Privacy Policy

What we collect, what we do not sell, and how we handle account data.

01

What we collect

We collect three buckets of data:

  • Account info you give us. Name, email, password hash, billing address (collected by Stripe; we never see the card number), and any profile information you add.
  • Content you generate inside the product. App Review replies you draft, photos you upload for profile-photo work, prompts you send to image generation, dating profile drafts, date prep queries, and your message history with the app.
  • Usage signals. Pages you visit, articles you read, credits consumed, time-on-page, and session metadata. We use this to understand product health and improve the experience; we do not use it for ad retargeting.

02

How we use it

We use your data for four purposes:

  • Run the product (sign-in, billing, generation, support).
  • Charge your card for what you bought (via Stripe).
  • Send you transactional email: receipts, password resets, coaching reminders. Not marketing blasts unless you opt in.
  • Improve the product. We look at aggregate usage to figure out which features are working and which to fix.

03

What we don't do

  • We don't sell your personal data or route it through data brokers.
  • We don't share your App Review conversations or profile-photo options with anyone outside our processors.
  • We don't train any public model on your private data.
  • We don't run ad-retargeting pixels (Facebook, TikTok, Google Ads, etc.).
  • We don't sell or rent your email.

04

AI and photo generation

Photos and prompts you submit for profile-photo work are sent to our AI providers (fal.ai, Replicate) for inference and returned to you. We store the resulting images with our image provider (fal.storage) inside your account namespace. We don't share them with other users. We don't use them to train any model. If you delete the image inside the product, we delete the underlying file within 30 days.

05

Sub-processors

  • Stripe: payment processing, billing, refunds.
  • Supabase: primary database (hosted on AWS).
  • fal.ai: image generation, training, and asset storage.
  • Mux: course video delivery.
  • OpenAI: AI replies, triage, image generation.
  • Replicate: additional image generation models.
  • Resend: transactional email delivery.
  • Vercel: application hosting and analytics.

06

Data retention

We hold your account data for as long as your account is active. If you cancel and delete your account, we delete personal data within 30 days, except for billing and tax records we're legally required to retain.

07

Your rights

You can request a copy of your data, delete your account, or correct anything we have on file by emailing hello@coldapproach.io. We respond within 30 days. Where local law (GDPR, UK GDPR, CCPA, etc.) gives you specific rights, those rights apply on top of this policy regardless of what we say here.

08

Security

Passwords are stored as bcrypt hashes rather than plaintext. Communications use HTTPS. Database access is restricted to service-role keys held in our deploy infrastructure. We scope every database query through Supabase Row Level Security so users can only access their own records. No system is risk-free, but these controls are designed to keep account access scoped and auditable.

09

Children

Cold Approach is for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, email us and we'll delete the account.

10

Contact

For privacy questions, deletion requests, or to exercise any right under GDPR / CCPA / similar, email hello@coldapproach.io.

Need data removed?

Email hello@coldapproach.io from your account address. Account and personal data are deleted within 30 days; billing records are retained only as long as required by law.
