Privacy Policy
// effective: 2026-05-09
PickBits.AI ("PickBits", "we", "us") respects your privacy. This policy explains what we collect, how we use it, who we share it with, and the choices you have. It applies to the website at pickbits.ai, the University, the Arcade, the Experimenters subscriber experience, paid Track Packs, and any related services we operate.
Information We Collect
- Account information: email address, username, display name, optional bio, optional avatar URL, optional Discord handle. If you sign in with Google or GitHub OAuth, we receive the basic profile fields those providers expose (name, email, profile picture).
- Paid-subscriber state: your subscription tier (free / experimenter / founder), period end date, and any active Track Pack entitlements (which packs you own and when access expires).
- Progress data: University module completion, XP, levels, login streaks, achievement unlocks, arcade leaderboard scores.
- Payment data: when you buy a Track Pack, Stripe collects your payment details directly. We do not see or store your card information; we receive only the email address you used at checkout, the Stripe customer/payment IDs, and metadata about which product was purchased.
- Substack reconciliation data: when reconciling Experimenter access, we process the email addresses appearing in the paid-subscribers CSV export from our Substack publication. Substack is a separate data controller for the underlying subscription.
- Free-tier Substack signups (email gate & banner): when you submit your email to the University email gate (the inline "Keep Reading" card on a gated lesson), the slim Experimenters bottom-banner, or another lead-capture form on this site — and you leave the Substack opt-in checkbox checked — we send your email address to Substack's free-tier subscribe endpoint at pickbitsai.substack.com/api/v1/free. This enrolls you in the free PickBits newsletter (new module drops, expansion guides, daily signal). The opt-in checkbox defaults to checked; unchecking it captures your email locally for site-access purposes only, without enrolling you in the newsletter. You can unsubscribe from the newsletter at any time via the link in the footer of any Substack email, with no effect on your unlocked University content.
- Usage analytics: page views, feature use, AB-test exposure, and basic device info (browser, screen size, country at the IP-region level) collected via PostHog and Google Analytics. Where possible we configure these to mask IP addresses.
- Server logs & error reports: request logs (path, status, timestamp), edge-function logs, and uncaught errors captured by Sentry. These may contain a hashed user ID for diagnostic correlation.
- Coaching session data: if you book a coaching session, Acuity Scheduling collects your booking details (name, email, scheduled time, optional pre-survey responses) directly. We see only what's needed to run the session.
- Communications: if you email us, we keep the email and any attachments to provide support.
How We Use Your Information
- Create and operate your account.
- Deliver the content and perks tied to your subscription tier and Track Pack ownership.
- Process payments through Stripe and reconcile paid-subscriber state with Substack.
- Enroll opt-in email-gate signups in the free PickBits Substack tier so subscribers receive new module drops and the daily signal newsletter.
- Maintain the University, Arcade, leaderboards, and progression system.
- Diagnose technical issues and improve the service.
- Send transactional email (purchase confirmation, coaching scheduling, security alerts) and, only if you've opted in, marketing or product-update email.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
Third-Party Services
We share data only with the third-party services necessary to operate PickBits. We do not sell personal information.
| Provider | Purpose | What it sees |
|---|---|---|
| Supabase | Authentication, database, edge functions | Account profile, subscription state, progress, server logs |
| Stripe | Payment processing for Track Packs | Card data (handled by Stripe), email, billing address |
| Substack | Newsletter + paid Experimenter subscription | Email address, subscription tier (governed by Substack's own privacy policy) |
| Acuity Scheduling | Coaching session booking | Name, email, scheduled time, pre-survey answers |
| PostHog | Product analytics, feature flags, A/B tests | Anonymous or pseudonymous usage events, distinct ID |
| Google Analytics (GA4) | Aggregate website analytics | Page views, country-level IP region, device class |
| Sentry | Error and performance monitoring | Exception traces, sometimes a hashed user ID |
| AWS (S3 + CloudFront) | Static site hosting and CDN | HTTP request logs (IP, path, user-agent) |
| Vercel | Hosting for adjacent apps (e.g., Ask Mark) | HTTP request logs |
| Discord | Subscriber community (you join voluntarily) | Whatever you share on Discord; governed by Discord's own privacy policy |
| OpenAI / Anthropic / other model providers | AI features and content generation | Prompts you submit through AI features; we do not pass your account email |
We may also disclose information if required by law, valid legal process, or to protect the safety of our users, the public, or PickBits.
Cookies & Local Storage
PickBits uses cookies and browser local storage for:
- Authentication: Supabase stores a session token in local storage so you stay signed in.
- Preferences: small flags such as your University email gate state (pb_university_email) and dashboard UI choices.
- Analytics: PostHog and Google Analytics set their own cookies for aggregate usage measurement.
You can clear cookies and local storage through your browser, though doing so will sign you out and reset preferences.
Data Retention
- Account, profile, subscription, and progress data: kept while your account is active.
- Stripe payment records: kept as long as required by tax and accounting law (typically 7 years).
- Server access logs: 30–90 days, depending on the provider.
- Aggregated, de-identified analytics: kept indefinitely.
- Email correspondence: kept while reasonably needed to provide support and comply with legal obligations.
If you delete your account, we remove or anonymise your personal data within 30 days, except for records we are legally required to retain (notably Stripe payment records).
Your Rights
- Access: request a copy of the personal data we hold about you.
- Correction: update or correct inaccurate information from your dashboard or by emailing us.
- Deletion: request account deletion by emailing owner@pickbits.ai.
- Portability: request a machine-readable export of your data.
- Objection / restriction: object to or restrict particular processing where the law allows.
- Withdraw consent: for any processing based on consent, withdraw at any time without affecting the lawfulness of prior processing.
- Complaint: users in the UK or EU may lodge a complaint with their national data-protection authority.
Data Security
We use industry-standard security measures: HTTPS for all traffic, Supabase row-level security, secure password hashing for the auth provider, scoped service-role keys for privileged edge functions, and an admin-secret-protected reconciliation interface. No system is 100% secure; we cannot guarantee absolute protection against every form of unauthorised access. Significant data breaches will be communicated to affected users and regulators where required by law.
International Data Transfers
PickBits is operated from the United States. By using the service, you consent to your information being processed in the US and in any country where our service providers operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers from the UK / EU.
Children Under 13
PickBits is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the website or by email to your account address. Continued use after the effective date of an updated policy constitutes acceptance.
Contact
PickBits.AI
Glendale, Arizona, USA
Email: owner@pickbits.ai