GM Agency

LEGAL

Privacy Policy

Effective 22 May 2026 · v1.0

This policy explains what data GM Agency collects, why, and how you can exercise your rights over it. We act as a data controller for your account information and as a data processor for any user data that flows through builds we deliver to you.

01 · WHAT WE COLLECT

Account
Name, email, password hash, optional billing address. Used to identify you, send transactional email, and bill projects.
Project
Scoping answers, uploaded references, generated specifications and mockups, build logs, change requests. Used to execute and deliver the project.
Payment
Card details are held by Stripe. We see only the last four digits of the card and Stripe's customer/invoice identifiers — never the full card number or CVC.
Provider tokens
Encrypted OAuth tokens for GitHub / Vercel / Supabase / Cloudflare, used solely to provision your project and transfer it to you. After delivery, they are revoked or rotated on request.
Technical
IP address, user-agent, session cookies, application logs. Retained for security and debugging.

02 · HOW WE USE IT

  • To deliver the project you commissioned.
  • To process payments through Stripe.
  • To send transactional emails about your project's state.
  • To detect abuse, prevent fraud, and meet legal obligations.
  • To improve our scoping and build prompts in aggregate; we do not use your specifications to train third-party models.

We do not sell, rent, or share your personal data with advertising networks. We do not send marketing email without a separate opt-in.

03 · THIRD-PARTY PROCESSORS

Your data is processed by a small list of subprocessors strictly necessary for the service:

  • Stripe, Inc. — payment processing.
  • Anthropic, PBC and NVIDIA NIM — AI inference for scoping, mockup generation, build, and triage. Prompts may include your specification but exclude your credentials.
  • Postmark (ActiveCampaign) or equivalent — transactional email delivery.
  • Cloudflare, Inc. — DDoS protection and DNS for our domain.
  • GitHub, Inc., Vercel, Inc., Supabase, Inc. — only as needed to provision and transfer your project; their privacy policies apply to the accounts you control.

04 · RETENTION

Account and project data are retained while your account is active and for up to 24 months after a project closes, for warranty and audit purposes. Build logs are retained for 12 months. Stripe payment records are retained for as long as required by tax and anti-fraud law (typically 7 years). You may request earlier deletion at any time, subject to legal retention requirements.

05 · YOUR RIGHTS

Depending on your jurisdiction (GDPR, UK GDPR, CCPA, and similar), you have rights to:

  • access the personal data we hold about you;
  • correct or update inaccurate data;
  • request deletion of your data ("right to be forgotten");
  • export your data in a portable format;
  • object to or restrict certain processing;
  • withdraw consent for any processing based on consent.

Email [email protected] to exercise any of these rights. We respond within 30 days.

06 · COOKIES

We use two first-party cookies: a session cookie (gm_agency_session_v2) that keeps you signed in, and a CSRF-protection cookie. We do not use analytics or advertising cookies.

07 · SECURITY

Passwords are stored as bcrypt hashes. Provider tokens are encrypted at rest. All traffic is served over TLS. We are a small team and aim to follow industry best practice but cannot guarantee absolute security; if a breach affecting your data occurs, we will notify affected users within 72 hours of becoming aware of it.

08 · CHANGES

Material changes are notified by email at least 14 days before taking effect.

Contact

Privacy questions or data requests: [email protected]