What we keep, what we don't.

1. What we collect

• →Waitlist email + kit name — when you submit the waitlist form. Stored in our Supabase database. Purpose: one launch-day email per kit you signed up for. No newsletter, no drip sequence.
• →Order data from Polar — after you buy a kit, Polar sends us a webhook with the order ID, your email, your name (if you gave it), the product slug, amount, and currency. Stored so we can issue your download link and honor refunds.
• →Download tokens — per-order opaque strings tied to your order, with a use count and expiry. Purpose: making the download URL single-customer and time-limited.

2. What we don't collect

• →Credit card numbers, CVVs, or any payment-instrument data — all of that stays with Polar and Polar's processors. We never see it.
• →Third-party advertising cookies or retargeting pixels. No Facebook pixel, no Google Ads tag, no affiliate tracking.
• →Session replays or keystroke tracking.

3. Analytics

We use two optional, privacy-respecting analytics tools. Either or both may be active depending on deployment config:

• →Plausible — cookieless page-view analytics. GDPR-friendly by default; no personal data leaves your browser.
• →PostHog — funnel analytics, hosted in the EU region, configured with person_profiles: 'identified_only' so anonymous visitors are not profiled.

Neither is used for advertising. Both can be disabled per deployment by unsetting their env vars — so if you're reading this on a fork or white-label, the operator may have turned them off.

4. Sub-processors

• →Supabase — database. All tables use row-level security with default deny; customer-facing reads and writes happen server-side only.
• →Polar — checkout and Merchant-of-Record. Polar has its own privacy policy that governs the purchase transaction.
• →Resend — transactional email delivery (download links, refunds, launch notifications).
• →Cloudflare R2 — object storage for the kit ZIPs. Access is via signed URLs tied to your download token.
• →Vercel — hosting. Standard access logs apply (IP, user agent, URL); logs are rotated per Vercel's retention policy.

5. How long we keep things

• →Waitlist emails — until the kit ships + 14 days, then deleted. Or until you ask us to remove you, whichever comes first.
• →Order records — kept for 7 years for tax and refund-audit purposes (NZ tax law).
• →Download tokens — automatic 7-day expiry or 10 downloads, whichever comes first.

6. Your rights

You can email [email protected] at any time to:

• →See the data we hold about you.
• →Correct anything that's wrong.
• →Delete your waitlist entry at any time.
• →Request deletion of order records where legally allowed (note: NZ tax law requires some fields kept for 7 years).

We respond within 7 days. If you're in the EU or UK, these rights are in addition to your GDPR / UK GDPR rights, which we honor.

7. Changes to this policy

Material changes bump the "last updated" date at the top of this page. Customers get an email when the change affects how their data is handled.