receive your name and email from them
  • If you pay for Pro, Stripe tells us the payment was successful (but not your card details)

3. Why We Use Your Information

What We Do With It           | Legal Basis (GDPR)           | Data Involved
-----------------------------|------------------------------|---------------------------
Generate your demand letter  | Contract Performance         | Your form data
Send the letter by email     | Contract + Consent           | Your email, letter text
Manage your account          | Contract Performance         | Email, name
Process your payment         | Contract + Legal Obligation  | Billing info
Improve our tool             | Legitimate Interest          | Anonymized usage
Prevent fraud                | Legitimate Interest          | IP address, behavior
Comply with the law          | Legal Obligation             | Whatever is required

We do NOT use your data for: advertising targeting, selling to data brokers, training AI models, or sharing with unrelated businesses.


4. Who We Share Your Data With

We work with a small number of trusted technology partners. Here is everyone who may see your data and why:

Partner           | What They See        | Why                    | Their Privacy Policy
------------------|----------------------|------------------------|----------------------
Groq API          | Your form data       | AI letter generation   | groq.com/privacy
Auth0             | Email, name          | Secure login (SSO)     | auth0.com/privacy
Stripe            | Billing info         | Payment processing     | stripe.com/privacy
Resend            | Email, letter text   | Email delivery         | resend.com
MongoDB Atlas     | Encrypted user data  | Database storage       | mongodb.com
Vercel            | Server logs          | Website hosting        | vercel.com
Google Analytics  | Anonymized usage     | Website analytics      | google.com

What We NEVER Do: We never sell your personal information. We never share your letter content with other users. We never store your payment card details.


5. How Long We Keep Your Data

  • Generated letters: Stored for 12 months in your account history, then auto-deleted
  • Account data: Kept while your account is active; deleted within 30 days of account deletion request
  • Payment records: 7 years (required by US tax law)
  • Server logs: Automatically deleted after 30 days
  • Analytics data: 26 months (Google Analytics standard)

6. Your Legal Rights

If you are in the United States (CCPA — California)

California residents have the right to:

  • Know what personal information we collect and why
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we don’t sell it, but you have this right)
  • Non-discrimination for exercising your rights

Other US states with privacy rights: Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Utah (UCPA). SueLetter honors these rights for all US residents.

If you are in the EU or UK (GDPR / UK GDPR)

You have the right to:

  • Access — Get a copy of all data we hold about you
  • Correction — Fix any incorrect information
  • Erasure (“Right to be Forgotten”) — Ask us to delete your data
  • Restriction — Limit how we use your data
  • Portability — Receive your data in a machine-readable format
  • Object — Opt out of processing based on legitimate interest
  • Withdraw Consent — At any time, for consent-based processing

How to Exercise Your Rights

Email us at: [email protected] with the subject line “Privacy Request.” We will respond within 30 days. No fees. No runaround.


7. How We Protect Your Data

  • HTTPS encryption on all pages (TLS 1.2+)
  • Encrypted storage in MongoDB Atlas (AES-256)
  • No direct database access from the frontend — all requests go through secure serverless functions
  • API keys stored securely in server environment variables (never in browser code)
  • Payment data handled exclusively by Stripe (PCI DSS Level 1 compliant)
  • Login secured by Auth0 (SOC 2 Type II certified)

Despite these measures, no system is 100% secure. If you suspect unauthorized access to your account, contact us immediately at [email protected].


8. Children’s Privacy (COPPA)

SueLetter is not intended for children under 13 years old. We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately and we will delete it promptly.

This complies with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506.


9. International Data Transfers

SueLetter is operated from the United States. If you access our service from outside the US (including from the EU or UK), your data will be transferred to and processed in the United States.

We ensure lawful transfers using:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all third-party processors
  • Partners who are Privacy Shield certified or equivalent

10. Cookies & Tracking

We use cookies — small text files stored in your browser. Here is what each type does:

Cookie Type  | Purpose                        | Can You Turn It Off?
-------------|--------------------------------|------------------------------------------
Essential    | Keep you logged in, security   | No (needed for site to work)
Analytics    | Google Analytics usage data    | Yes — click “Decline” on cookie banner
Preference   | Remember your settings         | Yes

We do NOT use advertising or tracking cookies that follow you across other websites.


11. AI Processing & Letter Generation

When you click “Generate My Letter,” your form data is sent securely to the Groq API (powered by Llama AI). Here is what you need to know:

  • Data is encrypted in transit (HTTPS)
  • Groq does not permanently store your data — their logs expire after 90 days
  • Your data is never used to train AI models
  • Processing may occur on servers in the United States
  • The AI generates letter text only — it does not provide legal advice

Important Reminder: The letters generated by SueLetter are AI-written documents. They are not legal advice, and SueLetter is not your lawyer. For complex legal situations, please consult a licensed attorney in your jurisdiction.


12. Policy Updates

We may update this policy from time to time. When we make significant changes, we will:

  • Update the “Last Updated” date at the top of this page
  • Post a notice on our website homepage
  • Send an email to registered users (for major changes)

Continued use of SueLetter after changes are posted means you accept the updated policy.


13. Contact Us — Privacy Questions

Got a question, correction request, or want to delete your data? We make it easy.

If you are in the EU and believe we have violated your GDPR rights, you have the right to lodge a complaint with your national Data Protection Authority (DPA). In the US, you may contact the Federal Trade Commission (FTC) at ftc.gov.



14. Frequently Asked Questions About Privacy on SueLetter

Q: Does SueLetter store my demand letter content?

A: Only if you have a registered account. Free users’ letter data is processed to generate the letter, then discarded within 24 hours. Account holders can see their letter history for up to 12 months, after which it is auto-deleted.

Q: Is my dispute information shared with anyone?

A: Your dispute details are sent to the Groq API (AI model) to generate your letter, and to Resend (if you choose email delivery). They are never shared with other SueLetter users, advertisers, or data brokers. See Section 4 for the full partner list.

Q: Does SueLetter use my data to train its AI?

A: No. Your form data is never used to train AI models — not ours, not Groq’s. Groq’s logs expire after 90 days per their policy.

Q: I am in the EU. Who is the data controller?

A: SueLetter (operated from the United States) is the data controller for your personal data. We comply with GDPR Chapter V for international data transfers using Standard Contractual Clauses (SCCs). Contact us at [email protected] for any GDPR rights request.

Q: What happens to my data if I delete my account?

A: Account data is deleted within 30 days of your deletion request. Payment records are retained for 7 years as required by US tax law. Server logs are deleted after 30 days.

Q: Does SueLetter honor the Global Privacy Control (GPC) signal?

A: Yes, for California users. If your browser sends a GPC signal, we treat it as a request to opt out of the sale or sharing of your personal data under CPRA. We are working to extend GPC recognition to other US state laws.

Q: Can I use SueLetter from Germany, France, or Spain?

A: Yes. SueLetter is available globally. For EU users, we apply GDPR protections by default, including consent-first cookie handling, Standard Contractual Clauses for data transfers, and your full suite of GDPR rights as described in Section 6.


Legal Disclaimer: SueLetter is an AI-powered educational tool. It does not provide legal advice, legal representation, or establish an attorney-client relationship. Generated demand letters are for informational and self-help purposes only. Laws vary by jurisdiction. For advice specific to your legal situation, consult a licensed attorney in your state or country. Using this tool does not guarantee any legal outcome.