Pitch Like ThisLogin

Privacy Policy — Pitch Like This

Version: 0.3.0
Published On: February 06, 2026
Last Updated On: February 06, 2026

This document explains what we collect, why, how we protect it, who can see it, and how you can control it.

1 — Quick overview

  • You create projects and campaigns.
  • Live (Active) campaigns are accessible to anyone with the common "project link" (or UUID). Drafts are private. Paused campaigns stop being served but may have been copied while live.
  • We store verified user emails and sign-in metadata; anonymous visitors get a browser JWT and are not personally identified.
  • You can sign up or log in using LinkedIn OAuth or magic link email authentication.
  • Leads (people who voluntarily fill forms on your campaign) are visible only to you in your dashboard.
  • We use Supabase (DB), Vercel/Netlify (hosting), Google Analytics (usage), and LinkedIn (OAuth authentication).
  • No LLM trains on your data in the current live version of the app.
  • For data deletion or privacy requests, email: pranavdotexe@gmail.com (from the email tied to your Pitch Like This account).

2 — Information we collect

  • Verified users (magic link or LinkedIn OAuth via Supabase):

    • Email (verified)
    • Account creation date
    • Last sign-in date
    • Authentication cookie/JWT for session management
    • LinkedIn OAuth users (when using LinkedIn sign-in):
      • LinkedIn profile data: name, given name, family name, profile picture URL, locale (country, language)
      • LinkedIn unique identifier (sub)
      • Verified email (if provided by LinkedIn)
      • Temporary encrypted cookie storing LinkedIn identifier (expires in 15 minutes, used only when email verification is pending)

  • Anonymous visitors (public campaign viewers):

    • Browser JWT for session continuity (no personal identifier stored)

  • Usage & analytics:

    • Page views, click events (Google Analytics)
    • Session analytics (internal schema):
      • Random session identifier (UUID) for each visit to a campaign link.
      • Campaign and project identifiers associated with that session.
      • Session timestamps: when the session started and when it ended.
      • Active time spent on the campaign page (in seconds), calculated from heartbeat pings while the tab/window is actively in view.
      • Session classification flags (for example: new_session, actual_session, engaged_session) derived from time spent and number of interactions.
      • Hashed user agent: a one‑way hash (for example, SHA‑256) of the browser user agent string, used to deduplicate sessions without storing the raw user agent.
    • Event analytics (internal events table):
      • Random event identifier (UUID) for each tracked event.
      • The session identifier that the event belongs to.
      • Event type (for example, link_open, button_click).
      • Event metadata in structured form (for example, page step, button name, or whether an external link was clicked); this does not include lead form message contents.
      • Event timestamp.

  • Performance & errors:

    • Hosting & platform logs (Supabase, Vercel, Netlify)

  • Service-specific / User-generated content (UGC):

    • Projects, campaigns, case studies, services, CTAs (may include PII you enter)

  • Lead submissions (optional; provided by leads):

    • Name, company, email, optional phone number — visible only to the project owner
    • Abuse and rate limiting metadata: IP address and request metadata (such as timestamp and request path) may be stored for a short period in an in‑memory store (for example, Upstash Redis) to enforce rate limits (for example, 5 requests per minute per IP) and protect forms from automated abuse.

3 — How we use information

  • Verify users and enable authenticated features
  • Authenticate users via LinkedIn OAuth or magic link email
  • Enrich user profiles with LinkedIn data (name, profile picture, locale) when provided and when profile fields are empty
  • Link LinkedIn accounts to existing magic link accounts when email addresses match
  • Provide, operate, and improve the service
  • Maintain security and debug performance/errors
  • Analyze aggregate usage and campaign performance (for example, sessions, engaged sessions, active time spent, event counts) for product improvement
  • Detect and prevent abuse, such as repeated or automated lead submissions, by using technical protections including rate limiting based on IP address and request frequency
  • Send email updates for information that is necessary to be provided for continual of service or necessitated to be shared by the privacy and terms of service
  • We do NOT: sell data, pool UGC into third-party datasets, or train LLMs on your data in the current live version of the app

4 — Publishing, campaigns, and public data — exact rules

  • Projects: private by default. Only you (authenticated owner) can see your full project list.
  • Campaign states — Draft, Active, Paused:
    • Draft: never public.
    • Active: publicly accessible to anyone with the “project” UUID or link. Content can include your CTAs.
    • Paused: removed from live serving; prior viewers may have cached/copied contents.
  • Case studies are visible only when their campaign is Active.
  • Do not publish NDA-restricted or private information.
  • Leads are optional and visible only to the owner of the project in the dashboard.
  • We do not track lead behavior (clicks/views) in the current version.

5 — Third-party services we use

  • Supabase — database, authentication, and internal storage of session and event analytics in a private schema.
  • Vercel / Netlify — hosting, CDN, edge runtime.
  • Google Analytics — page view & click analytics.
  • LinkedIn — OAuth authentication provider (when you choose to sign in with LinkedIn).
  • Upstash Redis — in‑memory data store used for short‑lived analytics queues (for example, processing events and heartbeats) and for enforcing rate limits on repeated lead submissions based on IP address and request metadata.

6 — Data retention, deletion timeline & breach notification

  • We retain data as needed to provide the service.
  • Deletion timeline:
    • Account or project deletion requests are processed within 30 days of verified request (earlier where feasible).
    • Requests must be sent from the email associated with your Pitch Like This account.
  • Campaign caching reality: Paused campaigns are unserved, but third-party or user-side cached copies may persist outside our control.
  • Breach notification:
    • If a confirmed security incident meaningfully risks user data, affected users will be notified at their verified email within 72 hours of confirmation, subject to legal constraints. The notice will include scope, impact, and remediation steps.

7 — Security practices

  • Row Level Security (RLS) on Supabase tables with least-privilege access.
  • Role-based access control is implemented for data access and governed under the Internal Database Querying Rules.
  • Sensitive RPC endpoints are not publicly accessible; explicit application-authenticated routes only.
  • Secure cookies and CSRF protection for client–DB communication.
  • Data in transit is encrypted using TLS 1.3.
  • LinkedIn OAuth temporary identifiers are stored in encrypted cookies (AES-256-CBC) with 15-minute expiration when email verification is pending.
  • No LLM (including Supabase AI) is permitted to read or train on table contents in the current live version of the app.

Incident reporting follows the breach-notification terms above.

8 — Sharing & disclosure

  • We do not sell personal data.
  • Disclosure occurs only as necessary for:
    • Hosting/infra operations
    • Analytics
    • Legal requirements (with notice where not prohibited)

9 — Your rights & choices

  • Access or copy your data.
  • Correct inaccurate information.
  • Delete account or specific projects (processed within 30 days).
  • Opt-out of analytics (contact us).

Requests: email pranavdotexe@gmail.com from your verified account email.

10 — Cookies & tracking

  • Secure authentication cookies.
  • Google Analytics cookies.
  • Anonymous browser JWT for anonymous sessions.
  • Analytics session cookie (for example, a random UUID) used to associate multiple page views and events within a single campaign visit and compute metrics such as engaged sessions and time spent. This cookie is linked only to technical identifiers (session ID, campaign and project IDs, hashed user agent) and does not store your name, email, or lead message contents.
  • Temporary encrypted cookie for LinkedIn OAuth (when email verification is pending): stores LinkedIn identifier in encrypted form, expires in 15 minutes, automatically deleted after use or expiration.

Blocking cookies may break features, including authentication and analytics used to show you campaign performance metrics.

11 — Minors

  • Not directed to children under 13. Contact us for removal if such data was submitted.

12 — International transfers

  • Data may be processed by providers in other jurisdictions. Details available on request.

13 — Changes to this policy

  • Updates may occur when features change. New and old versions of the policy are available in our public github repo Pitch Like This Repository.

14 — Contact

15 — Internal Database Querying Policy

Purpose: prevent unauthorized access, misuse, and accidental leakage of user data.
Principles: least-privilege access, need-to-know, accountability, auditability, and separation of duties.

Access rules

  • Role-based access control governs all privileged access.
  • Temporary elevated access requires documented justification and approval under the internal rules.
  • Contractors and future employees do not receive production data access unless explicitly approved and documented.

Querying & operations

  • Queries are executed in staging unless a production operation is required and approved.
  • Production queries must serve a documented product or support purpose under the internal rules.
  • Exports of PII require explicit approval, documented purpose, and secure transfer consistent with the internal rules.

Logging & monitoring

  • Privileged actions and production queries are logged with actor, time, and purpose.
  • Logs are retained for an appropriate period to support accountability and investigations.

Prohibited actions

  • Downloading or storing lead/user data on personal devices.
  • Using data for non-product business purposes.
  • Sharing PII over informal channels without authorization and appropriate protection.

Emergency & incident handling

  • Break-glass access requires post-event justification and logging.
  • Suspected incidents are escalated, contained, investigated, and notified per breach-notification terms.

Review

  • Policy reviewed periodically and when major product changes occur.
  • Continued use of product or services implies all users have acceptance towards the policy.

16 — Practical guidance (for users)

  • Avoid publishing NDA-restricted or private information in campaigns.
  • Assume paused content may exist in third-party caches.
  • Use your account email when submitting deletion or privacy requests.
← Back to HomeReview Policy Versions