Privacy Policy
Last updated: 2026-05-10
Pending external review. This is the working draft until counsel signs off. Changes will be flagged in the changelog.
What we collect
- Account data from GitHub OAuth: id, username, display name, email, avatar.
- Usage data: which pages you visit, which CTAs you click, scroll depth, tool runs you submit, MCP/ACP calls you make.
- Wallet + billing: top-up amounts, debits per call. Stripe handles card data — we never see it.
- Logs: AI Gateway request metadata (model, tokens, latency, cost). Prompt/response payloads are retained for 30 days for debugging, then aggregated and deleted.
Analytics & tracking vendors
We route every analytics event through one in-house tracker (src/lib/analytics) that fans out to the vendors below. Each vendor self-disables when its API key isn't configured, so the list reflects what's actually live, not what's in the codebase.
- Google Analytics 4 (legitimate-interest, first-party): page views, CTA clicks, scroll depth, lead conversions. Property G-4K24EGQ0S8.
- Google Tag Manager (legitimate-interest, first-party): only when configured; lets us add ad-platform tags without redeploys.
- Cloudflare Web Analytics (legitimate-interest, first-party, cookieless): aggregate page-view stats from the edge.
- Meta Pixel (consent-gated): only fires after you click Accept on the cookie banner. Used for retargeting and conversion attribution. Standard event vocabulary (PageView, Lead).
- LinkedIn Insight Tag (consent-gated): only fires after Accept. Used for B2B conversion attribution.
We honor the Global Privacy Control (GPC) header — if your browser sends it, every tracker above is suppressed, no exceptions. Older Do Not Track (DNT) signals suppress the consent-gated ad pixels but leave first-party analytics on.
Where it's stored
- Cloudflare D1 (SQLite at the edge), R2 (object storage), KV (cache), Workers Analytics Engine.
- Stripe (payment).
- Resend (transactional email).
- LLM providers when you call models through the gateway: Anthropic, OpenAI, Google, DeepSeek, Groq, Mistral. Each provider has its own retention policy — we route through Cloudflare AI Gateway, which adds a passthrough log on our side.
Who we share it with
Nobody, except the third parties listed above as needed to deliver the service. We don't sell data. Ad-platform pixels (Meta, LinkedIn) only fire if you Accept on the cookie banner.
How long we keep it
- Account + tool runs: until you delete your account.
- AI Gateway request bodies: 30 days, then aggregated.
- Wallet + credit ledger: legal retention period (typically 7 years) even after account deletion, anonymized.
Your rights
- Right to access: see your data on /account and /account/requests. CSV export available.
- Right to erasure: /account/delete-data scrubs your PII and user-generated rows. Wallet records are preserved (anonymized) for accounting.
- Right to opt out of training: AI Coach does not train models on your prompts. We pass them to upstream LLM providers only for the call itself.
Contact
Privacy questions: /contact.