Wren Privacy Policy
Last updated: 2026-06-23 Version: 1.25
Wren ("the app") is a personal podcast app that turns saved articles into spoken audio digests. This policy explains what data we collect, why, and how it's handled.
What we collect
| Data | Why we collect it |
|---|---|
| Email address and (optionally) name | Account creation and authentication |
| Device fingerprint signals (browser / OS / IP characteristics) | Fraud prevention during sign-in, handled by our authentication provider; never used for advertising |
| Saved articles (title, URL, body text) — including PDFs and video transcripts you save | To generate your personalized podcast script. A PDF you save is read for its text; for a video you save, the video's existing transcript/captions are captured and used as the article text |
| Article images, and text recovered from them | To include visual references in your podcast transcript, and to recover meaningful text that appears inside images (infographics, slides, screenshots, scanned PDF pages) so it can be part of your podcast. Recovering this text sends the image (or scanned-PDF page) to our AI provider for transcription — see Third-party services |
| Podcast preferences (day of week, episode length, voice) | To generate and deliver your podcast on your schedule |
| Voice selection | To generate your audio podcast using your preferred voice (Kokoro or OpenAI, depending on your selection) |
| Tone preference (Pro) and topic category selection (Pro) | To customize how your podcast script is written and how it's organized — used only to parameterize your own generation, never shared with third parties |
| Device token | To send the push notifications you've enabled — for example when your podcast is ready, a day-before reminder for your next episode, or when you reach your monthly limit |
| Ingest email address | To let you forward articles to your queue via email |
| Usage analytics (app launches, article saves, playback activity, sign-in and account-deletion events) — and aggregate, cookieless page-view stats for the marketing site | To understand how the app is used and improve the product |
| Waitlist signup details (name, email, optional favorite podcast) | To contact you when a spot in the private beta becomes available |
| Subscription state (plan, period dates, source — web vs. Apple) | To know whether to give you Pro features. Card and bank details are held only by Stripe or Apple, never by Wren |
| Notification preferences (per-type toggles, quiet hours window) | To respect your choices about which notifications to send and when |
| Article capture method (Share Extension, Chrome extension, Chrome PDF, saved video, email, backend) and capture outcome (the site's domain, the content type, and whether capture succeeded or failed) | Diagnostic only — helps us prioritize fixes when content extraction fails for a specific publisher. These diagnostics record the site's domain (hostname only) and never the page's body content |
| Onboarding completion timestamps (when you finish first-run onboarding, and if you upgrade to Pro, when you finish the Pro-only mini-flow) | To remember that you've already completed onboarding so we don't ask you again on another device or after a re-install |
| Episode completion timestamp (when you've finished listening to an episode, either by reaching 90% played or by tapping "Mark as played") | To show you which episodes you've already heard in your History list |
| Email preferences (whether an email address has opted out of marketing email), keyed by email address | To honor your unsubscribe choice across the emails we send |
How we use your data
Your data is used solely to provide the Wren service to you:
- Articles you save are summarized into a podcast script using AI (Anthropic Claude)
- Text that appears inside images you save — including scanned PDF pages that have no selectable text — is recovered using AI (Anthropic Claude's vision capability) so it can be included in your podcast. We skip images that are clearly not content (logos, icons, avatars, tracking pixels) before sending anything, and we cap how many images per saved item are processed
- For a video you save, we capture the video's existing transcript/captions — in your browser when you save from the video page, or by fetching the publicly available transcript when you save a link — and use that text as the article. We do not download, process, or store the video or its audio
- The generated script is stored on our servers so you can listen in the app
- Your podcast script is converted to audio using one of two text-to-speech engines, chosen by your selected voice:
- Kokoro voices (Free tier): Your script text is sent in chapter-sized segments to a self-hosted Kokoro-82M model running on Modal Labs serverless GPU infrastructure, which returns audio. Modal does not receive your account identity (no email, name, or auth token) — only the script text and a voice id.
- OpenAI voices (Pro tier): Your script text is sent to OpenAI's text-to-speech API (tts-1) for synthesis.
- Fallback: If the Kokoro engine is unavailable when audio is being generated, your podcast falls back to OpenAI tts-1 for that single generation so the podcast still completes. The fallback uses one configured OpenAI voice for the entire podcast — voices are never mixed within a single episode.
- The returned audio is stored on our storage (Cloudflare R2) so you can listen in the app
- Your voice selection is stored to generate audio with your preferred voice
- Your device token is used only to notify you when your podcast is ready or if generation fails
- Account (transactional) email — sign-in links, password resets, account-deletion confirmation, beta invites and access codes, subscription notices — is always sent and is required to use Wren. If we send marketing email (such as a periodic digest or product announcement), every marketing email carries a one-click unsubscribe, and you can manage your marketing preference any time at
wrenpod.com/unsubscribe. A spam complaint or hard bounce automatically opts that address out of marketing email - Usage analytics events (such as app launches, article saves, and playback activity) are collected to help us understand how the app is used and improve the experience. Analytics events do not contain full article text, podcast scripts, or URLs with authentication tokens
Data retention
- Pro-tier-created podcasts: Audio + transcript + source articles are retained for 365 days from creation. After 365 days the full episode (audio, transcript, chapter metadata, and the source articles consumed by it) is deleted; the episode disappears from your history.
- Free-tier-created podcasts: Same data are retained for 90 days from creation, then fully deleted (same scope as Pro deletion above).
- Grandfathering across tier changes: A podcast's retention duration is determined by your tier when it was created and does NOT change if your tier changes later. If you were Pro when a podcast was generated and you later return to Free, that podcast keeps its 365-day retention. Podcasts you create after returning to Free use the 90-day retention.
- Generation limits: Free users can generate up to 2 podcasts per calendar month. Pro users can generate up to 6. Monthly counts reset on the 1st of each month (UTC). Mid-cycle Pro upgrades start the user fresh at 0 of 6.
- Article queue: Free users can save up to 15 articles at a time. Pro users have no queue cap. Articles consumed by a podcast are removed from the active queue.
- iOS Share Extension offline queue: If you share an article to Wren while not signed in (or while your session is expired), the captured content is held in a local container on your iOS device only — it is not transmitted to Wren's servers until the next time you open the Wren app with a valid session. This data never leaves your device until that drain step.
- On-device audio cache: For offline playback, Wren keeps your most recently generated podcast episodes cached on your device (up to the 9 most recent) — on iOS and Android. The cache is stored locally on your device only; no copy is sent to Wren or any third party as part of the caching process. The cache is excluded from device backup (iCloud on iOS; Android Auto Backup and device-to-device transfer on Android). The cache is cleared automatically when you sign out of the app or delete your account, and it can also be cleared manually from Settings → Downloads.
- Subscription records: Stripe and Apple IAP transaction records are retained for as long as your account exists, plus a grace period for billing reconciliation and (if applicable) refunds. Card numbers are never retained by Wren — only the payment processor holds those.
- Notification preferences and re-engagement state: Retained for the lifetime of your account; deleted with your account.
- Previous ingest email token after rotation: If you rotate your ingest email address (e.g., because the old one was exposed), the previous token remains accepted for a 72-hour grace period so any in-flight forwarded emails can still reach your queue. After 72 hours the previous token is purged from our database, and emails sent to the old ingest address are silently dropped.
Waitlist data
If you sign up for the private beta waitlist on wrenpod.com, we collect:
- Email address: required — so we can contact you when a spot becomes available
- Name (optional): to personalise the beta invitation when one is sent
- Listening devices (one or more, required): the set of platforms you plan to listen on (iPhone, iPad, Mac, Apple Watch, Android phone, Android tablet, Wear OS, Web, CarPlay, or Android Auto). Used to prioritise platform-specific beta cohorts and to gauge demand for platforms we haven't built support for yet (e.g., wearables)
- IP address and source: collected automatically for abuse prevention (e.g., rate limiting); not shown outside our internal admin view
- Confirmation token hash and expiry timestamp: transient (cleared after you confirm or after 7 days) — see "Email confirmation" below
- Failed-signup diagnostics: if a waitlist submission is dropped, rejected, or fails to complete (e.g., a failed bot challenge, a delivery error, or a validation error), we record the email address (when present), the reason, the time, and basic request context (IP, browser user-agent, source) in an internal diagnostics table. This lets us see and recover signups that would otherwise be silently lost, and detect abuse. It is visible only in our internal admin view, never shared, and retained on the same schedule as the rest of your waitlist entry
Email confirmation (double opt-in): When you submit the waitlist form, we send one confirmation email to the address you provided. Your waitlist entry is only treated as active once you click the link in that email. The link expires after 7 days. We will not contact you again unless you confirm — and even after confirming, the only email you'll receive is your eventual beta invitation. We store only a salted hash of the confirmation token, never the token itself; the raw token lives only in the email we send you.
Purpose: Waitlist data is used to invite you to the private beta when a spot opens. We do not share waitlist data with third parties. Any non-account email we send carries a one-click unsubscribe (see How we use your data).
Storage: Waitlist entries are stored in the same PostgreSQL database infrastructure as other Wren data (Railway, US region). The waitlist table is isolated from app user data.
Retention: Your waitlist entry is retained until one of the following:
- You accept a beta invitation and convert to a regular Wren account, at which point the waitlist entry is removed
- You email us to request removal (see Contact below); we will delete your entry within 30 days
- We close the private beta, at which point all remaining waitlist entries are deleted
Third-party services
We use the following services to operate Wren:
- Clerk — authentication. Stores your email, optional name, and password hash (for the email + password sign-in method) and issues the session tokens your devices use to talk to Wren. Collects device/bot signals during sign-in for fraud prevention only — never advertising
- Resend — email delivery. Sends authentication emails (sign-in links, password resets, email-change confirmations), the confirmation email you receive after deleting your account, the waitlist confirmation email (double opt-in), and any marketing email we send (e.g., a periodic digest), each carrying a one-click unsubscribe
- Anthropic Claude — AI-powered podcast script generation (your article text is sent to their API for processing). Also used to recover text from images and scanned PDFs you save: the image — or, for a scanned PDF, the document — is sent to their API for transcription. This is the only case where image or document content (not just article text) leaves Wren
- Apple Push Notification service (APNs) — push notification delivery to iOS devices
- Google Firebase (Firebase Cloud Messaging, FCM) — push notification delivery to Android devices. Receives your device's push registration token and the notification content (title and body) when an Android push is sent
- Postmark — inbound email processing
- OpenAI — text-to-speech audio generation for Pro-tier voices and as a fallback when the Kokoro engine is unavailable (your podcast script text is sent to their API for processing)
- Modal Labs — serverless GPU hosting for the self-hosted Kokoro-82M text-to-speech model used by Free-tier voices. Receives only chapter-sized segments of your podcast script text and a voice id; does not receive your account identity, email, or authentication token
- Railway — server hosting
- Cloudflare R2 — image and audio file storage
- Sentry — error tracking and application monitoring (technical error data is sent to their service for debugging)
- Slack — operator escalation channel. Receives Sentry alert notifications for urgent operational events (such as scheduled-job failures) so the operator can respond promptly. Slack receives only the same technical error context that Sentry has — no article content, no podcast script text, no payload data
- Cloudflare Turnstile — a privacy-preserving "are you human?" challenge shown on the waitlist form only when a submission looks suspicious (e.g., automated traffic). Turnstile receives browser challenge signals and your IP address to decide whether to present a challenge; it does not use this for advertising and does not track you across sites
- Vercel — marketing site hosting and privacy-friendly page-view analytics (
wrenpod.com). Vercel Web Analytics does not use cookies or persistent identifiers; visitor IP addresses are hashed and discarded. Page paths, referrer, browser, device type, and country (derived from IP) are collected for aggregate traffic stats only - Stripe — payment processing for Wren Pro subscriptions purchased on the web (
wrenpod.com) and for the $5 first-month promotional offer. Stripe receives your name, email, billing address, and payment method information when you complete a purchase. Wren stores only Stripe customer IDs, charge IDs, plan, and period dates — not card numbers. Stripe's own privacy policy applies to data they hold - Apple App Store / In-App Purchase — payment processing for Wren Pro subscriptions purchased inside the iOS app. Apple receives your payment information directly; Wren receives transaction IDs and entitlement metadata via Apple's App Store Server Notifications. Apple's privacy policy applies to data Apple holds. Apple Family Sharing is intentionally disabled on Wren Pro — Pro entitlement does not propagate to family members
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. Third-party services listed above receive only the data necessary to perform their function.
Data storage and security
- Your data is stored on servers hosted by Railway (US region)
- Authentication tokens are stored securely in your device's Keychain
- All communication between the app and our servers uses HTTPS encryption
- Article content and podcast scripts are retained until you delete your account
- Audio files for Free users are subject to the retention policy described above
- When you delete your account, all of the data Wren itself stores (articles, podcasts, audio files, preferences, and your sign-in identity at our authentication provider) is removed immediately in a single cascade. A nightly reconciliation job audits this and alerts us if any data was missed so we can complete the removal manually. One exception: residual operational records held by our email and error-monitoring processors — delivery and inbound-mail logs at Resend and Postmark, and error reports at Sentry that may reference your account — are not erased by that cascade; they expire on those providers' standard retention schedules instead
Your rights
You can permanently delete your Wren account at any time, directly from the app: open Settings → Delete account and confirm. Deletion is immediate and irreversible — it removes your saved articles, generated podcasts, audio files, voice selection, listening history, and your sign-in identity at our authentication provider in a single cascade. You will receive a confirmation email after deletion completes; it contains no recovery link because there is no recovery path. One caveat: residual operational records at our email and error-monitoring processors (delivery logs at Resend and Postmark, error reports at Sentry) are not part of that immediate cascade — they age out on those providers' standard retention schedules instead.
If you delete your account and later wish to use Wren again, sign in fresh from the welcome screen — you'll be treated as a brand-new account.
If you'd rather have us process the deletion on your behalf, email the address below and we'll handle it within 30 days.
Contact
If you have questions about this privacy policy or your data, contact:
Jason Grant jason@wrenpod.com
Changelog
| Version | Date | Changes |
|---|---|---|
| 1.25 | 2026-06-23 | Spec 056 (Android Phase C — Parity + Polish). Generalized the on-device audio cache disclosure to cover Android (identical to iOS): up to the 9 most recent episodes cached locally for offline playback, excluded from Android Auto Backup and device-to-device transfer, cleared automatically on sign-out and account deletion, and clearable from Settings → Downloads. No new data category and no new third-party processor — Android offline downloads stay entirely on-device. |
| 1.24 | 2026-06-20 | Spec 054 (Android Phase A platform prerequisites). Added Google Firebase (Firebase Cloud Messaging) as a sub-processor for Android push notification delivery — it receives your device push registration token and notification content (title/body) when an Android push is sent. No change for existing iOS users: APNs remains the iOS push provider and the Android push path ships dark (present but unexercised) until an Android client exists. No new data category — the device-token and notification disclosures already covered push. |
| 1.23 | 2026-06-10 | Spec 053 (Auth consolidation, part 2). Removed Supabase as a sub-processor. The "inbound email forwarding via a Supabase Function" entry was stale: inbound mail routes directly to Postmark (verified via DNS — the inbound. subdomain's MX records point at Postmark, and the domain's zone contains no Supabase records at all). Supabase holds no Wren data and the project is being closed. |
| 1.22 | 2026-06-10 | Spec 053 (Auth consolidation). Removed WorkOS as a sub-processor: the migration to Clerk completed (every account verified on Clerk before removal), WorkOS no longer receives or holds any user data, and the vendor account is being closed. Clerk is now the sole authentication provider. No change to what auth data is collected — only that one provider holds it instead of two. |
| 1.21 | 2026-06-09 | Spec 052 (LEGAL-005). Disclosed processor-side residual records (Resend/Postmark delivery logs, Sentry error reports) that expire on provider retention schedules rather than in the immediate deletion cascade. |
| 1.20 | 2026-06-06 | Spec 050 (Auth provider migration). Added Clerk as the authentication sub-processor (stores email, optional name, password hash; issues session tokens; collects device/bot signals for fraud prevention only). WorkOS is marked as being retired: during the migration it still verifies existing passwords so accounts move over without a reset, and is removed entirely once migration completes. No change to what auth data is collected — only which provider holds it. Ships with the migration cutover; remove the WorkOS entry at post-cutover cleanup. |
| 1.19 | 2026-06-03 | Spec 049 (Chrome Extension Capture Enrichment). New data flow: recovering text (OCR) from saved images and scanned PDFs now sends the image — or, for a scanned PDF, the document — to our AI provider (Anthropic) for transcription. This is the first time image/document content (not just article text) leaves Wren. A pre-filter skips obvious non-content images (logos, icons, avatars, tracking pixels) before anything is sent, and a per-item cap bounds how many images/pages are processed. Added PDF text extraction (a saved PDF is read for its text) and video transcript capture (a saved video's existing captions/transcript become the article text; the video itself is never downloaded, processed, or stored). Expanded the capture-method diagnostic to include Chrome-PDF and saved-video methods plus a capture-outcome record (site domain/hostname, content type, success/failure — never body content). No new third-party processor — image/PDF transcription reuses the existing Anthropic relationship. |
| 1.18 | 2026-05-30 | Spec 043 (Notifications Center & Lifecycle Reminders). Expanded the device-token disclosure: push notifications now also cover day-before episode reminders and monthly-limit notices (in addition to "your podcast is ready"). No new third-party processor, no new data category. (Changelog row backfilled in spec 047 — the v1.18 header was bumped in spec 043 without a matching row.) |
| 1.17 | 2026-05-26 | Spec 041 (Reliable & Observable Waitlist Signup). Added Cloudflare Turnstile as a sub-processor — a privacy-preserving challenge shown on the waitlist form only when a submission looks suspicious (receives browser challenge signals + IP for that decision; no advertising, no cross-site tracking). Added a failed-signup diagnostics record (email when present, reason, time, IP, browser user-agent, source) so dropped/failed waitlist submissions are visible and recoverable instead of silently lost; internal-admin-only, never shared, retained on the same schedule as the waitlist entry. |
| 1.16 | 2026-05-24 | Spec 038 (Email Preference & Unsubscribe Center). Added a marketing-email category with one-click unsubscribe (RFC 8058 / bulk-sender) and a self-service preference page (wrenpod.com/unsubscribe). New stored data: an email-preference/suppression record keyed by email address (whether the address has opted out of marketing). A spam complaint or hard bounce auto-opts the address out of marketing. Account (transactional) email is unaffected and cannot be opted out of. Resend now also delivers marketing email. |
| 1.15 | 2026-05-22 | Spec 036 (Player UX Hardening). Added on-device audio cache disclosure: Wren now caches up to the 9 most recent podcast episodes locally on your iOS device for offline playback. The cache is excluded from iCloud backup, cleared automatically on sign-out and account deletion, and can be cleared manually from Settings → Manage downloads. No new third-party processor; no new data collected on Wren's servers. |
| 1.14 | 2026-05-21 | Spec 033 (Marketing Site Refresh). Waitlist form v2: name is now optional; "favorite podcast" field removed; new required "listening devices" multi-select (iPhone, iPad, Mac, Android phone, Android tablet, Web, CarPlay, Android Auto). Added double opt-in (email confirmation) for waitlist signups — entries are only treated as active once you click the link in the confirmation email (7-day expiry). Added the confirmation-token hash and expiry timestamp as transient stored fields; the raw confirmation token is never persisted. Resend now also sends the waitlist confirmation email. |
| 1.13 | 2026-05-20 | Spec 032 (Pre-Waitlist Hardening). Added Slack as a sub-processor for operator-side escalation of urgent Sentry alerts (technical error context only — no user content). Noted that a previous ingest email token is retained for a 72-hour grace period after rotation, then purged. |
| 1.12 | 2026-05-17 | Internal version (no public-facing changes) |
| 1.11 | 2026-05-16 | Spec 029 (Wave 3 — Habits + Commerce). Added Stripe as the payment processor for web subscriptions and the $5 first-month promotional offer; Stripe holds card data, Wren stores only transaction/customer IDs. Added Apple App Store In-App Purchase as the payment processor for iOS-initiated subscriptions; Apple holds card data, Wren stores transaction IDs only. Apple Family Sharing intentionally disabled — Pro entitlement does not propagate to family members. Updated retention policy: per-podcast retention is now determined by your tier when the podcast was created (Free 90 days, Pro 365 days) and is grandfathered across subsequent tier changes; at retention expiry the full episode (audio + transcript + chapter metadata + source articles consumed by it) is deleted. Free article queue cap raised 10 → 15. Added notification preferences (per-type toggles + quiet hours) stored on the user record. Added re-engagement state tracking (last article save, last app open, last re-engagement notification) for inactivity nudges with a 5-day cap. Added iOS Share Extension offline queue (on-device only, drained on next app open with valid session). Added iOS→web handoff token mechanism (short-lived, single-use, signed) for the $5 trial purchase path so the user's iOS-app identity carries to the web checkout without duplicate-account risk. |
| 1.10 | 2026-05-15 | Internal version (no public-facing changes) |
| 1.9 | 2026-05-13 | Migrated authentication from Supabase to WorkOS. Added WorkOS as the authentication sub-processor (stores email, optional name, password hash, and device fingerprint signals via Radar for fraud prevention). Added Resend as the transactional email sub-processor (sign-in links, password resets, email-change confirmations, account-deletion confirmation). Supabase remains as a sub-processor only for inbound email forwarding via a Supabase Function. Documented the new in-app account deletion flow (Settings → Delete account, immediate hard delete with confirmation email and a nightly reconciliation audit). |
| 1.8 | 2026-05-04 | Added Vercel Web Analytics on the marketing site (cookieless, no persistent identifiers); added Vercel as a sub-processor for marketing-site hosting and analytics |
| 1.7 | 2026-05-03 | Re-introduced Kokoro-82M text-to-speech for Free-tier voices, now hosted on Modal Labs serverless GPU. Added Modal Labs as a sub-processor that receives chapter-sized script text and a voice id (no account identity). OpenAI tts-1 remains the engine for Pro voices and is used as the fallback when Kokoro is unavailable; voices are never mixed within a single podcast |
| 1.6 | 2026-04-22 | Switched to OpenAI tts-1 as the sole TTS provider for all users; removed self-hosted Kokoro TTS |
| 1.5 | 2026-04-22 | Added Waitlist data section covering the marketing site signup (name, email, optional favorite podcast) |
| 1.4 | 2026-04-18 | Added usage analytics data collection disclosure; added Sentry as third-party service for error tracking |
| 1.3 | 2026-04-14 | Re-added OpenAI TTS as optional third-party processor for Pro users who select an OpenAI voice; standard Kokoro voices remain self-hosted |
| 1.2 | 2026-04-12 | Removed OpenAI as third-party TTS processor (replaced with self-hosted Kokoro); added Free tier audio retention and deletion policy; added generation limits and article queue limits disclosure; updated voice selection description |
| 1.1 | 2026-04-05 | Added OpenAI as third-party processor for Pro TTS audio; added voice selection data collection; updated Cloudflare R2 description to include audio storage |
| 1.0 | 2026-04-04 | Initial version for private beta launch |