Privacy Notice
Effective Date: 30 June 2026
Version: 3.0
This Privacy Notice explains what data we collect when you use webuydata.io, what we do with it, and what choices you have.
Read it alongside our Terms of Service.
1. Who We Are
webuydata.io is operated by Burleywhag Limited, a company registered in England and Wales under company number 17077813, registered office 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
Burleywhag Limited is the data controller responsible for the personal data we process about you. Because we are established in the UK, UK data protection law (UK GDPR and the Data Protection Act 2018) applies to our processing, in addition to the rights US users have under state privacy laws such as the California Consumer Privacy Act.
We are registered with the UK Information Commissioner's Office (ICO) under registration number ZC125602.
Privacy and data requests: privacy@webuydata.io
2. The Data We Collect
- Account data: your email address, your sign-in method (password or Google), your US state, and your month and year of birth.
- Chat data: the chat history you provide, either by uploading an export file or by using our Chrome extension. The extension reads your conversation history from ChatGPT (OpenAI), Claude (Anthropic), and Gemini (Google) from your own logged-in session on those sites, at your request, and sends it to us. It collects the same conversation data that those services' privacy export files contain.
- Technical data: IP address, device and browser information, and basic usage analytics.
- Communications: any emails you send us.
3. How We Handle Your Chat Data (Scrubbing and Retention)
When you provide chat data, we remove personal identifiers, including names, organisations, locations, email addresses, phone numbers, and similar details, using automated scrubbing.
We keep the scrubbed conversation text and metadata, to build anonymised research datasets about how people use AI assistants and to apply new analyses over time, until you ask us to delete it.
Scrubbing removes identifiers that software can detect, but not every detail. Your contribution may still contain personal or sensitive information, so it remains personal information under California law.
Each conversation records which provider it came from (ChatGPT, Claude, or Gemini).
4. How We Separate and Protect Your Data
We hold your data in three separate stores and control access to each:
- Identity store: your real identity, such as your email and login. It contains no conversation text and no demographics.
- Mapping store: the link between your identity and a random contributor ID. This link is separately protected. We use it only to act on your requests, such as deletion, and access to it is restricted and logged.
- Research store: your scrubbed conversation text, keyed to your contributor ID, together with your demographics (gender, month and year of birth, US state) and the provider. It contains no direct identity.
Our analysts and classifiers work only in the research store, on data keyed to a contributor ID rather than your identity.
We build aggregate datasets by combining many contributors' data into statistics and datasets that cannot be linked back to you. Once aggregate datasets are built, we cannot remove your data from them.
We protect against re-identification by:
- storing your month and year of birth rather than a full date, and deriving age ranges for any downstream or saleable use;
- holding location no finer than US state;
- suppressing or generalising rare demographic combinations in any output.
5. Sensitive Information in Your Chats
Your chats may contain sensitive information, for example about health, finances, or personal life. At signup you are asked for explicit consent to retain this information, as required by Article 9(2)(a) UK GDPR. You can withdraw it at any time by asking us to delete your contribution. Without this consent you cannot use the Service.
6. How We Use Your Data
- To run your account and compensate you.
- To scrub and retain your contribution, and to classify and analyse it, including by applying new analyses in the future.
- To build aggregate data products that we provide to our business and research customers.
- To send you essential service emails.
- To secure the Service and detect fraud and abuse.
- To comply with our legal obligations.
Our legal bases (UK GDPR)
For users protected by UK or EU law, we rely on:
- Your consent (Article 6(1)(a)) to retain your contribution, to classify and analyse it now and in the future, and to build aggregate data from it. You can withdraw consent at any time by requesting deletion.
- Your explicit consent (Article 9(2)(a)) for any special category data in your contribution, as described in Section 5.
- Performance of a contract (Article 6(1)(b)) to run your account and compensate you.
- Our legitimate interests (Article 6(1)(f)) to keep the Service secure and prevent fraud, where this is not overridden by your rights.
- Legal obligation (Article 6(1)(c)) where the law requires us to process data.
7. Who We Share Data With
We share personal information with service providers who may only use it to provide their service to us, for example hosting, database and authentication, email, and gift card fulfilment.
We share aggregate data with our business and research customers. This is not personal information and cannot identify you.
We may also share data with authorities where legally required, and with a successor entity if we sell or restructure our business.
We do not sell or share your individual personal information (your raw chat data, your account data, or your scrubbed contribution in the research store).
8. Your Privacy Rights
If you are a California resident, you have rights under the CCPA/CPRA. You can know what personal information we hold and how we use it, delete it, correct inaccurate information, opt out of any sale or sharing of your personal information, and limit the use of sensitive personal information.
If you are protected by UK or EU law, you also have the right to access your data, ask us to correct or delete it, restrict or object to certain processing, receive a copy in a portable format, and withdraw your consent at any time (withdrawal does not affect processing that was lawful before you withdrew).
To exercise any of these, email privacy@webuydata.io. We will verify your request and respond within the time the law allows. We will not discriminate against you for exercising your rights. If you are in the UK or EU, you can also complain to the ICO (ico.org.uk) or your local data protection authority.
On selling and sharing: at present we do not sell or share your individual personal information. We only sell and share aggregate data, which is not personal information.
On deletion: when you ask us to delete your data, we resolve your contributor ID through the mapping store and delete your scrubbed contribution from the research store, along with the identity and mapping records linked to you. Once aggregate datasets are built, we cannot remove your data from them. You keep any gift cards already paid to you.
9. Notice of Financial Incentive
We provide you a gift card in exchange for uploading your data. Under California law this is a "financial incentive," and we are required to describe it here.
- What the incentive is. A gift card for each valid upload. The current amount and any limits are shown in the Service before you upload.
- What data it relates to. The chat data you provide, and the scrubbed contribution we retain from it.
- How you join and how you withdraw. You join by signing up. You can withdraw at any time by closing your account and requesting deletion (Section 8).
- How we value the data. We make a good-faith estimate of the value of your data based on what we pay to acquire and process comparable data. The gift card reflects that value.
Participation is voluntary.
10. How Long We Keep Your Data
- Raw chat data: held only as long as needed to scrub it, then deleted.
- Scrubbed contribution (research store): retained so we can operate and develop our data products, including future analysis. Deleted within 30 days of a verified deletion request.
- Account data: kept while your account is active; deleted within 30 days of account closure (except records we must keep by law).
- Aggregate data: kept indefinitely. Not personal information and cannot be linked back to you.
- Communications and records: kept as long as needed to handle disputes and meet legal obligations.
11. International Transfers
Where we transfer personal data out of the UK, we use a legally recognized safeguard such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
12. Security
We use reasonable technical and organizational measures to protect your data.
13. Children
The Service is not for anyone under 18. You must confirm you are 18 or over to sign up. If we discover we have collected data from someone under 18, we will delete it and close the account.
14. Changes to This Notice
We may update this Notice from time to time. If we make material changes, we will tell you by email or through the Service before they take effect.