Privacy Policy
Last updated: 11 April 2026
1. Who We Are
Data Controller: FatCat Capital Limited (CRO: 806050), Ireland.
Contact: support@secondlayer.app
This Privacy Policy explains how we collect, use, and protect personal data in connection with SecondLayer, in accordance with the General Data Protection Regulation (GDPR) and applicable Irish data protection law.
2. What Data We Collect
- Account data: name and email address, collected via Clerk when you create an account or sign in.
- Document content: text you submit for analysis. This is processed to generate your analysis result and is not permanently stored unless you are a signed-in subscriber.
- Analysis results: stored and linked to your account for signed-in users, allowing you to revisit past analyses.
- Payment data: billing name, email, and address collected at checkout. Card details are processed exclusively by Stripe; we never store card numbers.
- Usage data: pages visited, features used, and quota information for rate limiting purposes.
- Cookies: session cookies (via Clerk) and an anonymous user identifier (sl_anon_id) used for Pay Per Use purchases. The sl_anon_id cookie has a 30-day expiry.
2a. Password-Protected Documents
If you upload a password-protected PDF, SecondLayer will prompt you to enter the document password. The following applies to any password you provide:
- The password is used solely to decrypt the document on our server for the purpose of text extraction.
- It is held in memory only for the duration of the extraction request and is discarded immediately afterwards.
- It is never written to any log file, database, or storage system.
- It is never transmitted to any third party, including OpenAI or any other AI provider.
- It is never included in, or sent alongside, the document text that is submitted for analysis.
- A maximum of three password attempts is permitted per upload session. After three failed attempts, the session is reset and the document must be re-uploaded.
- We recommend that you use a copy of the document with password protection removed if you are not comfortable entering the password in a web application.
3. How We Use Your Data
- To provide the document analysis service you requested.
- To process payments and issue receipts.
- To send your analysis PDF and payment receipt by email (Pay Per Use purchases).
- To maintain your analysis history and account (signed-in subscribers).
- To enforce usage limits and prevent abuse.
- To improve the service through aggregate, anonymised usage analysis.
We do not sell your data to third parties. We do not use your documents or analysis results to train AI models.
4. Legal Basis for Processing
- Contract performance: processing your document and delivering your analysis is necessary to fulfil the service you purchased.
- Legitimate interests: improving the service, preventing fraud, enforcing usage limits, and maintaining service security.
- Consent: where you have explicitly provided consent, such as accepting these terms before using the service.
- Legal obligation: retaining payment records as required by Irish tax law.
5. Data Retention
- Anonymous PPU analyses: retained for 30 days, then deleted.
- Signed-in user analyses: retained while your account is active. Deleted 90 days after account closure or deletion request.
- Payment records: retained for 7 years in accordance with Irish tax law.
- Account data: deleted promptly on receipt of a valid account closure or deletion request.
6. Your Rights Under GDPR
Under GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your personal data ("right to be forgotten"), subject to legal retention obligations.
- Restrict processing of your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests.
To exercise any of these rights, contact support@secondlayer.app. We will respond within 30 days.
7. Third-Party Services
- Clerk — authentication and account management.
- Stripe — payment processing. Stripe processes card data under their own PCI-DSS compliant terms.
- Supabase — database storage for analysis results and purchase records. Hosted in an EU region.
- OpenAI — document analysis. Your document content is sent to OpenAI's API for analysis. Under our API agreement, OpenAI does not use API inputs to train its models.
- Resend — transactional email delivery (receipts and analysis PDFs).
- Redis (Railway) — rate limiting and quota tracking.
8. Cookies
We use essential cookies only:
- Authentication session cookies (Clerk) — required for signed-in user sessions.
- Anonymous user ID (sl_anon_id) — a UUID set when an anonymous user makes a Pay Per Use purchase. Expires after 30 days. Required to retrieve your analysis after payment.
We do not use advertising cookies, tracking pixels, or third-party analytics.
9. International Data Transfers
Some of our third-party providers (including OpenAI and Clerk) may process data outside the EEA. Where this occurs, we rely on Standard Contractual Clauses or other appropriate GDPR safeguards to ensure an adequate level of data protection.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be notified by email or by a prominent notice on the site.
11. Contact and Complaints
Data Controller: FatCat Capital Limited
support@secondlayer.app
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Data Protection Commission Ireland: dataprotection.ie