Privacy Policy
Effective July 1, 2026
We collect the minimum needed to deliver what you asked for. We do not sell personal information, run ad trackers, or store what you type into the tools. How the products keep your work on your machine is laid out in the Trust Center.
1. What we collect
- Email address, when you request the free kit, subscribe to the newsletter, buy a product, or request member access. We also record the source of the signup and consent time, and for newsletter and free-kit signups the IP address and country at the moment of consent, kept as proof of subscription.
- Order details for purchases: what you bought, the amount, and the email used at checkout. Card details go to Stripe and never touch our servers.
- Classifier results: if you choose to leave your email in the classifier, we store the resulting tier as a lead record.
- Basic technical data used for rate limiting and abuse prevention, such as a short-lived record keyed to your IP address.
2. What we deliberately do not collect
The policy generator sends your answers to the AI model for one request, returns your document, and stores nothing you enter. The EU AI Act classifier runs in your browser and stores nothing unless you submit your email. Purchased dashboards run entirely in your browser, make no network requests, and keep what you enter in your own browser's storage on your own device.
By default we set no cookies of any kind and run no analytics or cross-site trackers. The public site stores one preference in your browser: your answer to the privacy banner, which never leaves your device and can be changed any time from the Privacy choices link in the footer. If you arrive through a campaign link, the campaign tag is kept for your browser session only and is attached to a signup or order as its source; it is discarded with the session otherwise. If, and only if, you accept optional analytics in that banner, Google Analytics runs with advertising features disabled and IP anonymization on, and sets its own cookies; declining or ignoring the banner keeps everything off. We honor the Global Privacy Control browser signal as a decline.
3. How we use information
- Delivering purchases and the free kit by email.
- Sending The Governance Brief newsletter, if you opted in. Every issue has a one-click unsubscribe, honored immediately.
- Verifying Pro membership and sending sign-in links.
- Internal sales and operations reporting.
- Meeting legal, tax, and accounting obligations.
4. Who processes it for us
We use a small set of processors to run the business: Stripe (payments), Resend (email delivery), Supabase (database and file storage), Vercel (hosting), and Anthropic (processing generator requests). Each receives only what its function requires. Pages also load typefaces from Google Fonts, which means your browser requests font files from Google's servers and Google receives your IP address in that request. Google provides analytics only if you accepted it in the privacy banner. We do not sell or rent personal information to anyone, and we do not share it for cross-context behavioral advertising as defined by the CCPA and CPRA.
5. Retention
Subscriber and order records are kept while they are needed for the purposes above or as law requires. Unsubscribing stops mailings immediately and we retain the suppression record so we do not email you again. Rate-limit windows expire within minutes and inactive rate-limit records are purged on a daily schedule.
6. Your choices and rights
You can unsubscribe from the newsletter with one click in any issue, change or withdraw your analytics choice any time via the Privacy choices link in the footer, and ask us to access, correct, or delete the personal information we hold about you by emailing support@extrasphere.com. California residents: we do not sell or share personal information, and we honor the Global Privacy Control signal as an opt-out. EU and UK residents: consent for optional analytics is requested before anything loads and is as easy to refuse as to give. Depending on where you live, you may have additional statutory rights; we honor verified requests regardless of jurisdiction.
7. Security
Data is stored with access controls and encryption in transit, database access is restricted to server-side functions, and paid files are delivered through signed, expiring links. No system is perfectly secure, so we keep what we store to a minimum.
8. Children
The site is for business use and not directed to children under 16. We do not knowingly collect their information.
9. Changes and contact
If this policy changes, the effective date above changes with it. Questions or requests: support@extrasphere.com.