The Detective

Trust & security

What we hold, how we hold it, and what we refuse to do with it.

Plain language on how your data is treated. The list of commitments below is short on purpose. Everything we promise here we can point at in the product.

01

What we hold

We collect only what the analysis needs to be useful to you. Nothing else.

  • Your email. Required for sign in. We use passwordless authentication, so no password is ever stored.
  • Optional profile fields. Name, country, avatar. All optional, all editable from settings.
  • Your intake answers. The information you give us so the analysis can be personalized to your skills, budget, time, and refusals.
  • Your analyses. Every report we deliver, kept available so you can return to past work.
  • Your watchlist. The niches you save and any project notes you keep on them.

We do not collect marketing tracking pixels, location beyond the optional country field, microphone or camera access, or social graph data. Full detail lives on the Privacy page.

02

How we secure it

Sensible defaults, applied uniformly. We do not invent new security postures for marketing purposes.

  • Encrypted in transit and at rest. Every connection uses HTTPS. Stored data is encrypted by our hosting infrastructure.
  • Per customer isolation. The database is scoped so one customer cannot read another customer's data, even at the lowest layer.
  • Passwordless sign in. Account access uses a one time link sent to your email. There is no password for us to leak.
  • Least privilege secrets. Server credentials stay on the server. They are never bundled into the browser code.
  • Disclosure on leak. If a credential we control leaks, we rotate it and notify affected customers within 72 hours of discovery.

03

What we will not do

The product is a promise. These are the lines we will not cross to grow it.

  • We do not sell or share customer data. Not to advertisers, not to data brokers, not as part of any future partnership.
  • We do not train AI on your data. Your intake answers and analyses are not used as training material for any model.
  • We do not fabricate source citations. Every claim in every analysis carries a real source URL and a confidence label. Made up citations are not possible in our pipeline.
  • We do not silently lower the bar. When evidence is thin, the verdict says so. We never quietly soften a result to make it ship.
  • We do not analyze regulated industries. Insurance, medical, legal advice, financial advice, tax preparation, construction lien. We refuse those before spending and tell you why.

04

Compliance and rights

Honest version. We are an independent product team. We do not have a formal compliance audit at this stage. What we do have is a short list of rights and practices we honor in writing.

  • Delete on request. Delete your account from settings at any time, or email us. We remove your account record and your saved work. Retention edges are documented on the Privacy page.
  • Export on request. Email us and we return your intake answers and analyses within 7 days.
  • EU and UK rights. Customers in those regions have the full set of access, rectification, erasure, portability, objection, and restriction rights under their local data law. Email hello@thedetective.io to exercise any of them.
  • EU data residency. Available on request for customers who need it.

When our compliance posture changes, the update will appear here and in the changelog.

05

Reporting a security issue

If you find a vulnerability, email security@thedetective.io. Include a description, reproduction steps, and the impact you observed.

We acknowledge within 3 business days, work the issue, and credit you in the changelog if you want public attribution. We do not pursue legal action against researchers who follow good faith disclosure.

For everything else (privacy, billing, general questions), use hello@thedetective.io.