Privacy Policy

Effective April 24, 2026. This explains what data we collect, why, who we share it with, and how long we keep it.

1. Who this covers

Two kinds of people interact with FunnelMaster:

Creators — people who sign up for an account to build funnels.
Buyers — people who submit a form or pay on a funnel a creator built. If you're a buyer, the creator (not FunnelMaster) is the primary data controller for the offer itself; we act as the data processor on their behalf.

2. What we collect

From creators: name, email, hashed password, business information you enter, Stripe account ID (but not your bank or card numbers — those stay with Stripe), your funnel content, and usage telemetry (pages visited, builds triggered, AI tokens consumed).

From buyers: whatever the creator's funnel asks for — typically email, name, and billing address during checkout. Payment card details are captured by Stripe's hosted elements and never touch our servers. IP address and browser user-agent for fraud prevention + analytics.

Cookies: an authentication cookie for signed-in creators, and a visitor-ID cookie on public funnels used for conversion analytics. No third-party advertising cookies.

3. Why we collect it

Run the Service (authenticate you, render your funnels, send buyer emails you configured).
Process payments (via Stripe Connect).
Comply with legal obligations (tax reporting, anti-fraud, responding to subpoenas).
Improve the product (aggregate analytics, not individualized profiles).

4. Third parties who process your data

We use these sub-processors. Each is contractually bound to process data only on our instructions.

Stripe — payments + Connect onboarding (Stripe's privacy policy: stripe.com/privacy)
Supabase — database + storage hosting
DigitalOcean — compute + object storage
Anthropic — the AI that helps you build funnels; prompts + your content are sent to Anthropic to generate output
Resend — transactional email delivery (for creators who haven't connected their own Resend key) or your own Resend key if you've configured one

We do not sell your data. Ever.

5. How long we keep it

Account data: for as long as the account is open, plus 30 days after deletion.
Buyer sales records: 7 years (tax/accounting obligation).
Aggregate analytics: indefinitely but deidentified.
Deleted funnels: live data removed within 30 days; backups cycle out within 90.

6. Your rights (GDPR / CCPA)

Depending on where you live, you may have the right to:

Access the personal data we hold about you
Correct inaccuracies
Delete your account + associated data (Settings › Danger Zone)
Export your data in a portable format
Object to processing or request a restriction
Withdraw consent (for anything based on consent rather than contract or legal obligation)

Email [email protected] and we'll respond within 30 days.

7. Security

We encrypt data in transit (HTTPS everywhere) and at rest (Supabase + DigitalOcean provide this). Passwords are bcrypt-hashed. Stripe keys and webhook secrets are rotated on breach. No system is perfectly secure; if we detect unauthorized access to your data, we'll notify you within 72 hours.

8. Children

The Service is not directed at children under 16. If you learn a child gave us data, email us and we'll delete it.

9. International transfers

We're based in the US. If you're in the EEA, UK, or Switzerland, your data is transferred to the US under Standard Contractual Clauses with our sub-processors.

10. Contact + supervisory authority

Privacy inquiries: [email protected]. If you're in the EU and we don't resolve a complaint to your satisfaction, you may contact your local data protection authority.