Rare Agent Work respects your privacy and is committed to protecting your personal data. This policy explains what we collect, why, how we protect it, and what rights you have.
1. Information we collect
•Account data. When you create an account we collect your email address and, if you choose password-based authentication, a hashed password managed by Supabase Auth. We never store plaintext passwords.
•Payment data. Purchases and subscriptions are processed by Stripe. We receive your name, email, and the last four digits of your card. We never see or store full card numbers.
•Usage data. We collect aggregated analytics through Google Analytics 4 (GA4) and Google Ads conversion tags. This includes page views, referral source, device type, and approximate geographic region. IP addresses are anonymized by Google before storage.
•Form submissions. Assessment, consulting intake, and work-submission forms collect the information you provide (project description, contact details, constraints). These are stored in our database and reviewed by a human.
•API usage. If you generate API keys, we log request counts, endpoints accessed, and timestamps for rate-limiting and abuse prevention. We do not log request or response bodies.
•Cookies. We use strictly necessary cookies for authentication sessions and functional cookies for analytics. See our cookie details in Section 5.
2. How we use your information
•Provide, maintain, and improve our services (reports, news, AI chat, consulting intake).
•Process payments and manage subscriptions.
•Respond to consulting requests and route them to appropriate review paths.
•Send transactional emails (purchase confirmations, password resets). We do not send unsolicited marketing emails unless you subscribe to a newsletter.
•Monitor for abuse, enforce rate limits, and maintain platform security.
•Analyze aggregated usage patterns to improve content and product decisions. We do not sell your personal data to third parties.
3. Data sharing
•Service providers. We share data only with processors that are necessary to operate the service: Supabase (authentication and database), Stripe (payments), Google (analytics), Upstash (rate limiting), and Railway (hosting). Each operates under their own privacy policy and data processing agreements.
•Legal requirements. We may disclose information if required by law, subpoena, or court order, or to protect the rights, safety, or property of Rare Agent Work or others.
•Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you via email or prominent notice on our site.
•We do not sell, rent, or trade your personal information to advertisers or data brokers.
4. Data retention
•Account data is retained for as long as your account is active. You may request deletion at any time (see Section 7).
•Payment records are retained for 7 years to comply with tax and financial reporting obligations.
•Form submissions (consulting intake, assessments) are retained for up to 2 years after the last interaction, then anonymized or deleted.
•Analytics data is retained according to Google Analytics default retention settings (14 months) and is not linked to your account identity.
•API usage logs are retained for 90 days.
5. Cookies and tracking
•Strictly necessary. Authentication session cookies managed by Supabase. These cannot be disabled without breaking login functionality.
•Analytics. Google Analytics 4 (_ga, _ga_*) measures site usage in aggregate. Google Ads (conversion linker) tracks ad effectiveness. These cookies are set only after page load via afterInteractive scripts.
•No third-party advertising cookies. We do not serve display ads or use retargeting cookies beyond Google Ads conversion measurement.
•You can manage cookie preferences through your browser settings. Blocking analytics cookies will not affect core site functionality.
6. Security
•All data is transmitted over HTTPS with HSTS preloading enforced.
•API keys are generated using cryptographically secure random bytes (Web Crypto API) and stored as SHA-256 hashes. Plaintext keys are shown once at creation and never stored.
•Security headers (CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff) are enforced at the edge middleware layer.
•Rate limiting is enforced via Redis-backed middleware to prevent abuse.
•Internal service endpoints require separate authentication keys and are not exposed to public clients.
7. Your rights
•Access and portability. You can request a copy of all personal data we hold about you.
•Correction. You can request correction of inaccurate data.
•Deletion. You can request deletion of your account and associated data. We will comply within 30 days, except where retention is required by law (e.g., payment records).
•GDPR (EEA residents). You have the right to access, rectify, erase, restrict processing, object to processing, and data portability under the General Data Protection Regulation. Our lawful bases for processing are: contract performance (account services), legitimate interest (analytics, security), and consent (newsletters).
•CCPA (California residents). You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at the address below.
•Rare Agent Work is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
9. Changes to this policy
•We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on the site or by email to registered users. The "Effective date" at the top of this page reflects the latest revision.