thirtyseven is a product of [CONTROLLER_NAME] ("we", "us"), based in the United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for the personal data described in this notice.

Registered address: [CONTROLLER_ADDRESS]. Company number: [COMPANY_NUMBER]. ICO registration: [ICO_REGISTRATION]. You can reach us any time at hello@thirtyseven.ai.

Waitlist (website)

If you submit the waitlist form, we store the email address you provide and the time you submitted it. Nothing else.

App usage (on-device)

The thirtyseven iPad app is local-first. Your canvases, drafts, prompts, and generated outputs live on your device. We do not sync, upload, read, or back up that content.

When you run a node

Running a node sends a request from your device directly to the model provider you chose (for example Anthropic, Google, Recraft, ElevenLabs, or Runway), using your own API key or credits. The request and response pass between your iPad and the provider. We are not in that loop and we do not see the content.

Server logs

Our web and email hosts keep short-lived operational logs (IP address, user-agent, timestamps) for security, abuse prevention, and debugging. These are not used to profile you.

• To email you a TestFlight invite and occasional release notes if you joined the waitlist.
• To reply when you contact us.
• To keep the service secure and the infrastructure healthy.
• To comply with our legal obligations.

Under Article 6 of the UK GDPR, we rely on the following lawful bases:

• Consent — for adding you to the waitlist and sending you marketing emails. You can withdraw consent at any time.
• Legitimate interests — for minimal server logging needed to operate and secure the service. We balance this against your rights; if you object, get in touch.
• Contract — if and when you sign up to a paid plan, to deliver the service you've paid for.
• Legal obligation — where a law requires us to retain or produce information (for example tax records).

We keep the list short and we name them:

• Resend — delivers our transactional and waitlist emails.
• Vercel — hosts this website and its logs.
• Apple — distributes the app via TestFlight and, later, the App Store. Apple's privacy notice applies to anything you do in those surfaces.
• The model providers you choose — Anthropic, Google, Recraft, ElevenLabs, Runway, and similar. You connect to them with your own credentials, so their privacy policies apply to that traffic.

We do not sell your personal data, and we do not share it with advertisers.

Some of the processors above are based outside the United Kingdom, including in the European Economic Area and the United States. Where data is transferred outside the UK, we rely on appropriate safeguards — the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or adequacy decisions — to protect it.

• Waitlist email — until you unsubscribe, or 24 months after your last interaction with us, whichever comes first.
• Email correspondence — up to 24 months after the conversation ends, so we have context if you write back.
• Server logs — typically 30 days, occasionally longer where we are investigating an incident.
• Records we must keep by law (for example tax) — for the period required by that law.

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Ask us to correct it if it's wrong.
• Ask us to erase it.
• Restrict or object to how we use it.
• Receive a copy in a portable format.
• Withdraw consent at any time (this doesn't affect what we did before).
• Complain to the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/ — though we'd appreciate the chance to fix things first.

To exercise any of these, email hello@thirtyseven.ai. We aim to respond within one month.

thirtyseven is built for working creatives. It is not aimed at children, and we don't knowingly collect personal data from anyone under 16. If you think a child has signed up, email us and we'll remove their information.

The best security is not collecting data in the first place, which is why the app is local-first. Where we do hold data — your waitlist email, server logs — it travels over TLS, is stored on reputable hosts with encryption at rest, and is accessible only to the small number of people who need it. No system is perfectly secure, but we take it seriously.

We'll update this page when our practices change and revise the effective date at the top. If the change is material and affects you directly (for example a new processor receiving waitlist emails), we'll email waitlisters to let you know.

Questions, corrections, or data requests: hello@thirtyseven.ai. Post: [CONTROLLER_NAME], [CONTROLLER_ADDRESS].