Privacy Policy
Effective date: May 6, 2026
Delegate (operated by Tobination LLC) takes privacy seriously. This policy explains what data we collect, why, who we share it with, and how to contact us about it.
1. What we collect
- Audit intake data: business name, business type, headcount, role and task descriptions, pain points, your email address. Provided by you when you submit an intake form.
- Payment data: processed entirely by Stripe. We never see or store your card number. We store a Stripe customer ID and subscription/payment IDs to manage billing.
- Audit output: the analysis we generate, tied to the intake you submitted.
- Communication content: anything you send us via the contact form or email replies.
- Technical data: IP address (for rate limiting and abuse prevention), basic browser info (for compatibility). We use Google Analytics 4 to understand aggregate site usage (pages visited, traffic sources, device type) — no individual identification, no cross-site tracking, no advertising. We do not use marketing pixels, retargeting, or session-replay tools.
2. How we use it
- To generate your audit (intake → AI analysis → delivery)
- To deliver the audit and any follow-up subscription content (Pulse)
- To process payments through Stripe
- To respond to your contact form messages or email replies
- To improve the service (anonymized, aggregated learnings — no individual business data is used to improve the model or shared)
- To prevent abuse (rate limiting, spam filtering)
3. Who we share it with
- Stripe — payment processing
- Resend — transactional email delivery (audit delivery, receipts, monthly Pulse digests)
- Anthropic — AI processing. Your intake data is sent to Anthropic's API to generate the audit. Per Anthropic's terms, customer API data is not used for training.
- Google Analytics 4 — aggregate site usage measurement; data is processed by Google under their privacy terms. We do not use Google Analytics for advertising or remarketing.
- Supabase — database hosting. Your data is stored in Supabase's US-West infrastructure.
- Vercel — application hosting and CDN
- Upstash QStash — message queue for async processing (audit generation, scheduled emails)
We do not sell your data. We do not share it with advertisers or marketing networks. We do not use your audit content to train AI models.
4. Data retention
We retain your intake and audit data so you can re-access your audit indefinitely via your audit URL. If you want your data permanently deleted, contact us through our contact form and we'll do it within 30 days. Stripe-related records are retained as required by financial regulations (typically 7 years).
5. Your rights
- You can request a copy of all data we hold about you
- You can request correction of inaccurate data
- You can request permanent deletion (subject to financial record retention)
- You can opt out of any non-transactional email (transactional emails — audit delivery, payment receipts, subscription notices — are required to operate the service)
For any of these, use our contact form. We respond within one business day.
6. Security
- All data in transit is TLS-encrypted
- Database access is restricted via row-level security and service-role authentication
- API keys are managed in environment variables, never in source code
- Payment data never touches our servers (handled entirely by Stripe)
7. Cookies
The cookies we set are limited to:
- Google Analytics 4 (_ga, _ga_*) — aggregate site usage measurement. We do not use these for advertising.
- Referral attribution (delegate_ref) — set when a visitor arrives via a partner referral link, persists 30 days, used to credit the referring partner if the visitor purchases. HttpOnly, SameSite=Lax.
- Admin authentication — HTTP basic-auth credentials for the internal /admin dashboard. Set only when an authorized operator visits admin pages; not used for any public-facing functionality.
We do not use marketing, advertising, retargeting, session-replay, or cross-site tracking cookies.
8. Children
Delegate is for businesses, not individuals. We don't knowingly collect data from anyone under 18.
9. Changes to this policy
If we make material changes, we'll notify you by email at the address you used to purchase. The "effective date" at the top will reflect the most recent revision.
10. Contact
Questions, requests, or concerns? Use our contact form. We respond within one business day.
© 2026 Tobination LLC. Operating Delegate.