Privacy Policy

• Account data: email and full name you provide at signup; a hashed password (Supabase Auth never gives us your plaintext password); your role (user / admin).
• Subscription data: tier, subscription status, current period end. Linked to your Stripe customer ID.
• Billing data: Stripe processes your payment method. We store only the Stripe customer ID, subscription ID, the last 4 digits of your card, and your billing country. We never see your full card number or CVC.
• Learning data: XP earned, daily streak, courses in progress, lessons completed, prompts copied, items saved, quiz attempts.
• Onboarding preferences: the goals, persona, AI experience level, favourite domains and content types you selected during onboarding. Used to personalize your feed.
• Page-view data: for each navigation we log: path, timestamp, your user ID (if logged in), an anonymous device ID stored in localStorage (so we can count unique visitors without identifying you), the referring URL. Used only for aggregate admin analytics.
• Device/browser data: User-Agent header, approximate region from Cloudflare (city/country level — never IP-based geolocation stored long-term).
• Support data: messages you send us by email.

• To provide the Service: authentication, tier-gated content access, learning progress tracking.
• To process payments through Stripe and update your subscription state via Stripe webhooks.
• To personalize your dashboard feed based on onboarding preferences and viewing history.
• To send transactional emails (signup confirmation, password reset, change-email, magic-link login). Marketing or product-update emails only with your explicit opt-in.
• To produce aggregate site analytics for admins (total visitors, page views, content engagement). No individual user is profiled or shown to advertisers.
• To prevent abuse, fraud, and rate-limit attacks against our autonomous content engine.

LAUNCHVAULT’s autonomous content engine calls OpenAI to generate the prompts, courses, workflows, and other content you see in the library. We do not send your personal data to OpenAI as part of normal content generation. The generation prompts are pre-authored by us; only our prompt text plus the list of existing content IDs is sent to the model.

If a future feature ever processes your personal data through an AI model (e.g. a personalized AI tutor), we will disclose it here and request your consent first.

We process your data under: (i) contract — to deliver the Service you signed up for; (ii) legitimate interests — to secure and improve the Service; (iii) legal obligation — to retain tax and billing records; (iv) consent — for optional marketing emails and non-essential cookies.

We do not sell your personal data. We share it only with the following processors, each under data-processing terms:

• Stripe Payments Canada Ltd. — to process subscription payments.
• Supabase Inc. — database hosting and authentication. Your data is stored in a Supabase project we control.
• OpenAI, L.L.C. — for backend content generation only (no personal data sent).
• Cloudflare, Inc. — DNS, edge hosting, Workers runtime, and bot protection.
• Law-enforcement or regulators when required by valid legal process.

• Account data: kept while your account is active. Deleted within 30 days of account closure.
• Billing & transaction data: kept for 7 years to meet tax obligations.
• Page-view analytics: kept for 13 months in aggregated form, then deleted.
• Support emails: kept for 24 months after the last response.

You have the right to: access your data, correct it, delete it, restrict its processing, port it to another service, and object to certain types of processing. EU/UK users may lodge a complaint with their supervisory authority. California residents have CCPA rights including the right to know, delete, and opt out of any sale (we do not sell).

To exercise any right, email launchvaultcanada@gmail.com. We respond within 30 days.

Data is encrypted in transit (TLS 1.3) and at rest. Authentication uses Supabase Auth with hashed passwords. Database access requires row-level-security policies — premium content payloads are never returned to the browser without a verified access check. Payment data lives in Stripe, never on our servers.

LAUNCHVAULT is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

We may update this Policy from time to time. Material changes will be notified by email at least 14 days in advance. The current version always lives at this URL.

For questions about this Privacy Policy or to exercise your rights, email launchvaultcanada@gmail.com.