1. Who we are
PledgeOFF ("PledgeOFF", "we", "us", or "our") is a Decision Intelligence Platform that helps founders validate product ideas using live market signals.
We operate the website and application at pledgeoff.com.
For any privacy-related enquiries, contact us at hello@pledgeoff.com.
2. What personal data we collect
2.1 Account data
When you create an account we collect:
- Email address — required for authentication and transactional emails.
- Password — stored as a salted bcrypt hash by our authentication provider (Supabase). We never see your plain-text password.
- Google profile data (if you sign in with Google) — name, email address, and profile picture as provided by Google OAuth. We store only the email and a hashed identifier.
- Account creation timestamp and last sign-in timestamp.
2.2 Content you submit
- Idea text — the free-text description of the product idea you submit for validation. This text is sent to our AI provider (Groq) and used to fetch public signals from Reddit and GitHub. Ideas are stored in our database and linked to your user account.
- Feedback votes — thumbs-up or thumbs-down signals on AI verdicts. Stored anonymously per decision record.
2.3 Technical and usage data
We automatically collect:
- IP address — logged at the server level by our hosting provider (Vercel) and included in structured server logs. IP addresses are not stored in our database; they are retained in log files for up to 30 days.
- Browser and device information — user-agent string, viewport size, operating system. Used for error diagnostics.
- Request metadata — URL path, HTTP method, response status, latency in milliseconds, and a randomly generated trace ID per request. Used for performance monitoring.
- Error data — JavaScript stack traces and error messages captured by our error-tracking tool (Sentry) when the application crashes. Error payloads do not include your idea text.
- Page view data — if you have consented to analytics cookies, we use Google Analytics 4 to track page visits and user journeys in aggregate form.
2.4 Data we do NOT collect
- Mobile phone number
- Payment card details (handled entirely by our payment processor)
- Physical address
- Government ID or date of birth
- Any special category data (health, political opinions, etc.)
3. Legal basis for processing (GDPR)
We process personal data under the following legal bases as defined in Article 6 of the GDPR:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Processing idea submissions and generating verdicts | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (account confirmation, password reset) | Performance of a contract (Art. 6(1)(b)) |
| Server logs and error tracking for security and reliability | Legitimate interests (Art. 6(1)(f)) — ensuring platform integrity |
| Analytics and usage statistics | Consent (Art. 6(1)(a)) — via cookie banner |
| Marketing emails and product updates | Consent (Art. 6(1)(a)) — explicit opt-in only |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. How we use your data
- To create and maintain your account.
- To process your idea submissions: the idea text is sent to our AI provider to generate a GO / KILL / PIVOT verdict with supporting evidence.
- To fetch public market signals (Reddit threads, GitHub issues) relevant to your idea. We do not share your idea text with Reddit or GitHub — we query those platforms independently using your idea as a search context.
- To send you email confirmations and essential account notifications.
- To detect and prevent fraud, abuse, and security incidents.
- To improve and debug the platform using anonymised, aggregated usage data.
- To send you product updates and marketing emails if you have explicitly opted in. You can unsubscribe at any time via the link in any email.
5. Third-party processors
We engage the following sub-processors to deliver the service. Each processor is bound by a Data Processing Agreement and, where applicable, Standard Contractual Clauses for international transfers.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, row-level security | Email, hashed password, idea text, decisions, feedback | AWS us-east-1 (US) |
| Vercel | Application hosting, edge network, server logs | IP address, request metadata, server logs | Global CDN (US primary) |
| Groq | LLM inference (verdict generation) | Idea text, signal summaries | US |
| Resend | Transactional email delivery | Email address, email content | US |
| Sentry | Error tracking and diagnostics | Stack traces, browser info, anonymised user ID | US |
| Axiom | Server log management | Structured server logs (trace IDs, latency, status codes) | US |
| Google | OAuth sign-in (optional), Analytics (consent-gated) | Email, name (OAuth); anonymised browsing data (Analytics) | US/global |
| Cloudflare | DNS, DDoS protection | IP address (in transit only, not stored by Cloudflare for us) | Global |
We do not sell your personal data to any third party, ever.
6. International data transfers
Several of our processors are based in the United States. Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to countries not recognised as providing adequate data protection, we rely on:
- Standard Contractual Clauses (SCCs) — the EU Commission's approved model clauses for controller-to-processor transfers; and/or
- Data Privacy Framework (DPF) — for processors certified under the EU-US Data Privacy Framework.
You can request a copy of the relevant transfer safeguards by emailing hello@pledgeoff.com.
7. Data retention
| Data type | Retention period |
|---|---|
| Account data (email, auth records) | Until account deletion, then 30 days for soft-delete recovery |
| Idea submissions and verdicts | Until account deletion or explicit deletion request |
| Feedback votes | Anonymised and retained indefinitely for model improvement |
| Server and access logs | 30 days (Vercel) / 30 days (Axiom) |
| Error reports (Sentry) | 90 days |
| Analytics data (GA4, if consented) | 14 months (Google default, anonymised) |
| Waitlist emails | Until unsubscribe or account creation, whichever is first |
When you delete your account, all personally identifiable data is removed from our primary database within 30 days. Anonymised or aggregated data derived from your usage (e.g., aggregate verdict statistics) may be retained indefinitely.
8. Cookies and tracking technologies
8.1 What cookies we use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| sb-* | Strictly necessary | Supabase authentication session | Session / 1 week |
| cookie_consent | Strictly necessary | Stores your cookie consent decision | 1 year |
| _ga, _ga_* | Analytics (consent required) | Google Analytics 4 — page views and user journeys in aggregate | 2 years |
8.2 Your choices
When you first visit PledgeOFF, you will see a cookie banner. You may:
- Accept all — enables strictly necessary cookies and analytics cookies.
- Reject non-essential — strictly necessary cookies only (the service requires these to function).
You can withdraw or change your consent at any time by clearing your browser cookies for pledgeoff.com. The banner will reappear on your next visit.
You can also opt out of Google Analytics across all websites using the Google Analytics Opt-out Browser Add-on.
9. Your rights under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
- Right of access (Art. 15) — you can request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — you can ask us to correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17) — you can ask us to delete your personal data. We will comply unless we are required to retain it by law.
- Right to restriction of processing (Art. 18) — you can ask us to suspend processing of your data in certain circumstances.
- Right to data portability (Art. 20) — you can request a machine-readable export of the data you provided to us (account details, idea submissions, verdicts).
- Right to object (Art. 21) — you can object to processing based on legitimate interests (e.g., server-side logging). We will assess and respond within 30 days.
- Right to withdraw consent — for any processing based on your consent (analytics, marketing emails), you can withdraw at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint — you have the right to lodge a complaint with your national data protection supervisory authority. In Ireland: the Data Protection Commission. In Germany: your state's Datenschutzbehörde.
To exercise any of these rights, email us at hello@pledgeoff.com with the subject line "Privacy Request — [your right]". We will respond within 30 days. We may need to verify your identity before fulfilling the request.
10. Children
PledgeOFF is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us at hello@pledgeoff.com and we will delete it promptly.
11. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction, including:
- All data in transit encrypted with TLS 1.2+.
- All data at rest encrypted using AES-256 (Supabase).
- Row-level security (RLS) on all database tables — no user can read another user's data.
- Rate limiting on all API endpoints.
- No secrets or personal data in application logs.
- Service role keys (used server-side only) rotated on any suspected compromise.
Despite our best efforts, no method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and no later than 72 hours after becoming aware.
12. Links to third-party sites
Our blog and application may contain links to third-party websites. This Privacy Policy does not apply to those sites. We encourage you to review their privacy policies before providing any personal data.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify registered users by email at least 14 days before the change takes effect.
Continued use of the service after the effective date of any change constitutes your acceptance of the revised Privacy Policy.
14. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
PledgeOFF
Email: hello@pledgeoff.com
Website: https://pledgeoff.com
See also: Terms of Service