Creator Fusion · Privacy

What we collect. What we never do.

Last updated: 2026-04-29 · Plain-English version. Counsel-vetted full policy on request, and ships before any large-scale data collection begins.

What we collect (Pythia)

Customer email — provided to Stripe at checkout. We use it to deliver the Monday dossier and to reply when you write to us. It is not sold, traded, or used for any third-party marketing.

Watch domains — the list of domains you ask us to monitor on your behalf. Stored in our database (Supabase, Frankfurt region) for the duration of your subscription. Deleted within 30 days of cancellation unless you ask us to retain them longer for archival purposes.

Stripe-managed billing data (card last-four, billing address, etc.) — stored by Stripe under their PCI-compliant infrastructure. We never see, store, or process your full card number. Stripe's privacy practices govern that data; we receive only a customer-id reference.

What we never collect

We do not run analytics, advertising pixels, third-party trackers, session recording, or A/B testing infrastructure on this site. There is no Google Analytics, no Meta Pixel, no Hotjar, no Segment. Open the network tab.

We do not sell, rent, share, or transfer customer data to third parties for their own use. The only exception is the data processors strictly required to deliver the service (Stripe for billing, Resend for email, Vercel for hosting, Supabase for storage).

We do not request raw breach credentials, password dumps, or PII from any of our OSINT sources. The Pythia dossier is built from aggregate metadata only — counts and dates, not records. We refuse data we don’t need.

What we collect about your watch-list domains

Pythia pulls public OSINT (cert transparency logs, RDAP/WHOIS, passive DNS, Shodan banners, GreyNoise reputation, BuiltWith tech fingerprints, HIBP aggregate breach counts, etc.) for the domains you ask us to watch. This data is already public and queryable by anyone; we deliver it as a curated weekly dossier. We do not perform active scanning, port probes, vulnerability exploitation, or any action that would constitute unauthorized access under the CFAA or equivalent law in any jurisdiction we operate in.

Hard blocklist: we refuse watch-list submissions targeting hyperscalers (Microsoft, Google, Apple, Amazon, Meta), our own infrastructure providers (Vercel, Supabase, Stripe, Resend, Anthropic, OpenAI), and our OSINT source vendors. The list is in our public source repo at lib/blocklist.ts.

Your rights

Email contact@creatorfusion.net with subject prefix [Privacy] for any of the following: data access, correction, deletion, export, objection to processing, restriction of processing, or to lodge a complaint. Replies inside 24 hours; substantive responses inside 30 days as required by GDPR Article 12 (we apply the same standard regardless of jurisdiction).

Subprocessors

The full list of services we hand customer data to:

  • Vercel — hosting + edge delivery
  • Supabase — primary data store (Postgres)
  • Stripe — billing
  • Resend — transactional email
  • OSINT source vendors (Shodan, BuiltWith, GreyNoise, VirusTotal, Censys, SecurityTrails, HIBP, Dehashed, urlscan.io, crt.sh, RDAP) — we send your watch-list domains, not your identity, when querying their APIs.

Changes

We’ll publish material changes here and email subscribers at least 14 days before they take effect. Non-material edits (typo fixes, link updates) get the bump in the “last updated” date above.

Questions? Contact us.