Controller: PMAGI AB (“PurposeWrite Publish”, “we”, “us”, “our”)
Swedish corporate identity number (organisationsnummer): 556874-4592
VAT number: SE556874459201
Registered office: Slumnäsvägen 59, 135 61 Tyresö, Sweden
Privacy contact: info@purposewrite.com
Notice URL: https://purposewrite.com/mcp-privacy
Effective date: 1 May 2026
Last updated: 1 May 2026
This Privacy Notice describes how PurposeWrite Publish collects, uses, shares, and protects personal data when you use the PurposeWrite Publish MCP service, our website, and related features (together, the “Service”). It is written to satisfy our information obligations under Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and Swedish data-protection law.
We have written this Notice in plain language. Where a term has a legal meaning, we use it in that sense. Capitalised terms not defined here have the meaning given in our Terms of Service.
1. Who we are
PMAGI AB is a Swedish limited company (aktiebolag) registered under organisationsnummer 556874-4592, with its registered office at Slumnäsvägen 59, 135 61 Tyresö, Sweden. We operate the Service under the brand “PurposeWrite Publish”, which is part of the “PurposeWrite” family of products. We are the data controller for the personal data we process about you in connection with the Service, except in the limited circumstances described in Section 4.6 (where we act as a processor on your behalf).
We have not appointed a Data Protection Officer because the size, nature, and scope of our processing do not require one under Article 37 GDPR. You can reach our privacy team at info@purposewrite.com for any matter concerning your personal data.
2. Scope
This Notice applies to personal data we process when you:
(a) browse or interact with our website;
(b) create or use an Account, including connecting it through ChatGPT;
(c) connect a third-party Connected Account such as LinkedIn or your self-hosted WordPress instance;
(d) draft, edit, or publish Content through the Service;
(e) communicate with us (for example by email or support ticket); or
(f) become a paying customer once paid plans are made available.
This Notice does not cover personal data processed by third parties in their own products, including OpenAI (in respect of ChatGPT itself), Zernio (in respect of its own product), LinkedIn, your WordPress host, or any future Third-Party LLM provider. Those parties are independent controllers of the data they hold about you. Section 5 lists who they are; please consult their own privacy notices.
3. The personal data we collect
We try to collect as little personal data as we reasonably can. The categories below describe the types of data we may process. Not all of them apply to every user.
3.1 Account data. Your name and email address (typically obtained from the OAuth identity used to sign up, such as your ChatGPT or Google identity), a display name, time-zone and language preference, and the date you registered.
3.2 Connected Account credentials and metadata. For social platforms (such as LinkedIn), we hold the API reference and account identifier provided to us by our Publishing API Provider (Zernio), which actually stores the OAuth access tokens and refresh tokens. For your self-hosted WordPress instance, we hold the URL of your site and the credential you provided (such as a WordPress Application Password or REST API key) in encrypted form. We never request, see, or store your main password for any Connected Platform.
3.3 Configuration data. Your settings inside the Service (for example default Connected Account, posting preferences, notification settings).
3.4 Content (transient only). When you draft or edit text, attach images, or invoke an AI rewrite operation, the relevant Content is transmitted to us so that we can carry out the action you have requested. We do not retain Content in any persistent store. Content is held in memory only for the time strictly needed to fulfil the request, and then discarded. When in the future we relay Content to a Third-Party LLM, the same applies on our side; the LLM provider’s own retention rules apply on theirs.
3.5 Usage data. Logs and metrics describing how you use the Service, such as which tools you have called, the success or failure of an operation, response times, error codes, and approximate timestamps. We use these for security, abuse prevention, debugging, and to understand how the Service is performing.
3.6 Technical data. IP address, user-agent string, device type and operating system as reported by your browser or client, session identifiers, and the language headers your client sends.
3.7 Communications. When you contact us, we keep the content of your message, your contact details, and any attachments you send.
3.8 Billing data (only when paid plans are introduced). If you become a paying customer, we (or our payment processor on our behalf) will collect billing details such as billing address, VAT number (if any), invoice history, and payment-method tokens. We do not store full card numbers ourselves.
3.9 Cookies and similar technologies. See Section 9.
We do not deliberately collect special categories of personal data within the meaning of Article 9 GDPR (for example data revealing health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or biometric or genetic data). Please do not include such data in your Content. To the extent your Content contains such data, you are responsible for the lawfulness of including it.
4. How we use personal data, and the legal bases we rely on
We process the personal data described above for the purposes set out below. For each purpose, we identify the legal basis on which we rely under Article 6(1) GDPR. Where we rely on legitimate interests, you have the right to object as described in Section 11.
4.1 To provide the Service to you (Article 6(1)(b), performance of a contract or pre-contractual steps). We use your Account data, Connected Account credentials and metadata, configuration data, Content (transiently), and usage data to operate the Service, authenticate you, connect you to the Connected Platforms you have chosen, and execute the actions you initiate (such as posting to LinkedIn or to WordPress).
4.2 To send you service-related communications (Article 6(1)(b)). We send you emails or in-product messages about your Account, security alerts, billing, and material changes to the Service or to these documents.
4.3 To keep the Service secure and prevent abuse (Article 6(1)(f), legitimate interests in protecting the Service, our users, and third parties from harm; in some cases also Article 6(1)(c), legal obligation). We use technical, usage, and Connected Account data to detect, prevent, investigate, and respond to fraud, abuse, security incidents, prompt injection, and breaches of the Terms.
4.4 To improve the Service (Article 6(1)(f), legitimate interests in improving and developing our product). We use aggregated and de-identified usage data, technical data, and metadata about errors and feature usage to improve performance, reliability, and the user experience. We do not use your Content to train any AI model and we do not allow our service providers to train models on your Content where that is contractually controllable.
4.5 To comply with legal obligations (Article 6(1)(c)). We process and retain certain data as required by Swedish accounting law (bokföringslagen), tax law, consumer-protection law, and applicable data-protection law. When paid plans launch, we will retain invoice and accounting records for the period required by Swedish law (currently seven years).
4.6 To process Content as a processor on your behalf (Article 28 GDPR). When you direct us to publish Content to a Connected Platform, or to relay it to a Third-Party LLM in the future, we act as a data processor on your behalf in respect of that Content, on your documented instructions. For Account data and similar information about you, we are the controller.
4.7 To handle legal claims (Article 6(1)(f), legitimate interests in establishing, exercising, or defending legal claims). We may retain and use certain data where necessary to defend ourselves or to enforce our rights.
4.8 To process payments (when paid plans launch) (Article 6(1)(b) and (c)). We use billing data to take payment, issue invoices, account for VAT, and meet related legal obligations.
4.9 To send marketing communications (only with your consent, Article 6(1)(a)). If we ever send marketing emails to you, we will only do so on the basis of your consent or, where applicable, a soft opt-in to similar products under PECR / GDPR rules. You can withdraw your consent at any time by clicking the unsubscribe link in the message or by emailing us.
We do not engage in automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
5. Who we share personal data with
We share personal data only as described below. We do not sell your personal data and we do not “share” it for cross-context behavioural advertising within the meaning of the CCPA.
5.1 OpenAI (operator of ChatGPT). Because PurposeWrite Publish is published in the OpenAI ChatGPT App Directory and is invoked from inside ChatGPT, certain data necessarily flows between OpenAI and us. When you connect or use the Service inside ChatGPT, OpenAI sends us the inputs and instructions necessary to call our tools (which may include the text you want to draft, edit, or publish). We send back only the data needed to fulfil the request. OpenAI’s processing of your prompts and conversations inside ChatGPT itself is governed by OpenAI’s own privacy policy and terms; we are not a controller for that processing.
5.2 Zernio (Publishing API Provider). We use Zernio (https://zernio.com) to handle OAuth connections to social platforms and to deliver Content to those platforms on your behalf. When you link a social Connected Account, the OAuth flow is performed by Zernio and the OAuth tokens are stored by Zernio, not by us. When you publish, we send the Content (and any attached images) and the relevant account reference to Zernio, which then makes the call to the social platform. Zernio acts as our sub-processor for this activity. Zernio’s processing of personal data outside this scope is governed by Zernio’s own privacy policy.
5.3 LinkedIn. When you publish Content to LinkedIn through the Service, the Content (and any attached images) is delivered to LinkedIn through Zernio so it can post on your behalf. We do not send LinkedIn any data beyond what is necessary to perform the requested action. LinkedIn’s processing of your account data, your post, and any associated metadata is governed by the LinkedIn Privacy Policy and the LinkedIn User Agreement.
5.4 Your self-hosted WordPress instance. When you publish to WordPress, we send the Content and any attached images directly to your own WordPress server, using the credentials you have provided. We have no relationship with the operator of the server you have chosen and no visibility into how it processes the data you direct to it.
5.5 Third-Party LLM providers (future). When we begin to call Third-Party LLMs from our backend to support advanced features, we will relay the relevant Content to those providers solely for the purpose of carrying out the operation you have requested. We will publish the list of LLM providers we use in our documentation and update this Notice. We will contractually require those providers not to train on your Content where their terms allow this.
5.6 Hosting and infrastructure providers. Our application and databases are hosted in Sweden (EU) by a third-party hosting provider acting as a data processor on our behalf. We use additional sub-processors for narrow technical purposes such as transactional email delivery and error monitoring. The current list of sub-processors is available on request from info@purposewrite.com.
5.7 Payment processors (future). When paid plans launch, we will use a third-party payment processor (such as Stripe) acting as a separate controller for fraud prevention and as our processor for the payment itself. Card data is handled directly by the processor and is not stored on our systems.
5.8 Professional advisers and authorities. We may share data with our auditors, lawyers, and accountants under duties of confidentiality, and with public authorities where required by law (for example a binding court order, a tax-law obligation, or a request from IMY or another supervisory authority).
5.9 Corporate transactions. If we are involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the counterparty subject to appropriate confidentiality undertakings, and we will inform you in line with applicable law.
6. International transfers
6.1 The primary processing of personal data takes place in Sweden, within the EU/EEA. Our hosting is located in Sweden.
6.2 However, the Service is by its nature connected to third parties that may process personal data outside the EU/EEA. In particular:
(a) OpenAI processes data in the United States and other jurisdictions in connection with ChatGPT. Where OpenAI Ireland Ltd. is your contracting party, the relevant intra-OpenAI transfers are covered by the EU Standard Contractual Clauses and (where the importer is certified) the EU–US Data Privacy Framework.
(b) Zernio may process and store data outside the EU/EEA. Where it does, we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum where UK GDPR data is involved, an adequacy decision, or other appropriate safeguards under Article 46 GDPR.
(c) LinkedIn Ireland Unlimited Company is the data controller for European LinkedIn users; certain processing takes place in the United States, with appropriate safeguards under the EU Standard Contractual Clauses and the EU–US Data Privacy Framework.
(d) Your self-hosted WordPress is hosted wherever you have chosen to host it. You decide whether that location is inside or outside the EU/EEA.
(e) Future Third-Party LLM providers may process data in the United States or other countries. Where this is the case we will rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, an adequacy decision, or other appropriate safeguards under Article 46 GDPR.
(f) Some sub-processors for specific operational tasks (such as email delivery or error monitoring) may host or replicate data in non-EEA countries; the same safeguards apply.
6.3 You can request a copy of, or further information about, the safeguards in place by emailing info@purposewrite.com.
7. Data retention
We keep personal data only for as long as we need it for the purposes described above, plus any retention period required by law.
7.1 Account data and Connected Account metadata. We retain these for the lifetime of your Account. If you delete your Account, we delete or anonymise this data within 30 days, except for items we are legally required to keep.
7.2 Connection credentials. For social platforms, the OAuth tokens are held by our Publishing API Provider and are deleted (or instructed to be deleted) when you disconnect the relevant Connected Account, when the token is revoked by the Connected Platform, or when you delete your Account; in each case as soon as reasonably possible and within seven days at the latest. For WordPress, we delete the encrypted credential we hold under the same triggers and within the same window. Where required by a Connected Platform’s policies, we apply shorter platform-specific deadlines (for example, the LinkedIn API requirement to delete certain data within 24 to 48 hours of revocation).
7.3 Content. We do not store Content. Content exists in memory only for the duration of the request and is discarded thereafter.
7.4 Usage and technical data. We retain non-aggregated logs for up to 12 months for security, abuse prevention, and operational reasons, and aggregated or de-identified usage data for longer.
7.5 Communications. We retain support correspondence for as long as needed to handle the matter and for a reasonable period afterwards (typically up to 24 months) so we can respond to follow-ups.
7.6 Billing and accounting records (future). We will retain invoices and accounting records for seven years from the end of the calendar year to which they relate, in accordance with the Swedish Accounting Act (bokföringslagen (1999:1078)).
7.7 Legal-hold data. Where data is reasonably necessary for the establishment, exercise, or defence of legal claims, we may retain it for the applicable limitation period.
8. Security
8.1 We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2 or higher) and at rest, scoped access tokens, role-based access controls, the principle of least privilege for staff, audit logging, monitoring for anomalous behaviour, dependency and vulnerability scanning, and a documented process for handling security incidents.
8.2 Despite these measures, no system is perfectly secure. If we become aware of a personal data breach affecting your data, we will assess and notify you and the supervisory authorities as required by law (in Sweden, the Integrity Protection Authority — Integritetsskyddsmyndigheten, “IMY”).
8.3 You also have a role to play. Keep your Account credentials, your ChatGPT account, and your Connected Accounts secure. Use strong, unique passwords and, where available, multi-factor authentication. Review the OAuth permissions you grant.
9. Cookies and similar technologies
9.1 At launch we use only the minimum cookies and local-storage entries needed to operate the Service: a session cookie to keep you signed in, security tokens to protect against cross-site request forgery, and a preferences entry to remember your language and theme. These are strictly necessary and do not require consent under the Swedish Electronic Communications Act or Article 5(3) of the ePrivacy Directive.
9.2 We do not use marketing or advertising cookies. We do not embed third-party tracking pixels.
9.3 If we add optional analytics or product-improvement cookies in the future, we will ask for your consent through a cookie banner before setting them, and you will be able to manage your choices at any time through a cookie-preferences link.
10. Children
The Service is not directed to children. You must be at least 18 years old to create an Account. We do not knowingly collect personal data from anyone under 16 (or, where lower under local law, the relevant age of digital consent, but in no event below 13). If we become aware that we have collected such data we will delete it. If you believe a child has provided us with personal data, please contact info@purposewrite.com.
11. Your data-protection rights (EU/EEA, UK, Switzerland)
If you are in the EU/EEA, the UK, or Switzerland, the GDPR or UK GDPR gives you a number of rights with respect to your personal data. Subject to legal exceptions, you can:
(a) Access (Art. 15). Ask us for a copy of the personal data we hold about you and information about how we process it.
(b) Rectification (Art. 16). Ask us to correct inaccurate personal data and complete incomplete data.
(c) Erasure (Art. 17). Ask us to delete your personal data when there is no good reason for us to keep processing it.
(d) Restriction (Art. 18). Ask us to suspend processing of your personal data in certain circumstances.
(e) Portability (Art. 20). Ask us to provide your personal data in a structured, commonly used, machine-readable format and, where technically feasible, transmit it to another controller.
(f) Object (Art. 21). Object to processing based on legitimate interests, including profiling. We will stop unless we have compelling legitimate grounds. You can always object to direct marketing.
(g) Withdraw consent (Art. 7(3)). Where we rely on your consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
(h) Lodge a complaint. With your local supervisory authority. In Sweden this is the Integrity Protection Authority (Integritetsskyddsmyndigheten, “IMY”), Box 8114, 104 20 Stockholm, www.imy.se. In the UK, the Information Commissioner’s Office (ICO), www.ico.org.uk. You can also complain to the supervisory authority in the country where you live or work.
To exercise your rights, contact us at info@purposewrite.com. We will respond within one month, although we may extend this period by up to two further months for complex requests, and we will tell you if we do. We may need to verify your identity before responding.
Providing your personal data is generally a contractual requirement. Without it, we cannot operate the Service for you.
12. Notice for California residents (CCPA / CPRA)
If you are a California resident, this section provides additional information required by the CCPA.
12.1 Categories of personal information collected (last 12 months). Identifiers (name, email, account ID, IP address); commercial information (when paid plans launch: subscription history, billing history); internet or other electronic network activity (usage logs, device and browser information); geolocation (coarse, derived from IP); inferences (limited; only basic preference inferences such as default Connected Account); and, as appropriate, contents of communications you send to us. The detail is in Section 3.
12.2 Sources. Directly from you; from OAuth identity providers (such as ChatGPT, LinkedIn, your WordPress instance); automatically from your interaction with the Service; from third-party service providers acting on our behalf.
12.3 Business purposes. As described in Section 4 of this Notice.
12.4 Categories of recipients. As described in Section 5 of this Notice.
12.5 Sale or sharing of personal information. We do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioural advertising.
12.6 Sensitive personal information. We do not process sensitive personal information for the purpose of inferring characteristics about you.
12.7 Retention. As described in Section 7 of this Notice.
12.8 Your CCPA rights. California residents have the right to know what personal information we have collected, to request deletion, to correct inaccurate information, to opt out of sale or sharing (although, as stated, we do not sell or share), to limit use of sensitive personal information (we do not use it for inference), and not to be discriminated against for exercising these rights. To exercise any of these rights, contact us at info@purposewrite.com. You may use an authorised agent; we may need verification.
13. Notice for UK residents
13.1 If you are in the United Kingdom, the UK GDPR applies. The rights described in Section 11 apply to you. Your supervisory authority is the Information Commissioner’s Office (ICO).
13.2 Where we transfer personal data out of the UK to a country without a UK adequacy regulation, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus any necessary supplementary measures following a transfer risk assessment.
14. Notice for users in other jurisdictions
If you are located outside the EU/EEA, the UK, Switzerland, and California, you may still have rights under your local data-protection or privacy laws. We will respond to verifiable requests in good faith.
15. Changes to this Privacy Notice
We may update this Notice from time to time. The “Last updated” date at the top reflects the most recent change. If we make material changes we will notify you, for example by email or in-product notice, and where required we will obtain your consent. We encourage you to review the Notice periodically.
16. How to contact us
For any privacy question, request, or concern:
PMAGI AB (“PurposeWrite Publish”)
Org. nr 556874-4592
Slumnäsvägen 59, 135 61 Tyresö, Sweden
Email: info@purposewrite.com
You can also contact our supervisory authority directly:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
www.imy.se
