Privacy Policy

1. Introduction

Neural Marketer LLC, doing business as StartupShortcut (“we,” “our,” or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, dashboard, and services (collectively, the “Service”).

Data Controller: Neural Marketer LLC, 629 N High St, Columbus, OH 43215, United States.

We comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), CAN-SPAM Act, and other applicable data protection laws. By using our Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, password (encrypted), and authentication credentials (including Google OAuth tokens and magic link tokens)
• Assessment Responses: Business goals, experience level, budget, timeline, skills, passions, industry preferences, target market information, and business idea descriptions submitted through our quiz or AI chatbot assessment
• Dashboard Data: Business ideas, viability assessments, market research inputs, pain points, opportunities, personas, offers, content studio creations, GTM strategies, website builder outputs, brand identity preferences, domain naming choices, and logo generation prompts
• Payment Information: Billing details processed securely through Stripe (we do not store full credit card numbers)
• Communication Data: Messages sent through our contact form, support requests, newsletter signups, feedback submissions, and AI chatbot interactions

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, tool generation counts, time spent, click patterns, and navigation paths
• Device Information: IP address, browser type and version, device type, operating system, unique device identifiers
• Cookies and Tracking Technologies: Session cookies for authentication (essential, always active), and analytics tracking via Google Analytics and Google Tag Manager. For non-EU visitors, analytics cookies are set under legitimate interest. For EU/EEA/UK visitors, analytics run in privacy-preserving cookieless mode unless consent is granted.
• Log Data: Access times, error logs, and system activity
• Email Engagement Data: Email open rates, click-through rates, delivery status, and bounce information collected through our email service provider to measure and improve our communications

2.3 Information from Third Parties

• Authentication Providers: If you use Google login, we receive basic profile information (name, email, avatar)
• Payment Processors: Transaction confirmations and payment status from Stripe
• Analytics Services: Aggregated usage statistics and performance metrics via Google Analytics / Google Tag Manager. For non-EU visitors, analytics are loaded automatically. For EU/EEA/UK visitors, analytics operate in cookieless mode via Google Consent Mode v2 unless consent is granted.

2.4 Accounts Created Automatically

When you complete a business assessment (quiz or AI chatbot) without an existing account, we may automatically create an account using the email address you provide. This is necessary for delivering your personalized results and roadmap. You will receive a confirmation email and can manage or delete this account at any time.

3. How We Use Your Information

We process your personal data for the following purposes:

3.1 Service Delivery (Legal Basis: Contract Performance)

• Generate personalized Viability Scores and business assessments
• Provide AI-powered market research, pain point discovery, opportunity generation, persona building, offer creation, content studio tools, GTM strategy planning, website generation, brand identity tools, and logo generation
• Deliver dashboard access with your customized data and analytics
• Process payments and manage your account and subscription
• Send transactional emails (account confirmations, password resets, magic link authentication, purchase receipts, and roadmap deliveries)

3.2 Onboarding and Engagement (Legal Basis: Legitimate Interest)

• Enroll new users in an automated onboarding email sequence to help them get value from the platform (you may unsubscribe at any time via the link in each email)
• Send nurturing emails to users who completed the assessment but have not yet engaged with their dashboard
• Track email engagement (opens, clicks) to optimize delivery timing and content relevance

3.3 Service Improvement (Legal Basis: Legitimate Interest)

• Analyze usage patterns to improve features and user experience
• Conduct research using anonymized, aggregated data to enhance our algorithms
• Test and develop new features
• Identify and fix technical issues

3.4 Communication (Legal Basis: Consent)

• Send newsletters with business tips and platform updates (opt-in only)
• Send daily startup idea emails via Shortcuts (opt-in only, unsubscribe anytime)
• Notify you about new features
• Respond to contact form submissions and support requests

4. AI and Data Processing

Our Service uses artificial intelligence and machine learning models from third-party providers to generate business insights, market research, content, and visual assets. Specifically:

• Text Generation: We use large language model providers (via API) to generate market research, personas, content, strategies, and other text-based outputs. Your business-related input data (descriptions, assessment responses) is sent to these providers for processing.
• Image Generation: We use AI image generation services to create logos, brand assets, and visual content. Your brand name and style preferences are sent to these providers.

We do not use your data to train third-party AI models. AI-generated outputs are stored in your account for your use. All AI providers are bound by data processing agreements and process data solely to fulfill your requests.

5. Automated Decision-Making and Profiling

Our Service uses automated processing to generate your Business Viability Score. This score is calculated algorithmically based on your assessment responses and market data, and it may influence the content and recommendations you see on your dashboard.

In accordance with GDPR Article 22, you have the right to:

• Obtain an explanation of how your Viability Score was calculated
• Express your point of view and contest the score
• Request human review of the automated decision

The Viability Score is provided for informational purposes only and does not restrict your access to any features of the Service. To exercise these rights, contact us through our contact page.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

• Service Providers: Supabase (database and authentication), Stripe (payments), Resend (email delivery and tracking), Google Cloud (infrastructure and analytics), AI text generation providers (content generation), and AI image generation providers (logo and visual asset creation). All providers are bound by data processing agreements.
• Legal Requirements: When required by law, regulation, legal process, or governmental request
• Business Transfers: In connection with a merger, acquisition, or sale of assets (with prior notice)
• With Your Consent: For any other purpose with your explicit consent

7. Your Rights and Choices

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate data
• Deletion: Request deletion of your personal data
• Data Portability: Receive your data in a structured, machine-readable format
• Restrict Processing: Limit how we use your data
• Withdraw Consent: Opt out of marketing communications at any time
• Object: Object to processing based on legitimate interest

EU/EEA/UK Residents: You have full GDPR rights, including the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully. A list of EU data protection authorities can be found at edpb.europa.eu.

California Residents: You have CCPA/CPRA rights including the right to know, delete, correct, and opt-out of data sales (we do not sell data). You may also designate an authorized agent to make requests on your behalf.

To exercise your rights, submit a request through our contact page or use the self-service options in your account settings.

8. Data Retention

• Account data: Retained while your account is active. Deleted within 90 days of account deletion.
• Transaction records: Retained for 7 years for legal and tax compliance.
• Analytics data: Aggregated and anonymized data may be retained indefinitely.
• Email preferences: Unsubscribe records retained to honor your opt-out.
• Contact form submissions: Retained for up to 2 years for support and legal purposes.

9. Data Security

We implement industry-standard security measures including encryption in transit (TLS/SSL) and at rest (AES-256), secure password hashing (bcrypt), role-based access controls, Row Level Security (RLS) at the database level, and continuous monitoring. While no system is 100% secure, we take reasonable steps to protect your data.

10. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR)
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Provide information about the nature of the breach, the data involved, the likely consequences, and the measures taken to address it

11. Cookies and Tracking

• Essential Cookies: Required for authentication and core functionality (Supabase session cookies). Always active, no consent needed.
• Analytics (non-EU visitors): Google Analytics and Google Tag Manager load automatically. Analytics cookies (_ga, _ga_*) measure site usage under legitimate interest. No consent banner is displayed.
• Analytics (EU/EEA/UK visitors): Google Analytics loads in privacy-preserving cookieless mode via Google Consent Mode v2. No analytics cookies are stored on your device unless you explicitly consent. A cookie banner allows you to accept full analytics cookies or reject them.

EU/EEA/UK visitors will see a cookie consent banner. You can accept, reject, or dismiss it at any time. Non-EU visitors do not see a cookie banner as consent is not required under applicable law. EU/EEA/UK visitors can change their cookie preferences at any time through the Cookie Settings link in our footer. All visitors can control cookies through their browser settings.

12. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU/EEA transfers.

13. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised “Last updated” date. For material changes that affect how we process your personal data, we will also notify you via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Information