Privacy Policy
Effective date: June 19, 2026 Last updated: June 24, 2026
1. Introduction
This Privacy Policy explains how Data Curator Co ("Data Curator," "we," "us," or "our") collects, uses, shares, and protects personal information when you use our marketing analytics service (the "Service"), which we operate at app.datacurator.co and market at datacurator.co.
By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
This policy works alongside our Terms of Service.
2. Who we are
Data Curator Co 132 Veterans Ln Unit A #320 Doylestown, PA 18901 United States
For all privacy-related questions or requests: privacy@datacurator.co.
We provide a multi-tenant SaaS analytics platform that connects to third-party marketing and payment services (Stripe, HighLevel, PayPal, Teachable, and others added over time) on behalf of our subscribers, ingests their data into our database, and presents dashboards and reports.
3. Information we collect
3.1 Information you provide directly
- Account information: name, email address, password (stored as a salted hash), organization name, role.
- Billing information: processed by Stripe (our payment processor) on our behalf. We receive billing status and the last four digits of the payment card, but we do not store full payment card numbers.
- Customer communications: the content of emails, support tickets, and other messages you send us.
3.2 Information from connected third-party platforms
When you connect a third-party platform (Stripe, HighLevel, PayPal, Teachable, and others) to your Data Curator organization, we access and store data from that platform on your behalf, including but not limited to:
- Stripe: charges, refunds, subscriptions, invoices, customers, products, and prices.
- HighLevel: contacts, opportunities, orders, funnels, forms, and products.
- PayPal: transactions, subscriptions, and payer information.
- Teachable: sales transactions, refunds, and student information.
This data may include personal information about your end customers (names, email addresses, phone numbers, billing addresses, transaction history). You are the data controller for this information; we act as your data processor.
3.3 Information collected automatically
- Service usage: IP address, browser type, pages viewed, timestamps, referring URLs, and similar diagnostic and analytics data when you use
app.datacurator.co. - Marketing-site analytics: when you visit
datacurator.co, we use Google Analytics 4 and the Meta Pixel to understand visitor behavior and measure advertising effectiveness. See Section 11 (Cookies and tracking). - Cookies and similar technologies: see Section 11.
4. How we use information
We use information for the following purposes:
- Provide the Service: authenticate users, ingest and display data from your connected platforms, generate dashboards and reports.
- Billing: process subscription payments via Stripe.
- Support: respond to your questions and troubleshoot issues.
- Improve the Service: monitor performance, debug errors, build new features.
- Security and fraud prevention: detect abuse, prevent unauthorized access, enforce our Terms.
- Communications: send service notifications (mandatory) and product updates (you can opt out).
- Marketing: measure ad effectiveness on
datacurator.co(only with your consent where required by law). - Legal compliance: comply with applicable laws and respond to lawful requests.
5. Legal bases for processing (EU / UK customers)
If you are in the European Union, United Kingdom, or other jurisdictions requiring a legal basis under GDPR or similar laws, we rely on:
- Performance of a contract: to provide the Service you signed up for.
- Legitimate interests: to secure the Service, prevent fraud, improve features, and communicate operationally — balanced against your rights and freedoms.
- Consent: for non-essential cookies, marketing communications, and any processing that legally requires consent. You can withdraw consent at any time.
- Legal obligation: to comply with applicable law (e.g., tax records, lawful demands).
6. Sub-processors
We use the following sub-processors to operate the Service. Each is contractually bound to handle data only as instructed by us and to apply appropriate security measures.
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Google Cloud Platform | Compute (Cloud Run, Cloud Functions), database (Cloud SQL PostgreSQL), object storage (Cloud Storage), messaging (Pub/Sub), secrets (Secret Manager) | United States |
| Stripe, Inc. | Subscription billing (our billing of you) | United States |
| Anthropic, PBC | AI-assisted analytics queries (Claude API) when you use AI features | United States |
| Cloudflare, Inc. | DNS, edge caching, DDoS protection, TLS termination | Global edge network |
| Postmark (ActiveCampaign LLC) | Transactional email delivery (magic-link sign-in, account notifications, password resets, system alerts) | United States |
| Google LLC (Google Workspace) | General business communication (support correspondence, account management email) | United States |
We update this list when sub-processors change. Where required by GDPR, we will notify customers in advance of material changes via email or in-product notification, and you may object.
7. AI processing of customer data
7.1 In-product AI features
When you use AI features within the Service (for example, asking analytics questions in plain language inside the Data Curator app), the query you submit and a constrained context of your organization's data are sent to Anthropic's Claude API to generate a response.
We have configured this integration so that:
- Your data is not used by Anthropic to train its general models.
- Only the minimum data needed to answer your query is sent.
- Requests are subject to Anthropic's API terms and Anthropic's enterprise data handling policies.
If you do not use in-product AI features, no customer data is sent by us to Anthropic.
7.2 Model Context Protocol (MCP) server
We operate a Model Context Protocol (MCP) server at mcp.datacurator.co that lets you connect MCP-compatible client applications (such as Claude Desktop, Cursor, or your own integrations) to query your organization's data in Data Curator programmatically.
When you authorize an MCP client to access your organization's data:
- The client authenticates to our MCP server via OAuth or magic link.
- The client may invoke the analytics tools we expose to query your data.
- The data returned to the client is scoped to your organization.
Important: If your MCP client integrates with an AI provider (for example, Claude Desktop transmits to Anthropic, and other MCP-compatible clients may transmit to other AI providers), the queries you submit and the data returned by our MCP server may be transmitted onward to that AI provider as part of the AI interaction. We do not control what happens to your data after it leaves our MCP server and reaches your chosen client and its AI provider.
You are responsible for:
- Choosing MCP clients and AI providers that meet your privacy, security, and compliance requirements.
- Reviewing the privacy policy of any AI provider you connect.
- Managing access to MCP client credentials issued for your organization.
We log MCP access for security and audit purposes. We do not use the contents of your MCP queries for any purpose other than fulfilling the query and operating the Service.
8. International transfers
We are based in the United States and process data in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.
For transfers of personal data out of the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other lawful transfer mechanisms as applicable. Contact privacy@datacurator.co to request a copy of the SCCs or to enter into a Data Processing Addendum.
9. How we share information
We share information only as follows:
- With sub-processors listed in Section 6, for the purposes described.
- With third-party platforms you connect: when you authorize Data Curator to connect to Stripe, HighLevel, PayPal, Teachable, or another platform, we exchange data with that platform on your behalf as needed to operate the integration.
- With your authorized users: other users in your organization can see data within your organization based on the access you grant them.
- For legal reasons: to comply with applicable law, respond to lawful subpoenas or court orders, enforce our Terms, or protect the rights, property, and safety of Data Curator, our customers, or others.
- In a business transfer: if Data Curator is acquired, merged, or sells assets, your information may transfer to the successor entity. We will notify you of any such transfer and any material change in this policy.
Government and law-enforcement requests. When we receive a request from a government agency, law-enforcement body, or other public authority for your personal information, we review the request for legal validity before responding and disclose only the minimum information necessary to comply. We push back on requests we consider overbroad, legally insufficient, or otherwise improper, and we keep internal records of the requests we receive, our responses, and the legal reasoning for any disclosure. Where we are legally permitted to do so, we will notify the affected customer before disclosing their information.
We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes.
10. Data retention and deletion
- Account and platform data: retained for the duration of your active subscription. On cancellation or termination, we immediately stop ingesting new data from your connected platforms. We retain your existing data for ninety (90) days (the "Post-Termination Period") so you can export it, reactivate your account, or request earlier deletion. After the Post-Termination Period, we automatically delete your Customer Data without further notice. Reactivating during the Post-Termination Period restores access and resumes ingestion; after the Post-Termination Period ends, reactivation requires reconnecting your platforms and reingesting data.
- Billing records: retained for seven (7) years to comply with US tax and financial recordkeeping requirements. These are not affected by the Post-Termination Period.
- Operational logs and backups: retained for up to 90 days.
- Communications: customer support communications retained for two (2) years.
You may request earlier deletion at any time during the Post-Termination Period by emailing privacy@datacurator.co or by following the instructions at https://datacurator.co/delete. We respond to deletion requests within 30 days of confirming the request.
Some information may be retained beyond these periods where required by law or legitimate business need (for example, ongoing legal disputes, fraud prevention records).
11. Cookies and tracking
Marketing site (datacurator.co)
We use the following on our marketing site:
- Google Analytics 4 (GA4): measures site visits, traffic sources, and engagement. GA4 sets cookies that identify returning visitors anonymously.
- Meta Pixel: measures the effectiveness of our advertising on Meta platforms (Facebook, Instagram). The Meta Pixel sets cookies that allow Meta to attribute conversions to ad campaigns.
You can opt out:
- Google Analytics: install the Google Analytics Opt-out Browser Add-on.
- Meta: adjust your Meta ad preferences.
- All cookies: configure your browser to block them.
Where required by law (for example, the EU ePrivacy Directive), we will request your consent before setting non-essential cookies.
Application (app.datacurator.co)
We use only session cookies necessary to keep you signed in and to maintain your selected organization context. These cookies are strictly necessary for the Service to function and cannot be disabled.
12. Security
We apply administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction, including:
- TLS (HTTPS) encryption in transit.
- Encryption at rest for database storage and backups.
- Role-based access control and least-privilege principles.
- Multi-factor authentication for administrative access.
- Audit logging of administrative actions.
- Vendor security review for sub-processors.
No method of transmission or storage is 100% secure. If a data breach affects your information, we will notify you and any required authorities in accordance with applicable law (including GDPR Article 33 and 34, and US state breach notification laws).
13. Your rights
EU / UK / EEA / Switzerland (GDPR and UK GDPR)
You have the right to:
- Access the personal information we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure of your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction of processing in certain circumstances.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority in your member state.
California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, share, and sell about you.
- Delete personal information we collected from you.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell your personal information, and we honor the Global Privacy Control signal as an opt-out request.
- Limit the use of sensitive personal information.
- Non-discrimination — we will not deny you service, charge different prices, or provide a lesser quality of service for exercising your rights.
All other US residents
State privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and others) provide similar rights. We honor requests from residents of those states equivalently.
How to exercise your rights
Email privacy@datacurator.co with the subject "Privacy Rights Request" or use the form at https://datacurator.co/delete. We respond within 30 days. We may request information to verify your identity before fulfilling the request.
If we deny a request, we will tell you why and how to appeal.
14. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a child under 18, contact privacy@datacurator.co and we will delete it.
15. Google API Services User Data Policy
When the Service accesses information from Google APIs (for example, Google Ads on your behalf), our use and transfer of that information adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We do not use Google user data to:
- Serve advertisements (including retargeting or personalized advertising).
- Train or improve general-purpose AI models.
- Sell to data brokers or information resellers.
- Determine creditworthiness or for lending purposes.
We use Google user data only to provide and improve the user-facing features of the Service that you have requested. We retain Google user data only as long as needed for those purposes.
16. Meta Platform Data
When the Service accesses information from Meta APIs (Marketing API, Pages, Lead Ads) on your behalf, we process that information only to deliver the analytics features you have authorized. We:
- Disclose what Meta Platform Data we process in this policy.
- Do not sell, license, or transfer Meta Platform Data to third parties.
- Promptly delete Meta Platform Data on your request, on account closure, when no longer needed for legitimate business purpose, or when Meta requests.
To request deletion of Meta-sourced data specifically, follow the instructions at https://datacurator.co/delete.
17. Stripe data accessed via OAuth
When you connect your Stripe account via OAuth, we access charges, refunds, subscriptions, invoices, customers, products, and prices on your behalf. We process this data only for the analytics features you have authorized.
We do not use Stripe data:
- For credit, lending, or insurance underwriting determinations.
- To make eligibility decisions about your end customers.
18. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the email associated with your account) or by an in-product notice at least 30 days before the changes take effect. The "Last updated" date at the top of this policy will reflect the most recent revision.
19. Contact
For privacy questions, requests, or to exercise your rights:
Email: privacy@datacurator.co
Mail: Data Curator Co Attn: Privacy 132 Veterans Ln Unit A #320 Doylestown, PA 18901 United States
If you are in the European Economic Area or United Kingdom and we have not addressed your concern to your satisfaction, you may contact your local data protection authority.