
Privacy Policy
What we collect, why we collect it, and the choices you have. We aim for plain English, not lawyer-speak.
Effective date: November 1, 2025
1. What we collect
Account data
- Name, email address, username, password (hashed — we never see your plaintext password).
- Sponsor / referrer username, registration date, IP address, browser user-agent.
Payment receipts
- Because payments are peer-to-peer, we do not store your credit-card or bank information. We may record an attestation that a payment occurred (timestamp, sponsor, amount tier) so the system knows you have access.
Activity data
- Invitations you generate, contacts you upload, AI prompts and outputs, follow-up messages MailBot sends on your behalf, response data from your prospects.
- Page views, clicks, and event logs needed to operate the Platform.
AI provider keys
- If you provide an Anthropic or OpenAI API key, we store it encrypted at rest and use it only to make AI calls on your behalf. You can rotate or revoke it at any time.
2. How we use your data
- To operate the Platform — generate invitations, send follow-ups, attribute commissions to sponsors, and authenticate you.
- To prevent abuse — detect spam complaints, fraud, duplicate accounts, and policy violations.
- To communicate with you about your account, billing-tier upgrades, security alerts, and material changes.
- To improve the Platform — aggregated, de-identified analytics on usage and performance.
3. What we don't do
- We do not sell your personal information.
- We do not share your contact list with other members or third parties.
- We do not use your prospect data to train our AI models.
- We do not run third-party advertising trackers across the member dashboard.
4. Who we share data with
- AI providers (Anthropic, OpenAI) — we send the prompts and contact data needed to generate the message. Your provider's privacy policy applies to that processing.
- Email infrastructure (Postmark, SES, or similar) — to deliver invitations and follow-ups on your behalf.
- Hosting & database providers — to operate the application.
- Law enforcement — when compelled by valid legal process or to protect rights, safety, or property.
5. Cookies & similar tech
We use first-party cookies for session management, CSRF protection, and remembering your preferences. We may use minimal analytics cookies (page-view counts) — never cross-site advertising cookies. Your browser's "Do Not Track" signal is respected for analytics.
6. Data retention
- Account data: kept for the life of your account plus 24 months after closure for accounting and dispute records.
- Activity logs: 24 months rolling.
- Hashed passwords: deleted within 30 days of account deletion.
- AI prompts/outputs: 12 months unless you delete them sooner from your dashboard.
7. Your rights
Depending on where you live (GDPR, CCPA, etc.) you may have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Delete your account and associated personal data.
- Export your data in a portable format.
- Object to or restrict certain processing.
To exercise any of these rights, contact us. We respond within 30 days.
8. Security
We use TLS in transit, encryption at rest for sensitive fields (API keys, auth tokens), bcrypt password hashing, CSRF tokens on state-changing forms, and rate limiting. No system is perfectly secure — if we detect a breach affecting your account we will notify you within 72 hours of confirmation.
9. Children
The Platform is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has registered, contact us and we will delete the account.
10. International transfers
Our servers are located in the United States. By using the Platform from outside the U.S. you consent to your data being processed in the U.S., which may have different data-protection laws than your jurisdiction.
11. Changes
We will post any material changes to this policy here with an updated effective date and, when changes are significant, notify you by email.
12. Contact
Questions, requests, or concerns? Reach out.