Privacy Policy

Last updated: April 21, 2026

Who runs CompoundCraft

CompoundCraft is operated by Greg Baker, a sole proprietor based in California. References to "we," "us," or "CompoundCraft" in this policy mean the same person and business. If you want to reach us about anything in this policy, email greg@compoundcraft.co.

What we collect

We collect three kinds of information: what you give us directly, what our vendors handle on our behalf, and what we collect automatically when you use the site.

What you give us

Account information. We use Google OAuth for authentication. When you create an account, Google shares your name, email address, and profile picture with us. You don't set or share a password with us — Google handles that part.

Assessment responses. The assessment asks about your professional background (title, years of experience, industry, company size), your current situation (employment status, runway, goals), your financial targets and constraints, and your lifestyle considerations such as healthcare coverage and location flexibility. You can also optionally upload a LinkedIn profile as a PDF.

Anything else you send us. If you email us, reply to a survey, or contact us directly, we keep that correspondence for support and record-keeping.

What our vendors handle

Payment information. If you subscribe, Stripe handles your payment method. We never see or store your card details. Stripe sends us your subscription status and customer and subscription IDs so we know what access to grant you.

What we collect automatically

Analytics. We use PostHog to understand how people use the product — which pages they visit, which features they interact with, where they drop off. This helps us improve the experience.

Server logs. Our web host records standard request information, including IP address, browser type, and timestamps. This is routine for any website and helps with debugging and abuse prevention.

How we use your data

We use your data to:

• Generate your personalized pathway analysis and deliver it to you
• Provide platform features if you're a subscriber — authentication, subscription management, experiment tracking, access to resources and cohorts
• Send you transactional email: account confirmations, your assessment results, subscription updates, and occasional product updates
• Understand how the product is used, so we can improve it
• Respond when you contact us
• Comply with legal obligations

We do not use your assessment responses or account data to train AI models. We do not sell your data. We do not share your data with advertisers or data brokers.

Who we share it with

We share data only with the vendors we use to run the product. Each of these companies processes data on our behalf, under their own data protection terms:

• Supabase — database and authentication (US region)
• Stripe — payment processing and subscription billing
• Resend — transactional email delivery
• Anthropic — AI processing of your assessment responses, via their API
• Inngest — background job orchestration
• Upstash — rate limiting
• Vercel — web hosting
• PostHog — product analytics
• Google — OAuth authentication

If you want to read about any of these vendors' privacy practices, their policies are available on their websites.

One thing worth highlighting: when we generate your pathway analysis, we send your assessment responses to Anthropic's API. Anthropic's commercial API terms state that inputs and outputs from API calls are not used to train their models. Your responses are processed to generate your analysis and are not retained by Anthropic beyond what their API policy permits.

We may also share data if required by law — a subpoena, court order, or legal process — or to protect our rights or the safety of others. This is uncommon, but we won't pretend it can't happen.

Where your data is stored

Data is stored in the United States, primarily through Supabase (US region) and our other US-based vendors. If you're accessing CompoundCraft from outside the US, your data will be transferred to and processed in the US.

How long we keep it

• Account data and assessment responses: as long as your account is active, and for a reasonable period after you close it in case you want to return. You can request deletion at any time.
• Billing records: we keep subscription and payment records for as long as required for tax and accounting purposes.
• Analytics: we retain aggregated analytics indefinitely, but individual user-level analytics are tied to your account and deleted when your account is deleted.
• Email correspondence: kept for as long as needed for support history, typically up to two years.

If you want your data deleted sooner, email us.

Your rights

Regardless of where you live, you can:

• Access your data — we'll send you what we have
• Correct anything that's wrong
• Delete your account and associated data
• Export your data in a machine-readable format
• Unsubscribe from non-transactional email at any time — transactional email like your assessment results and account confirmations will still be sent

To exercise any of these rights, email greg@compoundcraft.co. We aim to respond within 30 days.

If you're a California resident

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we've collected about you, the right to delete it, and the right not to be discriminated against for exercising these rights. You can exercise these rights using the contact method above. We don't sell personal information, so there's nothing to opt out of on that front.

If you're in the European Economic Area, UK, or Switzerland

If you're in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent laws. These include the rights listed above — access, correction, deletion, and export — plus the right to restrict processing, object to processing based on legitimate interests, withdraw consent where we rely on it, and lodge a complaint with your local data protection authority.

Legal bases we rely on. We process your data under the following legal bases: to provide the service you've signed up for (contract); to improve and secure the product through analytics and abuse prevention (legitimate interests); and where we ask for it specifically, your consent.

International transfers. Your data is processed in the United States. Where required, we and our vendors rely on standard contractual clauses or equivalent safeguards to protect your data during transfer.

To exercise any of these rights, email greg@compoundcraft.co.

Cookies and similar technologies

We use cookies and similar technologies for a few specific purposes:

• Authentication — to keep you logged in after you sign in
• Analytics — PostHog uses cookies to understand usage patterns
• Billing — Stripe uses cookies during checkout

You can disable cookies in your browser, but the product won't work properly without authentication cookies. We don't use advertising cookies or third-party tracking pixels.

Children's privacy

CompoundCraft is built for professionals with 15 or more years of experience. It isn't designed for or directed to anyone under 18, and we don't knowingly collect information from minors. If we learn that we've collected information from someone under 18, we'll delete it.

Changes to this policy

We may update this policy as the product evolves or as regulations change. If we make material changes, we'll email account holders and post a notice on the site. The "Last updated" date at the top will always reflect the current version.

Contact

Questions about this policy, requests about your data, or anything else privacy-related: