## Plain-English Summary (for UI)

TakeInterest, Inc. runs TakeInterest on the web and iOS. The Service is for adults 18+ only; we do not allow minors. We collect account details and the content you choose to save (your decisions, criteria, constraints, and evidence) so the product works. We use Firebase and Google Cloud to authenticate, host, and store data, and Google Vertex AI (Gemini) to generate AI responses when you ask for them. We do not sell personal information, and we do not store raw prompts or raw AI outputs in production logs. You can access, export, correct, delete, and (where applicable) port your data. Product analytics are opt-in and off by default; when enabled, we use Mixpanel as a third-party processor. Diagnostics for web error reporting are opt-in and off by default; when enabled, we send runtime error metadata with environment/build/version tags only (no decision content, prompts, or AI outputs). We only send marketing if you opt in, and you can manage analytics and marketing preferences in the in-app preference center.

### What we do NOT collect (short version)
- Payment card numbers, passwords, or private keys.
- Sensitive health data, biometric identifiers, or precise geolocation.
- Raw prompts or raw AI outputs in production logs.

---

# Privacy Policy - TakeInterest, Inc. / TakeInterest

Effective date: January 7, 2026
Last updated: February 6, 2026

This Privacy Policy explains how TakeInterest, Inc. ("TakeInterest," "we," "us," or "our") collects, uses, shares, and protects information when you use our services: takeinterest.ai (marketing site), app.takeinterest.ai (web app), api.takeinterest.ai (API), and our iOS application (collectively, the "Service").

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

## 1) What we collect

**Account data**
- Email address, and name if you provide it.
- Unique user ID (UID) and authentication metadata from Firebase Authentication.
- Authentication provider details (for example, Google Sign-In).

**User content you choose to save**
- Decision text, criteria, constraints, and evidence you provide.
- Notes, actions, and outcomes you record.
- Personas, committee settings, and other configurations you create.
- Exports you generate (PDF, CSV, JSON, RTF, and similar files).

**Usage and device data**
- App and page interactions (events) to understand usage and improve the Service, only if you opt in to analytics (processed by Mixpanel as a third-party processor).
- Diagnostics data for web error reporting (opt-in only): runtime error metadata with environment/build/version tags only, excluding decision content, prompts, or AI outputs.
- Device and browser information (device type, OS version, app version, language).
- Approximate location inferred from IP address for security and fraud prevention.

**Support and communications**
- Information you provide when you contact support.

**Payments and subscriptions (if enabled)**
- Stripe customer ID, subscription ID, and entitlement state.
- We do not store payment card numbers or full billing details.

**Cookies and local storage**
- Essential authentication cookies and local storage used by Firebase.
- Analytics cookies or local storage (Mixpanel, a third-party processor) only if you opt in.

**iOS-specific data**
- Push notification tokens (APNs) if you enable notifications.
- Crash diagnostics and performance signals provided by Apple.

## 2) What we do NOT collect

- Payment card data (Stripe processes this directly).
- Passwords (Firebase Authentication manages credentials; we do not see your password).
- Government IDs, biometric identifiers, or precise geolocation.
- Sensitive health information or other special-category data.
- Contacts from your device or address book.
- Private keys or API tokens unless you explicitly provide them.
- Raw prompts or raw AI outputs in production logs.

If we ever require identity verification or new data types, we will clearly notify you and update this Policy before collection.

## 3) How we use information

We use your information to:
- Provide and operate the Service (authentication, storage, and core features).
- Generate AI-assisted responses when you request them.
- Maintain security, prevent abuse, and debug issues.
- Communicate with you about your account and the Service.
- Send product updates and marketing only when you opt in (you can change preferences anytime).
- Comply with legal obligations and enforce our Terms.

## 4) AI processing, transparency, and automated decisions

When you use AI features, you are interacting with an AI system. We may send the following to Google Vertex AI (Gemini):
- Decision text and related context you provide.
- Criteria, constraints, evidence, and supporting notes.

We never send:
- Passwords or authentication secrets.
- Payment card data.
- API keys or other confidential credentials that you have not explicitly provided.

**Data minimization:** We limit what we send to AI providers to what is needed to fulfill your request. We cap prompt and context sizes, send only relevant selected context and excerpts, and avoid sending full exports or files unless you explicitly request it.

**AI outputs may be inaccurate or incomplete. You must review and verify AI outputs before using them.**

We do not make legally significant automated decisions about you. AI outputs are advisory and for informational purposes only.

We do not store raw request bodies or raw AI outputs in production logs. Our logs are limited to minimal metadata (timestamps, request IDs, status codes, and redacted errors).

We do not use your content to train public AI models unless we clearly disclose it and obtain your consent.

**Provider retention disclosure:** Our AI provider (Google) may temporarily retain request and response data for abuse and safety monitoring under Google Cloud and Vertex AI terms. Retention periods are controlled by provider policies and configuration and may include 30-day windows for certain safety processing.

## 5) How we share information

We share information with service providers that help us run the Service:
- **Google Firebase** (Authentication, Firestore database, Firebase Hosting).
- **Google Cloud Run** (API and backend services).
- **Google Vertex AI (Gemini)** for AI generation.
- **Mixpanel** for product analytics (opt-in only, third-party processor).
- **Sentry** for web error reporting (opt-in only, diagnostics metadata only).
- **Stripe** for payments (if enabled).
- **Apple** for iOS app distribution, notifications, and diagnostics.
- **Email delivery providers**, if used for transactional or marketing messages, listed in our Sub-processor List.

We may also disclose information:
- To comply with law or valid legal process.
- To enforce our Terms or protect users and the Service.
- As part of a corporate transaction (merger, acquisition, or asset sale), with notice when required.

**We do not sell personal information.** We do not share your data with third parties for their own marketing purposes.

## 6) Cookies and tracking

We use:
- **Essential cookies and local storage** for authentication and session security.
- **Analytics cookies or local storage** (Mixpanel, a third-party processor) to understand product usage, only when you opt in.

For users in jurisdictions requiring prior consent for non-essential cookies, non-essential analytics/diagnostics remain disabled by default and are enabled only after explicit opt-in through our consent controls.

You can block cookies in your browser settings, but some features may not work. You can also manage analytics and marketing preferences in the in-app preference center.

## 7) Legal bases for processing (EEA/UK)

If you are in the EEA or UK, our legal bases include:
- **Contract**: to provide the Service you request.
- **Legitimate interests**: to secure, operate, and improve the Service.
- **Consent**: for marketing and optional features where required.
- **Legal obligation**: to meet regulatory or lawful requests.

For U.S. users, we process data to provide the Service and comply with applicable laws, and we respect state privacy rights where applicable.

## 8) Data retention

- **Account data and saved content**: kept while your account is active. When you delete your account, we delete or anonymize this data within 30 days, except where legal obligations require retention.
- **Logs and security metadata**: retained up to 30 days for operations, security, and fraud prevention.
- **Backups**: retained up to 30 days to support recovery.
- **Support communications**: retained up to 24 months for quality and compliance.
- **Payments and entitlements**: Stripe customer/subscription IDs and entitlement state are retained up to 7 years as needed for billing, accounting, tax, chargeback defense, and legal compliance.

Where we retain data under legal obligations, typical bases include tax/accounting records, fraud prevention, contractual dispute handling, security investigations, and legal hold requirements.

We may introduce plan-based retention limits (for example, shorter retention on free tiers). If we do, we will disclose the limits in-product and update this Policy before enforcing them.

## 9) Your rights and choices

Depending on where you live, you may have rights to:
- Access your data.
- Correct inaccurate data.
- Delete your data and close your account.
- Restrict or object to certain processing.
- Withdraw consent where processing is consent-based.
- **Data portability** (receive your data in a structured, commonly used, machine-readable format, where applicable).
- Opt out of marketing communications.

You can request data portability and exports in available formats (including JSON, CSV, and PDF where applicable to the requested dataset).

To exercise these rights, email privacy@takeinterest.ai. We may verify your identity before fulfilling requests.
We respond to verified requests within 30 days (or longer where permitted by law).

If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority. See the European Data Protection Board authority list: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

## 10) California privacy rights (CCPA/CPRA)

California residents have rights to know, access, correct, delete, and opt out of sale/share (as defined by law).

We do not sell personal information and do not share personal information for cross-context behavioral advertising. We still provide a "Do Not Sell or Share My Personal Information" mechanism to exercise California opt-out rights.

**Do Not Sell or Share requests:**
- Submit through our web request path: `https://takeinterest.ai/privacy#do-not-sell-or-share`
- Or email: privacy@takeinterest.ai with subject line "Do Not Sell or Share"

We provide at least two methods to submit requests and will confirm receipt and outcome as required by applicable law.

## 11) Marketing communications

We only send marketing communications if you opt in. You can manage preferences in the in-app preference center or unsubscribe at any time using the link in our emails or by contacting privacy@takeinterest.ai. Transactional or service-related emails are still sent when needed (for example, security notices or account updates).

## 12) International transfers (EEA/UK and global users)

The Service is operated from the United States, and user data may be processed in the U.S. (including Google Cloud us-central1) and other jurisdictions used by our processors.

For transfers from the EEA and UK, we rely on appropriate safeguards, including:
- European Commission Standard Contractual Clauses (SCCs), and
- UK International Data Transfer Addendum (UK IDTA) or other UK-approved transfer mechanisms.

If you are located outside the U.S., your data may be transferred to and processed in the U.S. when you use the Service.

For questions about international transfers or to request a copy of applicable transfer safeguards, contact privacy@takeinterest.ai.

## 13) Data Processing Agreement (DPA) and sub-processors

For business customers and enterprise engagements, we provide a Data Processing Agreement (DPA) and maintain a current Sub-processor List.

- DPA reference: `docs/legal/data_processing_addendum.md`
- Sub-processor list: `docs/legal/subprocessors.md`

If a sub-processor change materially affects processing risk, we provide notice through our normal legal/compliance update channels.

## 14) Security and breach notifications

We use reasonable administrative, technical, and organizational measures to protect data, including encryption in transit and at rest, access controls, and monitoring. No system is 100% secure.

If we become aware of a data breach, we will notify affected users and relevant authorities as required by applicable law, including GDPR timelines where applicable.

If you believe your account or data has been compromised, contact security@takeinterest.ai.

## 15) Minors

The Service is strictly for adults 18+. We do not knowingly allow minors to use the Service or collect personal information from anyone under 18. If you believe a minor has provided us information, contact privacy@takeinterest.ai and we will delete it.

## 16) Changes to this Policy

We may update this Policy from time to time. If changes are material, we will provide notice by email or in the Service before the change takes effect, and we will update the "Last updated" date.

## 17) Contact and representative information

Privacy inquiries: privacy@takeinterest.ai  
Security issues: security@takeinterest.ai

DPO status: As of the Last updated date above, TakeInterest has not designated a Data Protection Officer under GDPR Article 37 based on current processing scope. We will update this section if that status changes.

EU/UK representative: We assess representative obligations under GDPR Article 27 and UK GDPR and will publish representative details in this section if appointment is required.

TakeInterest, Inc.  
Seattle, WA