Privacy Policy

1. Information We Collect

1.1 Account Information

When you create a creator account, we collect:

• Your email address (for account creation and notifications)
• Your chosen @charged.chat handle
• Stripe Connect account information for payment processing
• Account creation timestamps

1.2 Message Information

To facilitate message delivery, we temporarily collect:

• Sender (fan) email addresses
• Message content (subject, body text, HTML content)
• Email attachments
• Message metadata (headers, timestamps, SendGrid message IDs)
• Payment correlation data

1.3 Payment Information

Payment processing is handled by Stripe. We store:

• Payment intent IDs and transaction metadata
• Transfer amounts and platform fees
• Payout status and timestamps
• Stripe account connection status

1.4 Technical Information

We automatically collect certain technical information:

• Service usage logs and error reports
• Webhook delivery status and timestamps
• System performance and reliability metrics

2. How We Use Your Information

Purpose	Data Used	Legal Basis
Account Management	Email address, handle, Stripe account info	Contract performance
Message Delivery	Message content, sender/recipient emails	Contract performance
Payment Processing	Payment data, transaction metadata	Contract performance
Service Improvement	Usage logs, performance metrics	Legitimate interest
Legal Compliance	All data as required	Legal obligation
Fraud Prevention	Payment data, usage patterns	Legitimate interest

3. Data Storage and Retention

3.1 Storage Infrastructure

We use the following systems to store your data:

• DenoKV - For creator accounts, pending emails, and transfer records
• Stripe - For payment processing and payout management
• SendGrid - For email delivery infrastructure

3.2 Data Retention Periods

• Creator accounts: Retained until account deletion
• Message content: Deleted immediately after successful delivery
• Pending emails: Automatically deleted after 24 hours
• Payment records: Retained for 7 years for tax and legal compliance
• System logs: Retained for 90 days for service operations

3.3 Data Minimization

We practice data minimization by:

• Only collecting data necessary for service functionality
• Automatically deleting message content after delivery
• Using temporary storage for payment correlation data
• Implementing automatic cleanup of old pending transfers

4. Data Sharing and Third Parties

4.1 Service Providers

We share data with trusted third-party service providers:

• Stripe: Payment processing, Connect accounts, and payouts
• SendGrid: Email delivery and receiving infrastructure
• Deno Deploy: Application hosting and KV storage

4.2 Legal Requirements

We may disclose your information when required by law, including:

• Compliance with valid legal process (subpoenas, court orders)
• Protection of our rights, property, or safety
• Investigation of fraud or other illegal activities
• National security or law enforcement requirements

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our service of any change in ownership.

5. Security Measures

5.1 Technical Safeguards

• Encryption in transit (HTTPS/TLS) for all data transmission
• Encryption at rest for stored data in DenoKV
• Secure webhook signature verification
• Access controls and authentication for admin operations

5.2 Operational Security

• Regular security audits and vulnerability assessments
• Incident response procedures for data breaches
• Employee training on data protection practices
• Monitoring and logging of system access

5.3 Third-Party Security

Our service providers maintain their own security standards:

• Stripe is PCI DSS Level 1 certified for payment security
• SendGrid implements SOC 2 Type II security controls
• Deno Deploy provides enterprise-grade infrastructure security

6. Your Privacy Rights

6.1 Access and Portability

You have the right to:

• Request a copy of your personal data we hold
• Receive your data in a structured, machine-readable format
• Transfer your data to another service provider

6.2 Correction and Deletion

You can:

• Update your email address by contacting support
• Request deletion of your account and associated data
• Correct inaccurate information in your account

6.3 Processing Restrictions

You may request that we:

• Stop processing your data for specific purposes
• Limit how we use your information
• Object to automated decision-making (where applicable)

7. International Data Transfers

charged.chat operates globally, and your data may be transferred to and processed in countries other than your residence. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) for EU data transfers
• Adequacy decisions where available
• Service provider certifications (Privacy Shield successors)

8. Cookies and Tracking

8.1 Essential Cookies

We use minimal essential cookies for:

• Session management and authentication
• Security protection (CSRF prevention)
• Service functionality and error handling

8.2 Analytics

Currently, we do not use third-party analytics or tracking. We only collect server-side logs necessary for service operation and security.

9. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

10. Data Protection Officers

For data protection inquiries, you can contact us at:

• Email: privacy@charged.chat
• Response time: Within 30 days
• EU Representative: Available upon request

11. California Privacy Rights (CCPA)

California residents have additional privacy rights under the California Consumer Privacy Act:

• Right to know what personal information is collected and how it's used
• Right to delete personal information
• Right to opt-out of the sale of personal information (we don't sell data)
• Right to non-discrimination for exercising privacy rights

12. European Privacy Rights (GDPR)

If you're located in the European Union, you have additional rights under GDPR:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to lodge a complaint with a supervisory authority

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by:

• Email notification to all registered users
• Prominent notice on our website
• Updated "Last modified" date at the top of this policy

Continued use of our service after changes constitutes acceptance of the updated policy.

14. Contact Information