Privacy Policy

The short version

We collect only what's needed to sell you a product and keep it working. We don't sell your data. We don't run analytics tools that profile you. You can delete your data at any time by emailing us.

What we collect

When you buy:

• Your email address (from Stripe at checkout)
• Your country (from Stripe, for tax calculation)
• Payment amount and timestamp
• Your Stripe Checkout Session ID (acts as your license reference)

We do NOT receive your full credit card number — Stripe handles that.

When you fill a confirmation form:

• Email (re-confirmed)
• GitHub username — so we can invite you to your private repo

When you visit our sites:

• Vercel Analytics collects aggregated visit counts (no personal identifiers). Anonymized IP-based region. You can opt out via Do Not Track; we respect it.
• Vercel Speed Insights measures page performance (same anonymization).
• No third-party trackers, no Facebook Pixel, no Google Analytics.

What we do with it

• Send you the product you bought (via email + GitHub invite)
• Send you transactional emails about your purchase (receipt, updates, refund confirmation)
• Let you re-retrieve your license via /my-purchases using your session ID
• Add significant product updates or critical security fixes (rare, and only to existing buyers — we don't do marketing blasts)

What we don't do

• Sell or rent your data to anyone. Ever.
• Share your email with advertisers, data brokers, or affiliates.
• Profile you across sites. Our analytics are aggregate only.
• Use your data to train AI models.

Who can see your data

• Stripe — processes payment. Their privacy policy: stripe.com/privacy
• Resend — delivers our transactional email to you. resend.com/legal/privacy-policy
• GitHub — holds the private repositories you get access to. GitHub privacy
• Formsubmit.co — relays confirmation form submissions to our inbox. formsubmit.co/privacy
• Vercel — hosts our sites and runs our serverless functions. vercel.com/legal/privacy-policy

That's the complete list. No ad networks, no analytics firms, no data brokers.

How long we keep it

Purchase records live in Stripe for accounting/refund purposes (typically 7 years per US tax requirements). Everything else — confirmation form submissions in our inbox, repository collaborator lists — is retained as long as you're a customer. If you request account deletion, we remove what we control within 30 days, though Stripe retains transaction records for compliance.

Your rights

You can at any time:

• See what we have: email us and ask for a copy of your data.
• Fix what's wrong: email us with a correction.
• Delete your data: email us to request deletion. We'll remove what we control, revoke your repository access, and confirm within 30 days.
• Stop getting emails: reply to any email asking to stop. Except critical ones (like a refund confirmation) we're legally required to send.

California residents: we comply with CCPA/CPRA. Email us for specific rights requests.

EU/UK residents: we comply with GDPR. Email us to exercise your rights under Articles 15–22.

Security

We take reasonable steps (encrypted transport, signed webhooks, no plaintext secrets, per-user license isolation) but no system is perfectly secure. If we become aware of a breach affecting your data, we'll notify you within 72 hours per applicable law.

Children

Our products are for developers and business operators. We don't knowingly collect data from anyone under 16.

Contact

Questions about this policy, your data, or to make a request: SeptimLabs@gmail.com.