Evoked
Privacy Policy
Sovereignty Audit
Version 0.3 - Effective June 12, 2026
Your business is yours. What you share with us during this engagement is held with the same care we ask you to hold for the people you serve. This document names what we collect, what we do with it, what we do not do with it, what we will never do with it, and what you can ask of us at any time.
We wrote this in the voice we wanted to read when we were on the other side of policies like this. If anything here is unclear, ask us directly and we will answer in the same voice.
1. What We Collect
We collect three categories of information, and only these three:
Billing information (required by Stripe to process payment):
- Your name as it appears on your billing method
- Your billing address
- Your email address for receipts and engagement correspondence
- Payment method details, which Stripe holds and we never see in raw form
Engagement substrate (what you choose to share during the audit):
- The artifacts you provide for the audit (architecture documents, code surfaces you choose to share, policy documents, prior audit findings, anything else you author into the engagement)
- Notes from our working sessions, which you receive copies of
- Correspondence during the engagement
Correspondence necessary to deliver the work:
- Email exchanges related to scheduling, scope clarification, and deliverable delivery
That is the complete list. We do not collect anything else.
2. How You Share Substrate With Us
The channel through which you share your engagement substrate matters as much as what you share. We use channels with appropriate security properties for the sensitivity of the material, and you choose which channel works for you.
You have two channel options for the engagement substrate:
Option 1: Private GitHub repository. You can invite us as a read-only collaborator on your existing private repository, or we can create a private repository for the engagement and invite you. Either shape works; you choose. GitHub provides encryption in transit and at rest, granular access control, a built-in audit log of every access event, and the ability to revoke our access with a single click at the close of the engagement.
Option 2: Proton Drive. Proton Drive is a Swiss-based end-to-end encrypted file-sharing service with a free tier (5 GB) sufficient for most engagement substrate. Files are encrypted client-side before upload; Proton's servers cannot read your substrate. You sign up at proton.me, share a folder with us using the email address we provide, and revoke our access at engagement close.
You choose between these two options based on what fits your team and your artifacts. If you have a different end-to-end encrypted channel you already trust and prefer (for example, your organization's existing secure file-sharing tool), name it and we use it instead.
Email is acceptable for logistical correspondence only: scheduling, scope clarification, deliverable delivery. We do not send or receive code, architecture documents, security findings, or audit deliverables via email attachments.
What you can refuse: any specific channel, at any time, for any reason. If neither of our two default options works for you and you do not have a preferred alternative, we work with you to find a channel that does. The substrate is yours; the channel that carries it should be one you trust.
What we never do: transmit substrate over unencrypted channels, share substrate with any third party including the platforms above beyond what is required to transmit it, or retain access to the substrate after the engagement and its ninety-day clarification tail have closed.
3. What We Do Not Collect
We name this explicitly because the absence of a thing is sometimes more important than its presence:
- We do not collect behavioral telemetry on your interactions with us
- We do not run analytics tools on our correspondence or working sessions
- We do not build cross-engagement profiles of customers
- We do not inject third-party trackers into confirmation pages, receipt emails, or deliverables
- We do not collect data that would let us infer anything about you beyond what you have chosen to share
- We do not enrich your record with data from data brokers or other third-party sources
- We do not assume incompleteness; we assume sovereignty. The scope you author is the scope of the engagement.
4. How We Use What We Collect
Engagement substrate is used only to deliver the engagement you paid for. We do not use it for any other purpose, including but not limited to:
- Marketing or sales outreach
- Training AI models, ours or anyone else's
- Building generalized methodologies or frameworks based on your specific situation
- Sharing as case-study material without your explicit written per-use consent
- Any other purpose that you did not author the substrate to serve
Billing information is used only for payment processing and engagement correspondence.
Correspondence is used only to communicate with you about the engagement.
5. Third-Party Sharing Limits
We use a small number of third parties because we have to, and we keep that number small on purpose. The complete list:
Stripe processes payments and receives the billing information required to do so. Stripe's privacy practices are governed by Stripe's policy at stripe.com/privacy.
Email provider (currently Resend) processes outbound transactional email. Your email address is shared with the provider for the limited purpose of delivering the message.
Substrate transfer channels (GitHub or Proton Drive, per Section 2): These platforms receive the engagement substrate you choose to share, for the limited purpose of transmitting it between you and us. Their privacy practices are governed by their own policies at github.com/privacy and proton.me/legal/privacy.
That is the complete list of third parties that receive any engagement-related information. We do not share engagement substrate with any third party beyond what is required to transmit it via the channel you choose.
If we ever need to add a third party for any operational reason, this policy is amended before the addition takes effect, you are notified at the email address on file, and the addition is recorded in the document's amendment history.
6. Retention
Engagement substrate is held for the duration of the engagement plus a ninety-day tail for you to return with clarification questions at no additional charge. After the ninety-day tail closes, the substrate is deleted, not anonymized. True deletion. The records do not persist in a shape we could later re-identify.
Billing records are retained as long as legally required for tax and accounting purposes (typically seven years under United States federal requirements), then deleted.
Correspondence is retained alongside engagement substrate and follows the same ninety-day tail policy.
You can ask for earlier deletion at any time. See Section 8.
7. Security Baseline
Engagement substrate is held with encryption at rest and encryption in transit. Working sessions are conducted via tools you and we agree on; we default to options that do not record content beyond what you authorize.
Access to engagement substrate is limited to the named primary point of contact (Erin Stanley) and any team members you explicitly approve. We do not grant access to any other party without your explicit written permission.
If we ever become aware of an unauthorized access event affecting your engagement substrate, you are notified within seventy-two hours at the email address on file, with the facts as we know them at the time of notification and any updates as we learn more.
8. Your Right to Refuse
This section matters most. Read it carefully.
You may refuse, decline, or withdraw at any layer of this relationship:
- You may decline to share any artifact at any time during the engagement
- You may revoke prior consent to share an artifact you already shared; we delete the artifact from our records
- You may ask us to delete all engagement substrate at any time, including before the ninety-day tail expires
- You may ask us to delete all correspondence
- You may ask us to delete all records of you that we are not legally required to retain (billing records may be subject to tax-law retention)
- You may refuse any future contact from us, for any reason, or for no reason
- You may decline any specific channel for substrate transfer and name an alternative you prefer
None of these choices requires you to justify it to us. We do not retain records in a shape we could later use to re-identify you. We do not interrogate the request. We honor it, confirm it in writing, and complete it within a reasonable timeframe (typically within ten business days, often faster).
The wall holds. It requires nothing from you.
9. Your Verification and Deletion Rights
You can ask at any time:
- What information about you we currently hold
- Where we hold it
- Who at our end has had access to it
- When we expect to delete it under the retention schedule
We respond within ten business days with the complete answer, in plain language, without friction or surveys.
You can also ask us to:
- Correct any information we hold that is inaccurate
- Delete information we are not legally required to retain
- Export your engagement substrate to you in a portable format before deletion
There is no charge for any of these requests. There is no limit on how often you can make them. There is no surveying you about why.
10. Governing Law
This policy is governed by the laws of the State of Idaho. If you are a resident of a state with stronger privacy protections than those provided here (including California, Virginia, Colorado, Connecticut, Utah, or any other state with enacted comprehensive privacy law), those protections apply to you in addition to the protections in this document. We honor the stronger protection in any case where state law and this policy differ.
Your privacy is yours. The protections in this document hold regardless of whether you complete the engagement, change your mind mid-way, or decide after the fact that you would rather we forget you completely.
We will honor it the way we want our own to be honored, whether this engagement happens or not.
Erin Stanley
Evoked