Privacy
Privacy Policy
How Tolstoy Compose handles local-first documents, accounts, billing, Teams, support information, and your privacy choices.
Last updated: 18 June 2026
The short version
Tolstoy Compose is local-first. We do not automatically upload your documents to us just because you write in the app.
Your drafts, notes, sources, review comments, versions and recovery data usually stay in your browser or in files you save. We process account, billing, Team, support and technical information only where those parts of the service need it.
We do not sell your personal data. We do not use advertising cookies. We do not use session replay. We do not use in-app product analytics at launch. We do not train AI systems on your documents. We do not run Tolstoy Compose as a cloud document storage service.
Local-first also means you have to save and back up important work. If your work only exists in browser storage and that storage is cleared, lost or damaged, we may not be able to recover it because we may never have had a copy.
Who we are
Tolstoy Compose is operated by Bhavesh Prabhakar, trading as Tolstoy Compose.
We are based in the United Kingdom. At the date of this policy, Tolstoy Compose is operated as a sole trader business, not as a limited company.
For privacy questions, contact us at:
Email: hello@createdbybhavesh.com
In this policy, “Tolstoy Compose”, “Compose”, “we”, “us” and “our” mean Bhavesh Prabhakar trading as Tolstoy Compose.
We do not have a Data Protection Officer. Privacy requests can be sent to the contact details above.
What stays local
Compose is designed so your writing can stay with you.
When you write in Compose, your work is usually stored in your browser or in files you choose to save or open yourself. That work may include:
- draft text;
- notes in the Shelf;
- sources and citations;
- review comments and suggestions;
- version history;
- recovery entries;
- document settings and appearance choices;
- imported and exported files;
.composefiles you save or open.
We do not automatically upload this document content to us just because you write in Compose.
You may choose to save .compose, DOCX, PDF or other files into your own cloud-synced folder, such as through your operating system, file picker or cloud storage provider. That is your own storage choice. It is not Tolstoy Compose cloud document storage.
Document content may reach us only if you choose to send it, upload it, paste it into a support message, attach it to an email, or use a future feature that clearly tells you it sends content outside your browser.
What we collect
Local document data
Compose may store document content locally in your browser and in files you save. This local data is controlled by your browser, device and backup choices, not by a central Compose document account.
If you clear browser storage, use private browsing, change browser profiles, uninstall the app, reset your device, or rely on browser settings that delete site data, local-only work may be deleted.
Account data
If you create an account, sign in, buy a plan or join a Team, we may process:
- your email address;
- your name, if provided;
- login and session records;
- account identifiers;
- plan status;
- account settings needed to provide the service.
We use this so Compose can recognise your account and give you the right level of access.
Billing data
Paid plans are handled through Stripe.
We may receive or store billing-related records such as:
- Stripe customer and subscription identifiers;
- plan, invoice and payment status;
- subscription quantity for Teams;
- billing portal status;
- tax, accounting and transaction records we need to keep.
Stripe handles payment method collection, payment processing, billing portal access, invoices and tax calculation where configured. We do not intentionally store your full card number in Compose.
Team data
If you use Teams, we may process:
- Team name;
- owner, admin or member roles;
- seat quantity and membership records;
- email addresses for invited or added members;
- Team setup and sign-in email records;
- account status needed to decide whether a Team has access.
Teams manages seats, billing and account access. It does not automatically make your documents cloud-shared with us or with other Team members.
Support data
If you contact us, we may process your email address, message content, troubleshooting details, attachments and any document content you choose to send.
Please do not send document content unless it is needed to solve the support issue. If you do send screenshots, .compose files, DOCX/PDF exports, pasted text or other document material, only send material you are allowed to share with us.
We use support material to understand and respond to your request. We do not use support material to train AI models.
Technical and security data
When you visit the website, use the app, sign in, buy a plan, or call server endpoints, we and our providers may process technical information such as:
- IP address;
- browser and device information;
- request time and URL;
- referrer information;
- server, security and diagnostic logs;
- cookie or session information needed for account, billing or checkout flows.
We use this to run the service, protect accounts, troubleshoot issues, monitor reliability and prevent misuse.
At launch, we do not use in-app product analytics, third-party crash reporting, session replay or advertising pixels. Cloudflare may provide default network, security and traffic information as part of hosting, security and delivery of the service.
Service emails
We may send service emails such as sign-in links, welcome messages, Team setup emails, account notices, billing-related messages and support replies.
We do not treat a service email as proof of paid access by itself. Paid access depends on account and billing records.
Why we use personal data
We use personal data to:
- provide the website and app;
- let you create and use an account;
- connect your account to the correct plan;
- process paid subscriptions through Stripe;
- manage Teams, seats and roles;
- send sign-in, account, support and service emails;
- maintain security and prevent abuse;
- troubleshoot and improve reliability;
- comply with legal, tax, accounting and regulatory duties;
- respond to privacy, support and legal requests.
Our lawful bases
Where UK GDPR applies, we rely on one or more of these lawful bases:
| Purpose | Lawful basis |
|---|---|
| Provide the app, accounts, paid plans and Teams | Contract |
| Process payments, subscriptions and billing records | Contract and legal obligation |
| Keep tax, accounting and business records | Legal obligation |
| Send sign-in, support and service emails | Contract or legitimate interests |
| Protect the service and investigate abuse | Legitimate interests |
| Respond to support and privacy requests | Contract, legitimate interests or legal obligation |
| Use optional analytics, if introduced later | Consent or another lawful basis explained before use |
| Use non-essential cookies or similar technologies, if introduced later | Consent where PECR requires it |
Who helps us provide Compose
We use trusted providers for parts of the service.
| Provider | What they help with |
|---|---|
| Cloudflare | Website and app hosting, serverless functions, security, routing, technical logs, default network analytics and caching |
| Supabase | Authentication, sessions and account-related database records |
| Stripe | Checkout, subscriptions, payment processing, tax calculation where configured, invoices, billing portal and payment status |
| Resend | Transactional and service email delivery |
These providers help us run specific parts of the service. We do not use them to turn Compose into a cloud document custody service.
We may also share information if required by law, to protect rights and safety, to prevent fraud or abuse, or as part of a business transfer or reorganisation.
International processing
We are based in the United Kingdom, but our users and providers may be in other countries. Your personal data may be processed outside the UK.
Our intended launch setup uses EU/Ireland-based regions where available for core provider services, but providers such as Cloudflare, Stripe, Supabase and Resend may process data in other countries through their infrastructure, subprocessors, support operations or legal compliance processes.
Where required, we use appropriate safeguards for international transfers. These may include adequacy regulations, standard contractual clauses, provider data processing terms, or other lawful safeguards.
How long we keep information
We keep information only for as long as we need it for the purposes described in this policy.
| Information | Retention approach |
|---|---|
| Local document content in your browser | Controlled by your browser and device settings, not by us |
.compose files and exports you save |
Controlled by you |
| Account records | Kept while your account is active and for a reasonable period afterwards |
| Billing, invoice, tax and accounting records | Kept as long as needed for legal, tax, accounting, billing and dispute purposes |
| Team membership and role records | Kept while needed to manage the Team and for a reasonable period afterwards |
| Support messages and attachments | Normally kept for up to 12 months after the request is resolved, unless needed longer for legal, billing, security, dispute or business-record reasons |
| Security and technical logs | Kept for a limited period unless needed to investigate abuse, errors, security events or legal issues |
If you request account deletion, we will delete or anonymise account data where reasonably possible, unless we need to keep records for legal, tax, accounting, billing, security, fraud-prevention or dispute reasons.
Security
We use reasonable technical and organisational measures to protect personal data. These include using trusted providers, server-side access controls, payment processing through Stripe, and security measures provided by our hosting and authentication services.
No online service, browser storage system or device is completely secure. You should protect your device, browser profile, email account and saved files, and you should keep backups of important work.
Your choices and rights
You can choose not to create an account, although some features may require one.
You can control local documents by saving, exporting, deleting or backing up your own files. You can also clear browser storage, but doing so may delete local-only work.
You can ask us to delete your account by emailing hello@createdbybhavesh.com.
Where UK GDPR applies, you may have rights to:
- access your personal data;
- correct inaccurate personal data;
- delete personal data;
- restrict or object to certain processing;
- receive certain data in a portable format;
- withdraw consent where processing is based on consent;
- complain to the UK Information Commissioner’s Office.
To exercise a right, contact us using the details above. We may need to verify your identity before responding.
Children and students
Compose may be useful to students and education users, but it is not intended for children under 13.
If you are 13 to 17, you may use Compose only with permission from a parent or guardian, or through an organisation that is responsible for your use. If you believe a child under 13 has provided personal data to us, contact us and we will take appropriate steps.
AI
Tolstoy Compose does not include AI writing, rewriting, summarising, citation-generation or document-analysis features at launch.
We do not use customer documents to train AI models.
If we introduce AI features later, we will update the relevant policies before launch of those features.
Changes to this policy
We may update this policy as the product, providers, law or business changes. If we make material changes, we will take reasonable steps to tell affected users.
Contact
For privacy questions, requests or concerns, contact:
Bhavesh Prabhakar trading as Tolstoy Compose
Email: hello@createdbybhavesh.com