Legal
Privacy Policy
Last updated: June 11, 2026
This Privacy Policy explains what data The Detective collects, how we use it, and the choices you have. We try to be specific instead of catch-all; if a section feels vague, email hello@thedetective.io and we'll clarify.
1. What we collect
1.1 Account data
- Email. Required for sign-in. Used for the magic-link flow and as the identifier on any passkeys you enroll, both via Supabase Auth.
- Name. Optional, supplied during signup or editable in your profile.
- Country. Optional, used for analysis personalization.
- Avatar image. Optional, uploaded to Supabase Storage and visible only to you (and to your teammates if you're on Operator and have a team).
1.2 Intake answers
Your intake form responses (skills, budget, time, languages, target income, exclusions, motivations) are stored on your customer record and used to seed the analysis pipeline. We don't share these with other customers or third parties.
1.3 Analyses
Every analysis we generate is stored in your account. The analysis body (verdicts, cited sources, evidence tiles) is retained indefinitely so you can return to past work. Aggregated, de-identified metrics may be used to improve the product (see §3).
1.4 Passkey credentials
If you enroll a passkey (Touch ID, Face ID, Windows Hello, or a security key) for faster sign-in, we store the credential's public key, a counter, and a device label you choose. We never receive or store the private key. The private key lives on your device and never leaves it. You can remove an enrolled passkey at any time from your settings page.
1.5 Payment data
Payments are handled by Polar (Polar Software Inc.) acting as the merchant of record. We receive only a customer reference and your subscription tier from Polar; we never see or store your card number, CVV, or full billing details. Polar's own privacy policy governs the billing flow.
1.6 Email delivery
Transactional emails (analysis ready, analysis failed, team invitations) are sent via Resend. Resend retains email metadata per their privacy policy. We do NOT send marketing emails as part of the Service today.
1.7 Pipeline data
Each analysis runs through Anthropic Claude. Your intake and idea inputs are sent to Anthropic as part of the model prompt. Anthropic's data handling is governed by their privacy policy. We do not opt in to training data sharing.
1.8 Page analytics
We use Vercel Analytics and Vercel Speed Insights to count page views and measure performance. These are first-party, cookie-less, and do not build a cross-site profile of you. The data we get back is aggregated (e.g. “the /pricing page got 420 views yesterday”) and cannot be traced to a single person. Vercel's own privacy policy covers what they retain.
We also use Google Analytics 4 (via Google's gtag.js) to understand how visitors find and move through the site. Unlike Vercel Analytics, GA4 sets cookies (e.g. _ga) and shares usage data with Google, which receives your truncated IP address, device and browser details, and the pages and events you trigger. We do not send GA4 your name, email, intake answers, or analyses. Google's own privacy policy governs that data.
1.9 Bot protection on public forms
The contact form and the magic-link signup use Cloudflare Turnstile to tell humans apart from automated traffic. Turnstile is a privacy-preserving alternative to traditional CAPTCHA — it does not show puzzles, does not set tracking cookies, and does not build a cross-site profile. Cloudflare receives the page URL, your IP address, basic browser headers, and a short-lived challenge token to run the check. Cloudflare's own privacy policy governs that data.
1.9b Consent for non-essential cookies (EU / UK / Brazil)
If you visit us from the European Economic Area, the United Kingdom, or Brazil, we ask for your consent before non-essential cookies and analytics fire. The choice is presented as a banner at the bottom of the page on your first visit; until you pick, Google Analytics and PostHog are configured in default-denied mode (Google Consent Mode v2), Microsoft Clarity does not load at all, and only the strictly necessary cookies (sign-in session, anti-fraud) operate. The choice is recorded in the first-party cookie detective_consent (365 days, SameSite=Lax) so you do not see the banner again on this device.
You can change your mind at any time by emailing hello@thedetective.io or by clearing the detective_consent cookie in your browser (the banner reappears on the next page load). Visitors outside the EEA / UK / Brazil see no banner and analytics fire on the standard pageview basis described in §1.8.
1.9c Reddit Pixel and Conversions API (ads)
If we run paid acquisition on Reddit, we use Reddit's pixel (client-side script from www.redditstatic.com) plus Reddit's server-side Conversions API to attribute conversions back to the ad we paid for. The pixel sets first-party cookies under .reddit.com to record the click + page visit; the server-side API receives a hashed (SHA-256) version of your email at the moment a payment lands so the conversion can be matched without us sending Reddit your raw email. Reddit's own privacy policy governs what they retain. The pixel + CAPI fire ONLY when NEXT_PUBLIC_REDDIT_PIXEL_ID and the server-side access token are configured (currently silent-installed; this clause is in force the moment we provision a Reddit ad account). EEA / UK / Brazil visitors must Accept on the consent banner (§1.9b) before either fires.
1.10 Attribution (UTM tags)
If you arrive at the site from a link with ?utm_source=…&utm_medium=… tags (Reddit, a podcast, an editorial mention, etc.), we store those five standard UTM fields plus the moment you first hit the site (first_seen_at) on your customer record at the moment you complete intake. We use this strictly to understand which acquisition channels work — never to retarget, never shared with third parties for advertising. The capture is first-touch (your initial source wins; a later visit from a different link does not overwrite). The data lives in a first-party cookie (detective_utm, 90-day max age, SameSite=Lax) until intake submission, then in your customer row.
1.11 What we do NOT collect
- No advertising or retargeting pixels (no Facebook Pixel, no ad networks). We use Google Analytics 4 for site analytics only — see §1.8 — never for ad targeting.
- No location data beyond the country field you optionally provide.
- No microphone, camera, or device access.
- No social-graph data.
Honest caveat on the “don't collect” framing: like every web service, our infrastructure (Vercel function logs, Trigger.dev task logs, Resend send-metadata, Sentry breadcrumbs) captures the technical context around requests and errors so we can investigate failures. That context can include the URL you hit, your IP address at request time, truncated request payloads on errors, and the most recent actions you took before an error. We never query these logs as a customer-data source, but they exist and are retained per the relevant vendor's policy (typically 7-30 days for raw logs, longer for aggregated error events). If you request account deletion under §4.2, we trigger deletion of the row-level data we control immediately; vendor-side logs age out on their own retention schedule.
2. How we use it
- Authenticate you via email magic-link or passkey (WebAuthn), both backed by Supabase Auth.
- Generate analyses by feeding your profile + idea inputs into the runner pipeline.
- Personalize the dashboard with your name, avatar, and historical analyses.
- Send transactional emails when analyses finish, fail, or your teammate accepts an invitation.
- Aggregate de-identified metrics for product improvement (e.g. average preflight pass rate, average source tier across analyses). These aggregations cannot be traced back to any individual customer.
3. Sharing
We don't sell your data. We share data with the third parties named above only as required to operate the Service:
- Supabase. Auth, database, and storage hosting.
- Anthropic. Runs the AI pipeline.
- Resend. Transactional email delivery.
- Polar (merchant of record). Billing, tax, invoicing, refunds, and chargebacks.
- Vercel. Hosting, edge runtime, and first-party page-view + performance analytics (cookie-less, aggregated).
- Google (Analytics 4). Site analytics via gtag.js (cookie-based) — usage, not advertising.
- Trigger.dev. Background job orchestration for the runner pipeline.
- Cloudflare. Bot protection on public forms (contact form, magic-link signup) via Cloudflare Turnstile.
- Sentry. Application error monitoring and crash reporting (server + browser) so we can detect and fix faults. Receives technical error context (stack traces, request metadata); we do not send it your analyses or intake answers.
- Google (Measurement Protocol, server-side). When a payment lands, we POST a small purchase event to GA4 server-side so revenue attribution survives ad-blockers and missed redirects. Payload includes a transaction id, the tier purchased, and your customer row id as a stable analytics identifier — never your name, email, intake answers, or analyses. Subject to Google's privacy policy linked above.
- Healthchecks.io. Dead-man's-switch ping service that pages us if the runner stops processing reports. Receives only ping URLs (no customer data, no analyses, no identifiers). Used purely for uptime monitoring of our background job pipeline.
- Slack (operator alerts only). When our daily cost-drift cron detects an anomaly in our own pipeline metrics (per-tier average spend, p95 step duration, or failure rate drift), a single summary alert is posted to our internal operations channel. The alert body contains aggregate numbers only (e.g., "Hunter avg spend last 7d $0.0X vs 23d baseline $0.0Y"); it never contains your name, email, intake answers, analyses, or any per-customer identifier. Slack is used for operator paging only — we never share customer data with Slack.
- Microsoft Clarity. Free heatmap + session replay service we use to debug specific UX reports (e.g., "the intake form Next button stopped responding for me on Safari"). Project-side masking is set to strict — every text input + every customer-facing analysis content is masked by default in recordings. Clarity receives page URLs, click coordinates, scroll positions, and viewport dimensions; it does NOT receive your intake answers, your analyses, or any text you typed into masked fields. Subject to Microsoft's privacy statement.
- Reddit (Pixel + Conversions API). If we are running paid traffic on Reddit, the client pixel + server CAPI fire to attribute clicks and purchases back to the ad. The server CAPI receives a SHA-256 hash of your email so Reddit can match the conversion without seeing your raw email. No raw intake answers, analyses, or names are shared. Subject to Reddit's privacy policy. EEA / UK / Brazil visitors must Accept the consent banner before either path fires; see §1.9b.
- PostHog. Product analytics + feature flags + a session replay surface scoped to /intake and /report/[id] only (other routes never start a recording). All text inputs are masked by default in replays; the runner-side PostHog integration records per-call model + latency + token counts + cost (without recording prompt or response content). We send PostHog the same typed funnel events we send GA4 (signup, generate_lead, begin_checkout, etc.) plus the customer's opaque user id for identity stitching across sessions. PostHog respects the DNT (Do-Not-Track) browser signal; subject to PostHog's privacy policy.
Each of these vendors has its own data-handling commitments. We chose them in part because of those commitments.
4. Your rights
4.1 Access + export
You can see all delivered analyses in your dashboard. To export your data (intake answers, full analyses), email us and we will respond within 7 days.
4.2 Deletion
Delete your account from dashboard settings. On deletion we:
- Remove your customer row + intake answers.
- Remove your team memberships and any pending invitations you sent.
- Retain de-identified copies of your delivered analyses (no email, no name, no profile fields) for product-improvement purposes. These cannot be traced back to you.
- Retain payment records as required by tax law (typically 7 years, held by our payment processor as merchant of record).
4.3 Corrections
Update your name, email, country, avatar, and intake answers at any time from dashboard settings. To correct a record we cannot edit ourselves (e.g. payment data held by our payment processor), email us and we'll guide you to the right place.
4.4 EU / UK customers
If you're in the EU or UK you have the rights described in GDPR (Articles 15-22): access, rectification, erasure, portability, objection, restriction. Email hello@thedetective.io to exercise any of these. Polar is the data controller for payment data as merchant of record, and Supabase / Anthropic / Resend / Vercel / Google (Analytics 4 + Measurement Protocol) / Trigger.dev / Sentry / Healthchecks.io are sub-processors for the platform.
5. Children
The Service is not intended for users under 18. We do not knowingly collect data from minors. If we discover an underage account we'll delete it.
6. Security
Data at rest is encrypted on Supabase's infrastructure. Connections are HTTPS-only. Service-role keys are server-side only and never exposed to clients. We rotate keys when they leak and notify affected customers within 72 hours of discovery.
7. Changes
We'll update this Policy when our data flows change. For material changes (new third-party processor, new data category collected) we'll email registered users at least 30 days before the change takes effect.
8. Who controls your data + contact
The Detective is operated by its two founders, who are the data controller for the platform data described in this Policy. For privacy questions, data-export requests, or to exercise any right above, email hello@thedetective.io or use the contact page. Email is our address of record for privacy notices; a registered business mailing address will be added once the operating entity is formed.