Wren Privacy Policy
Last updated: 2026-05-17 Version: 1.12
Wren ("the app") is a personal podcast app that turns saved articles into spoken audio digests. This policy explains what data we collect, why, and how it's handled.
What we collect
| Data | Why we collect it |
|---|---|
| Email address and (optionally) name | Account creation and authentication |
| Device fingerprint signals (browser / OS / IP characteristics) | Fraud prevention during sign-in, handled by our authentication provider; never used for advertising |
| Saved articles (title, URL, body text) | To generate your personalized podcast script |
| Article images | To include visual references in your podcast transcript |
| Podcast preferences (day of week, episode length, voice) | To generate and deliver your podcast on your schedule |
| Voice selection | To generate your audio podcast using your preferred voice (Kokoro or OpenAI, depending on your selection) |
| Tone preference (Pro) and topic category selection (Pro) | To customize how your podcast script is written and how it's organized — used only to parameterize your own generation, never shared with third parties |
| Device token | To send push notifications when your podcast is ready |
| Ingest email address | To let you forward articles to your queue via email |
| Usage analytics (app launches, article saves, playback activity, sign-in and account-deletion events) — and aggregate, cookieless page-view stats for the marketing site | To understand how the app is used and improve the product |
| Waitlist signup details (name, email, optional favorite podcast) | To contact you when a spot in the private beta becomes available |
| Subscription state (plan, period dates, source — web vs. Apple) | To know whether to give you Pro features. Card and bank details are held only by Stripe or Apple, never by Wren |
| Notification preferences (per-type toggles, quiet hours window) | To respect your choices about which notifications to send and when |
| Article capture method (Share Extension, Chrome extension, email, backend) | Diagnostic only — helps us prioritize fixes when content extraction fails for a specific publisher |
| Onboarding completion timestamps (when you finish first-run onboarding, and if you upgrade to Pro, when you finish the Pro-only mini-flow) | To remember that you've already completed onboarding so we don't ask you again on another device or after a re-install |
| Episode completion timestamp (when you've finished listening to an episode, either by reaching 90% played or by tapping "Mark as played") | To show you which episodes you've already heard in your History list |
How we use your data
Your data is used solely to provide the Wren service to you:
- Articles you save are summarized into a podcast script using AI (Anthropic Claude)
- The generated script is stored on our servers so you can listen in the app
- Your podcast script is converted to audio using one of two text-to-speech engines, chosen by your selected voice:
- Kokoro voices (Free tier): Your script text is sent in chapter-sized segments to a self-hosted Kokoro-82M model running on Modal Labs serverless GPU infrastructure, which returns audio. Modal does not receive your account identity (no email, name, or auth token) — only the script text and a voice id.
- OpenAI voices (Pro tier): Your script text is sent to OpenAI's text-to-speech API (tts-1) for synthesis.
- Fallback: If the Kokoro engine is unavailable when audio is being generated, your podcast falls back to OpenAI tts-1 for that single generation so the podcast still completes. The fallback uses one configured OpenAI voice for the entire podcast — voices are never mixed within a single episode.
- The returned audio is stored on our storage (Cloudflare R2) so you can listen in the app
- Your voice selection is stored to generate audio with your preferred voice
- Your device token is used only to notify you when your podcast is ready or if generation fails
- Your email is used only for authentication and the occasional transactional message (sign-in link, password reset, account-deletion confirmation) — we do not send marketing emails
- Usage analytics events (such as app launches, article saves, and playback activity) are collected to help us understand how the app is used and improve the experience. Analytics events do not contain full article text, podcast scripts, or URLs with authentication tokens
Data retention
- Pro-tier-created podcasts: Audio + transcript + source articles are retained for 365 days from creation. After 365 days the full episode (audio, transcript, chapter metadata, and the source articles consumed by it) is deleted; the episode disappears from your history.
- Free-tier-created podcasts: Same data are retained for 90 days from creation, then fully deleted (same scope as Pro deletion above).
- Grandfathering across tier changes: A podcast's retention duration is determined by your tier when it was created and does NOT change if your tier changes later. If you were Pro when a podcast was generated and you later return to Free, that podcast keeps its 365-day retention. Podcasts you create after returning to Free use the 90-day retention.
- Generation limits: Free users can generate up to 2 podcasts per calendar month. Pro users can generate up to 6. Monthly counts reset on the 1st of each month (UTC). Mid-cycle Pro upgrades start the user fresh at 0 of 6.
- Article queue: Free users can save up to 15 articles at a time. Pro users have no queue cap. Articles consumed by a podcast are removed from the active queue.
- iOS Share Extension offline queue: If you share an article to Wren while not signed in (or while your session is expired), the captured content is held in a local container on your iOS device only — it is not transmitted to Wren's servers until the next time you open the Wren app with a valid session. This data never leaves your device until that drain step.
- Subscription records: Stripe and Apple IAP transaction records are retained for as long as your account exists, plus a grace period for billing reconciliation and (if applicable) refunds. Card numbers are never retained by Wren — only the payment processor holds those.
- Notification preferences and re-engagement state: Retained for the lifetime of your account; deleted with your account.
Waitlist data
If you sign up for the private beta waitlist on wrenpod.com, we collect:
- Name and email address: required — so we can contact you when a spot becomes available
- Favorite podcast (optional): to help us understand the taste of people who want Wren
- IP address and source: collected automatically for abuse prevention (e.g., rate limiting); not shown outside our internal admin view
Purpose: Waitlist data is used solely to invite you to the private beta when a spot opens. We do not send marketing emails and we do not share waitlist data with third parties.
Storage: Waitlist entries are stored in the same PostgreSQL database infrastructure as other Wren data (Railway, US region). The waitlist table is isolated from app user data.
Retention: Your waitlist entry is retained until one of the following:
- You accept a beta invitation and convert to a regular Wren account, at which point the waitlist entry is removed
- You email us to request removal (see Contact below); we will delete your entry within 30 days
- We close the private beta, at which point all remaining waitlist entries are deleted
Third-party services
We use the following services to operate Wren:
- WorkOS — authentication. Stores your email, optional name, and password hash (for the email + password sign-in method). Issues the session tokens your devices use to talk to Wren. WorkOS's Radar feature collects device fingerprint signals during sign-in (browser, OS, IP characteristics) for fraud prevention only — never advertising
- Resend — transactional email delivery. Sends authentication emails (sign-in links, password resets, email-change confirmations) and the confirmation email you receive after deleting your account
- Supabase — inbound email forwarding. The Wren ingest address (forwarding articles by email) routes through a Supabase Function; Supabase no longer handles authentication
- Anthropic Claude — AI-powered podcast script generation (your article text is sent to their API for processing)
- Apple Push Notification service (APNs) — push notification delivery
- Postmark — inbound email processing
- OpenAI — text-to-speech audio generation for Pro-tier voices and as a fallback when the Kokoro engine is unavailable (your podcast script text is sent to their API for processing)
- Modal Labs — serverless GPU hosting for the self-hosted Kokoro-82M text-to-speech model used by Free-tier voices. Receives only chapter-sized segments of your podcast script text and a voice id; does not receive your account identity, email, or authentication token
- Railway — server hosting
- Cloudflare R2 — image and audio file storage
- Sentry — error tracking and application monitoring (technical error data is sent to their service for debugging)
- Vercel — marketing site hosting and privacy-friendly page-view analytics (
wrenpod.com). Vercel Web Analytics does not use cookies or persistent identifiers; visitor IP addresses are hashed and discarded. Page paths, referrer, browser, device type, and country (derived from IP) are collected for aggregate traffic stats only - Stripe — payment processing for Wren Pro subscriptions purchased on the web (
wrenpod.com) and for the $5 first-month promotional offer. Stripe receives your name, email, billing address, and payment method information when you complete a purchase. Wren stores only Stripe customer IDs, charge IDs, plan, and period dates — not card numbers. Stripe's own privacy policy applies to data they hold - Apple App Store / In-App Purchase — payment processing for Wren Pro subscriptions purchased inside the iOS app. Apple receives your payment information directly; Wren receives transaction IDs and entitlement metadata via Apple's App Store Server Notifications. Apple's privacy policy applies to data Apple holds. Apple Family Sharing is intentionally disabled on Wren Pro — Pro entitlement does not propagate to family members
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. Third-party services listed above receive only the data necessary to perform their function.
Data storage and security
- Your data is stored on servers hosted by Railway (US region)
- Authentication tokens are stored securely in your device's Keychain
- All communication between the app and our servers uses HTTPS encryption
- Article content and podcast scripts are retained until you delete your account
- Audio files for Free users are subject to the retention policy described above
- When you delete your account, all of your data (articles, podcasts, audio files, preferences, and your sign-in identity at our authentication provider) is removed immediately. A nightly reconciliation job audits this and alerts us if any data was missed so we can complete the removal manually
Your rights
You can permanently delete your Wren account at any time, directly from the app: open Settings → Delete account and confirm. Deletion is immediate and irreversible — it removes your saved articles, generated podcasts, audio files, voice selection, listening history, and your sign-in identity at our authentication provider in a single cascade. You will receive a confirmation email after deletion completes; it contains no recovery link because there is no recovery path.
If you delete your account and later wish to use Wren again, sign in fresh from the welcome screen — you'll be treated as a brand-new account.
If you'd rather have us process the deletion on your behalf, email the address below and we'll handle it within 30 days.
Contact
If you have questions about this privacy policy or your data, contact:
Jason Grant jason@wrenpod.com
Changelog
| Version | Date | Changes |
|---|---|---|
| 1.11 | 2026-05-16 | Spec 029 (Wave 3 — Habits + Commerce). Added Stripe as the payment processor for web subscriptions and the $5 first-month promotional offer; Stripe holds card data, Wren stores only transaction/customer IDs. Added Apple App Store In-App Purchase as the payment processor for iOS-initiated subscriptions; Apple holds card data, Wren stores transaction IDs only. Apple Family Sharing intentionally disabled — Pro entitlement does not propagate to family members. Updated retention policy: per-podcast retention is now determined by your tier when the podcast was created (Free 90 days, Pro 365 days) and is grandfathered across subsequent tier changes; at retention expiry the full episode (audio + transcript + chapter metadata + source articles consumed by it) is deleted. Free article queue cap raised 10 → 15. Added notification preferences (per-type toggles + quiet hours) stored on the user record. Added re-engagement state tracking (last article save, last app open, last re-engagement notification) for inactivity nudges with a 5-day cap. Added iOS Share Extension offline queue (on-device only, drained on next app open with valid session). Added iOS→web handoff token mechanism (short-lived, single-use, signed) for the $5 trial purchase path so the user's iOS-app identity carries to the web checkout without duplicate-account risk. |
| 1.10 | 2026-05-15 | Internal version (no public-facing changes) |
| 1.9 | 2026-05-13 | Migrated authentication from Supabase to WorkOS. Added WorkOS as the authentication sub-processor (stores email, optional name, password hash, and device fingerprint signals via Radar for fraud prevention). Added Resend as the transactional email sub-processor (sign-in links, password resets, email-change confirmations, account-deletion confirmation). Supabase remains as a sub-processor only for inbound email forwarding via a Supabase Function. Documented the new in-app account deletion flow (Settings → Delete account, immediate hard delete with confirmation email and a nightly reconciliation audit). |
| 1.8 | 2026-05-04 | Added Vercel Web Analytics on the marketing site (cookieless, no persistent identifiers); added Vercel as a sub-processor for marketing-site hosting and analytics |
| 1.7 | 2026-05-03 | Re-introduced Kokoro-82M text-to-speech for Free-tier voices, now hosted on Modal Labs serverless GPU. Added Modal Labs as a sub-processor that receives chapter-sized script text and a voice id (no account identity). OpenAI tts-1 remains the engine for Pro voices and is used as the fallback when Kokoro is unavailable; voices are never mixed within a single podcast |
| 1.6 | 2026-04-22 | Switched to OpenAI tts-1 as the sole TTS provider for all users; removed self-hosted Kokoro TTS |
| 1.5 | 2026-04-22 | Added Waitlist data section covering the marketing site signup (name, email, optional favorite podcast) |
| 1.4 | 2026-04-18 | Added usage analytics data collection disclosure; added Sentry as third-party service for error tracking |
| 1.3 | 2026-04-14 | Re-added OpenAI TTS as optional third-party processor for Pro users who select an OpenAI voice; standard Kokoro voices remain self-hosted |
| 1.2 | 2026-04-12 | Removed OpenAI as third-party TTS processor (replaced with self-hosted Kokoro); added Free tier audio retention and deletion policy; added generation limits and article queue limits disclosure; updated voice selection description |
| 1.1 | 2026-04-05 | Added OpenAI as third-party processor for Pro TTS audio; added voice selection data collection; updated Cloudflare R2 description to include audio storage |
| 1.0 | 2026-04-04 | Initial version for private beta launch |