Privacy Policy
Last updated: April 24, 2026
This policy describes what personal data Content Gremlins collects, why we collect it, and what rights you have over it. It applies to the Content Gremlins website, the waitlist, and the product (once live).
We take privacy seriously because we have to — and because we want to build the kind of product we'd want to use ourselves.
Who's responsible
Content Gremlins is operated by Adam Kosinar, a sole trader (OSVČ) based in the Czech Republic, IČO 24592986. For the purposes of GDPR, Adam Kosinar is the Data Controller for all personal data processed through Content Gremlins.
Contact for any privacy-related question: [email protected].
The Czech Data Protection Authority is the Úřad pro ochranu osobních údajů (ÚOOÚ). If you believe we've mishandled your data, you have the right to complain to them.
What we collect
On the marketing site (current)
- Waitlist email. If you submit the waitlist form, we store your email address, which form you used (hero or final CTA), and the timestamp.
- Aggregate analytics. We use Vercel Analytics and Vercel Speed Insights, which are cookieless and do not identify individual visitors. We see page views, load times, and rough geographic regions — never individual user identifiers.
- No tracking pixels. No third-party advertising networks, no Facebook Pixel, no Google Analytics, no session replay.
In the product (applies at launch)
When you sign up and use Content Gremlins:
- Account data. Your email, name (if provided), password hash, and account settings.
- Client workspace data. Workspaces you create, clients you invite, posts you draft, captions, assets, brand briefs, comments, and scheduling data.
- Usage data. Which features you use, timestamps of activity, and technical logs for debugging (IP address, browser type). We keep activity logs (MCP tool calls, auth events) for up to 90 days and aggregated usage for up to 12 months.
- Billing data.Handled by Lemon Squeezy — see "Third parties" below. We don't store your credit card number.
- AI integration data.If you use Ask Gremlin, we log which tool calls your AI assistant made (draft created, brief read, post sent for review, etc.) so you can audit activity. We don't store the full contents of your AI conversations.
Data your clients generate
If you invite clients to a portal, we collect their name and email, their approvals/rejections/comments on your posts, and when they log in. You (the manager) are responsible for having the right to share your clients' names and emails with us — typically this is covered by your own agreement with them.
Why we collect it
- To provide the service— show your drafts to your clients, deliver notifications, let your AI draft in your client's voice, etc.
- To bill you — through Lemon Squeezy, once the product launches.
- To support you — respond to your questions, debug issues, improve the product.
- To keep the service secure — detect abuse, prevent unauthorized access.
- To comply with legal obligations — tax records, responding to lawful requests from authorities.
Legal bases under GDPR: contract performance (running the service you signed up for), legitimate interests (security, support, product improvement), and consent (waitlist signup, optional marketing emails).
Third parties
We use a small number of infrastructure providers to run Content Gremlins. Your data is processed by them strictly to deliver the service:
| Provider | What they handle | Where |
|---|---|---|
| Vercel | Website hosting, marketing site analytics | US (servers globally) |
| Supabase | Database, authentication, file storage | EU (Frankfurt, Germany) |
| Cloudflare R2 | Media asset storage | Global CDN |
| Lemon Squeezy | Payment processing, as Merchant of Record | US |
| Resend | Transactional email delivery | US |
| Anthropic / OpenAI (optional) | Your AI provider, if you use Ask Gremlin | Per their terms |
We do not sell your data, share it with advertisers, or use it to train machine learning models.
International transfers
Most of your data lives in the EU (Supabase Frankfurt). Some infrastructure providers (Vercel, Lemon Squeezy, Resend) are US-based and receive data under the EU–US Data Privacy Framework or Standard Contractual Clauses. Cloudflare stores assets on its global CDN, primarily in the EU for EU-origin requests.
How long we keep your data
- Waitlist emails: until you unsubscribe, or 12 months after public launch, whichever comes first.
- Active account data: as long as your account is active, plus 30 days after closure in case you want to come back.
- Billing and tax records: retained for 10 years, as required by Czech accounting law, even after your account closes.
- Activity logs (MCP tool calls, auth events): up to 90 days.
- Server runtime logs(handled by Vercel): per Vercel's default retention, typically a few days.
- Aggregated usage data: up to 12 months.
You can ask us to delete your data sooner where legally possible (see "Your rights" below).
Your rights
If you're in the EU, UK, or any jurisdiction with equivalent protections, you have the right to:
- Access — ask what data we have on you
- Rectification — correct anything that's wrong
- Erasure — have your data deleted (except what we must keep for legal reasons, like billing records)
- Portability — get a machine-readable export of your data
- Restriction — ask us to pause processing while we figure out a disagreement
- Objection — object to processing based on legitimate interests
- Withdraw consent— for anything we're doing based on your consent
- Lodge a complaint — with the ÚOOÚ or your local data protection authority
To exercise any of these rights, email [email protected]. We'll respond within 30 days, usually faster. You can also turn off individual notification email types directly in your account settings.
Cookies
The marketing site sets no cookies other than what's strictly needed for the site to function (Vercel's hosting cookies). Vercel Analytics is cookieless.
The product (at launch)will set cookies for authentication (to keep you logged in) and for the View-as-Client toggle. Some preferences (such as which panels you have open) are stored in your browser's local storage, not cookies. We don't use cookies for tracking or advertising.
Security
We use industry-standard practices to protect your data: HTTPS everywhere, encrypted database storage, hashed passwords, access controls for anyone who can see the data (which right now is just Adam).
No system is perfectly secure. If a breach happens that affects your data, we'll notify you and the ÚOOÚ within the 72-hour window GDPR requires.
Children
Content Gremlins is not directed at children under 16. We don't knowingly collect data from children. If you believe a child has submitted their email to us, email us and we'll delete it.
Changes to this policy
We might update this policy as the product evolves. For material changes we'll email active users at least 14 days before the change takes effect. For minor clarifications we'll update the "Last updated" date at the top.
Contact
Privacy questions, data requests, complaints: [email protected]
Data Protection Authority (Czech Republic): Úřad pro ochranu osobních údajů