Your Data, Your Rules
Last updated: May 15, 2026
We collect what we need to send you good LA. Nothing we don't.
- We collect emails for the VIBES newsletter and to unlock Garrett's Mom.
- Resend handles email delivery + open/click tracking.
- Supabase stores your subscription, plans you publish, and (if you opt in) Curator favorites.
- We don't sell your data. We don't train models on your personal data.
- You can unsubscribe or delete your data anytime by emailing [email protected].
Email + name — when you subscribe to VIBES, unlock Garrett's Mom, or submit a venue/event.
Plans you publish — title, content, your verified email, optional display name (only shown publicly if you toggle byline).
Engagement signals — email opens, clicks (via Resend), and on-site interactions (page views, clicks). Used to personalize what we send and to improve the platform. Aggregated, never resold.
Cookies + local storage
- admin_session — HMAC-signed session for staff/curators. HttpOnly, 7-day max age.
- portal_location_id — remembers which business location an owner is managing.
- gm_subscriber (localStorage) — keeps you unlocked in Garrett's Mom for 7 days.
- Cloudflare and Vercel set a small number of operational cookies (DDoS protection, edge routing). We don't set any ad-tech cookies.
Server logs — Cloudflare and Vercel keep short-lived access logs (IP, user-agent, path). Used to debug and stop abuse. Rotated within ~30 days.
- We don't use Google Analytics, Facebook Pixel, TikTok Pixel, or any ad-tech tracker.
- We don't buy data from data brokers.
- We don't do cross-site tracking.
- We don't collect SSN, government ID, or precise location (unless you explicitly share an address).
- We don't train external LLMs on your personal data. AI features pass your prompt to Microsoft Azure AI Foundry under their data-protection terms — your inputs aren't used to train OpenAI's models.
- Deliver the VIBES newsletter (via Resend)
- Unlock Garrett's Mom and the Publish-a-Plan flow
- Personalize what we recommend (planned: a Personalized Plan engine — your engagement signals would feed it)
- Run the magic-link auth flows for business owners, officials, and curators
- Detect and stop abuse (rate limiting, spam filtering)
- Improve the platform — aggregate metrics only, never sold
Service providers under contract — same operational scope, can't use your data for their own marketing:
- Cloudflare — edge / DDoS / DNS
- Vercel — site hosting
- Supabase — database, magic-link auth
- Resend — newsletter delivery + click/open tracking
- Ghost CMS — newsletter editorial
- MapBox — geocoding (address only, no email)
- Microsoft Azure AI Foundry — Garrett's Mom inference
- Stripe — payment processing (paid features only, e.g., Curator Card when launched)
We'll only share data with law enforcement when legally required (subpoena, court order) and will fight overbroad requests.
Wherever you are, you can:
- Access — see what we have on you
- Correct — fix anything wrong
- Delete — nuke your account and all linked data
- Port — get a copy of your data in a machine-readable format
- Unsubscribe — every email has a 1-click unsubscribe link
- Object — say no to specific uses (e.g., engagement-based personalization)
Email [email protected] from your subscribed address and we'll respond within 14 days. California residents have additional CCPA/CPRA rights — same process, just say “CCPA request.” EU/UK residents have GDPR/UK-GDPR rights — same process, just say “GDPR request.”
- Subscription records: kept while active, deleted within 30 days of unsubscribe (we keep an audit row showing unsubscribe happened — no other PII).
- Published plans: kept indefinitely as part of the public CurationsLA archive (unless you delete them or your account).
- Server logs: ~30 days.
- Email engagement events (open/click): ~12 months.
- AI prompt logs (Garrett's Mom): ~90 days for debugging + abuse review, then deleted.
All traffic uses TLS. Admin sessions are HMAC-signed (constant-time verification). Subscriber tokens are HMAC-signed. Webhook callbacks verify signatures (Stripe, Resend). We don't store passwords — we use magic links and HMAC tokens.
Found a vulnerability? See /.well-known/security.txt. We respond within 24 hours for critical issues.
CurationsLA isn't directed at children under 13. We don't knowingly collect data from kids. If you're a parent/guardian and think your kid signed up, email us — we'll delete it.
We'll update this policy as the platform grows. For material changes, we'll change the date at the top and notify subscribers via VIBES. Continuing to use the Services after updates means you accept them.
Privacy questions, data requests, complaints: [email protected]. Security disclosures: [email protected] (or see /.well-known/security.txt).
🌴 Good Vibes Only · curationsla.com