Privacy
Policy

Draft. This document is the initial pre-launch version of the Nine·Tails Privacy Policy. It will be reviewed by counsel before any paid customer signs up. The legal-entity name, the controller/processor designations, and the subprocessor list will be finalized in that review.

1. Who this covers

This policy describes how Nine Tails ("Nine·Tails," "we") handles the personal information of (a) visitors to ninetailsagency.com, (b) people with Nine·Tails accounts, and (c) end clients of agencies using the Service ("end clients") to the extent we process their information on the agency's behalf.

For end-client data, the agency is the controller and Nine·Tails is the processor — see the Data Processing Addendum at ninetailsagency.com/legal/dpa for the formal terms.

2. What we collect

From visitors to the marketing site

• Browser type, OS, page paths, and referrer — minimal server logs.
• We do not run third-party analytics on the marketing site at this time. We will name the analytics vendor here before turning anything on.

From people with accounts

• Account information you provide: name, email, agency name, password (hashed), and team-membership records.
• Operational records: log-ins, settings changes, billing events, and report-creation events.
• Payment metadata via our payment processor (Stripe): card-brand and last four digits — never the full card number.

From third-party platforms you authorize

When you connect an ad platform or analytics tool to the Service, we receive metric data scoped to the accounts you authorize. We store snapshots of that data so reports can be regenerated. We do not pull personal information about end customers from those platforms — only aggregate metric series.

From end clients

We do not contact your end clients. End-client information appears in our system only as part of a Report that you draft and send. The Report's recipient address is processed by our email vendor solely to deliver the message and is not used for any other purpose.

3. How we use it

• To run the Service: authentication, billing, generating reports, sending you notifications, and customer support.
• To improve the Service: aggregate, de-identified analytics on which features are used. We do not train external models on your data.
• For legal and security obligations: fraud prevention, abuse response, and compliance with subpoenas and legitimate legal process.

We do not sell personal information, share it with advertisers, or use it to target you with ads outside our own product.

4. AI processing

Drafts of report narratives are generated by Anthropic's Claude family at time of writing. The metric snapshots we send to the model are processed under Anthropic's enterprise data terms — Anthropic does not train on the content of those calls. The model's role is limited to drafting; nothing is sent to your end clients without an authorized human review on your team.

5. Subprocessors

We use a small number of operational subprocessors. The list below is current as of this document's effective date and is also maintained in the DPA appendix:

• Vercel — hosting and edge delivery.
• Neon — managed Postgres database.
• Upstash — Redis (rate limiting, caching).
• Clerk — authentication.
• Stripe — payments.
• Anthropic — large-language-model API.
• Resend — transactional email delivery (planned, before public launch).

We will notify customers in advance of new subprocessors via email and an in-product banner.

6. Data retention

• Account information: kept while your account is active; deleted within 30 days of cancellation, except where we are required to retain (e.g. tax records).
• Metric snapshots and reports: kept for the duration of your subscription. You can export and delete on request — typically processed within 24 hours.
• Server logs: 30 days, unless extended for security investigation.

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal information. Email hello@ninetailsagency.com and we will respond within 30 days.

If you are in the EEA / UK / California, you can exercise these rights under GDPR / UK GDPR / CCPA respectively. We honor verified deletion and access requests regardless of jurisdiction.

8. Security

• All data in transit is encrypted with TLS.
• Data at rest is encrypted in our database and storage providers.
• Access to production systems is limited to a small number of named engineers with audited access.
• We will publish a security disclosure process at ninetailsagency.com/security before public launch.

9. International transfers

Your data may be processed in the United States and the European Union depending on which subprocessor handles it. Where required, we rely on Standard Contractual Clauses (SCCs) and equivalent transfer mechanisms.

10. Cookies and tracking

We use a strictly-necessary session cookie for authentication. We do not use third-party tracking cookies on the marketing site at this time. If we add analytics that fire before consent, we will publish a cookie banner and update this section first.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect information from them.

12. Changes to this policy

We may update this policy. Material changes get at least 30 days' notice via email and an in-product banner. The "Last updated" date at the top of the page reflects the most recent revision.

13. Contact

For privacy questions or to exercise your rights — write to hello@ninetailsagency.com.