T2D3 Operating System — Privacy Policy

1. Information We Collect

We collect the following categories of personal information.

Account information. When you create an account, we collect your name, email address, and authentication credentials. If you sign in with Google, we receive your email address, name, and profile photo from your Google account.

Profile and organization information. Your role, company name, time zone, language preference, and any optional profile fields you choose to complete.

Subscription and billing information. Your subscription tier (Free, Pro, or Enterprise), billing address, and tax identifiers where applicable. Payment card details are entered directly into our payment processor and are never stored on our systems. We receive only a tokenized customer reference, the last four digits of your card, the card brand, and the expiration date.

User-generated content. The content you create and store within the Service, including playbook task statuses and notes, OKRs, key results, action items, comments, links, file uploads, project structure, and any text you enter into AI prompts or chat interfaces.

Usage data. Pages visited, features used, click and navigation patterns, session duration, task completion events, and timestamps of interactions, collected through server logs and product analytics instrumentation.

Device and connection data. IP address, browser type and version, operating system, device identifiers, screen resolution, and referring URLs.

Communications. The content of emails, support tickets, and other messages you send to us, together with our responses.

Cookies and similar technologies. Described in the Cookies section below.

We do not knowingly collect special categories of personal data such as health, biometric, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or genetic information. Please do not enter such data into the Service.

2. How We Use Your Information

We use personal information to:

• Provide, operate, and maintain the Service, including authentication, session management, and feature delivery.
• Process payments and manage subscriptions through our payment processor.
• Send transactional communications, including magic-link sign-in emails, task notifications, weekly digests, billing receipts, and security alerts.
• Power AI features such as coaching, suggestions, and analysis, as further described in the AI Processing section.
• Improve the Service through aggregated analytics, A/B testing, and product research, using de-identified or aggregated data wherever possible.
• Provide customer support and respond to your inquiries.
• Detect, prevent, and address fraud, abuse, security incidents, and violations of our Terms.
• Comply with legal obligations, enforce our agreements, and protect the rights, property, and safety of T2D3, our users, and others.

Legal bases under GDPR. Where GDPR applies, we process personal data on the following bases: performance of a contract (account, subscription, and support); legitimate interests (security, analytics, and product improvement); consent (where required for non-essential cookies or marketing); and legal obligation (tax, accounting, and lawful requests from authorities).

3. AI Processing

The Service uses third-party AI providers, currently Anthropic (Claude) and OpenAI (GPT models), to power coaching, content generation, summarization, and analysis features.

When you use an AI feature, the prompt and any context we attach to it (which may include your profile data, project structure, task content, and prior chat turns within that feature) is sent to the AI provider for processing. The provider returns a response, which we display to you and store in our database for continuity within your account.

Training. We do not authorize Anthropic or OpenAI to use your prompts or their outputs to train their models. Both providers operate under commercial API terms that, by default, exclude API inputs and outputs from model training. We do not use your prompts, outputs, or other content to train our own models or any third-party model.

Retention at AI providers.AI providers may retain prompts and outputs for a limited period (typically up to 30 days) for abuse monitoring and operational purposes, after which they are deleted under the providers’ standard terms. Enterprise customers may request zero-retention arrangements where supported by the underlying provider.

You should not enter information into AI features that you are not authorized to share with third-party processors.

4. Data Sharing and Subprocessors

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

We share personal information only with the following categories of recipients.

Service providers (subprocessors). We engage the following subprocessors to operate the Service. Each is bound by a data processing agreement and may process personal data only as needed to perform its function.

• Supabase, Inc. — Database hosting, authentication, and file storage.
• Vercel, Inc. — Application hosting and serverless compute.
• Stripe, Inc. — Payment processing and subscription management.
• Resend — Transactional email delivery (magic links, notifications, digests).
• Anthropic, PBC — AI model inference (Claude).
• OpenAI, L.L.C. — AI model inference (GPT).
• Mux, Inc. — Video hosting, streaming, and viewer analytics for masterclass and educational content.
• Google LLC — OAuth authentication and embedded YouTube API services.

A current list of subprocessors is maintained within the Service. We provide at least 30 days advance notice of new or replacement subprocessors by email or in-app notification, giving you the opportunity to raise any objection before the change takes effect.

Within your organization. Other members of your organization or workspace can see your name, email, role, task assignments and statuses, comments, and activity within shared projects. Workspace administrators may have additional visibility into member activity, audit logs, and account settings.

Legal and safety disclosures. We may disclose information when required by law, regulation, legal process, or governmental request; when necessary to enforce our Terms; or when necessary to protect the rights, property, or safety of T2D3, our users, or others.

Business transfers. If T2D3 is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users, and any successor will be bound by terms no less protective than this policy.

5. Data Retention

We retain personal information only as long as needed to provide the Service and meet our legal obligations. Specific retention periods by data category are as follows.

• Account data. Retained for the life of your account. On account deletion, we delete or anonymize your account profile, content, and associated data within 30 days, except where retention is required by law or for legitimate business purposes such as tax records, fraud prevention, or legal claims.
• User content. Playbook content, tasks, comments, and uploads are retained for the life of your account or until you delete them, whichever comes first.
• Backups. Deleted data may persist in encrypted backups for up to 90 days before being purged through normal backup rotation.
• AI prompts and outputs. Retained in your account history for the life of your account or until you delete them. Provider-side retention follows the AI Processing section above.
• Usage and analytics data. Retained in identifiable form for up to 24 months, after which it is aggregated or anonymized.
• Server logs. Retained for up to 90 days for security and debugging purposes.
• Billing and tax records. Retained for at least 7 years to comply with U.S. tax and accounting requirements.
• Marketing communications data. Retained until you unsubscribe, after which we maintain a minimal suppression record indefinitely to honor your opt-out.

6. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information.

• Right to access. Request confirmation of whether we process your data and obtain a copy of it.
• Right to rectification. Request correction of inaccurate or incomplete data.
• Right to erasure. Request deletion of your data, subject to legal retention requirements.
• Right to restrict processing. Request that we limit how we use your data in certain circumstances.
• Right to data portability. Receive your data in a structured, commonly used, machine-readable format.
• Right to object. Object to processing based on legitimate interests, or to direct marketing at any time.
• Right to withdraw consent. Where processing is based on consent, withdraw it at any time without affecting prior processing.
• Right to lodge a complaint.File a complaint with your local data protection authority. EU residents can find their authority via the European Data Protection Board. UK residents can contact the Information Commissioner’s Office.

California residents (CCPA and CPRA). In addition to the rights above, you have the right to know the categories and specific pieces of personal information we collect, the categories of sources, business purposes, and third parties with whom we share information, the right to delete personal information, the right to correct inaccurate information, the right to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discrimination for exercising any of these rights.

To exercise any of these rights, email privacy@t2d3.club from the email address associated with your account. We will respond within 30 days, or sooner where required by applicable law. We may need to verify your identity before fulfilling certain requests, and you may designate an authorized agent to act on your behalf.

7. International Data Transfers

T2D3 is based in the United States, and our primary infrastructure operates in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and in other countries where our subprocessors operate.

For transfers from the European Economic Area, the United Kingdom, and Switzerland, we rely on the European Commission’s Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and equivalent safeguards as appropriate. Copies are available upon request to privacy@t2d3.club.

8. Cookies and Similar Technologies

We use the following categories of cookies and similar technologies.

Strictly necessary cookies. Required for authentication, session management, security, and core functionality. These cannot be disabled while using the Service.

Functional cookies. Remember your preferences such as language, time zone, and interface settings.

Analytics cookies. Help us understand how the Service is used so we can improve it. Analytics data is aggregated and is not used for advertising.

We do not use third-party advertising cookies or cross-site tracking. You can control cookies through your browser settings, but disabling strictly necessary cookies will prevent the Service from functioning.

9. Children’s Privacy

The Service is intended for business use by adults. We do not knowingly collect personal information from anyone under the age of 16. If we learn that we have collected such information, we will delete it promptly. If you believe a child has provided us information, contact privacy@t2d3.club.

10. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including the following.

• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
• Row-level security policies enforced at the database layer.
• Role-based access controls and least-privilege principles for our team.
• Multi-factor authentication for all administrative and production access.
• Regular security reviews and dependency scanning.
• Logging and monitoring of access to production systems.

We will notify affected users and the relevant supervisory authorities of any personal data breach in accordance with applicable law, including within 72 hours where required by GDPR.

No system is perfectly secure, and we cannot guarantee absolute security of your information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised version within the Service with an updated effective date. For material changes, we will notify you by email or in-app announcement at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

12. Contact Us

For privacy questions, requests, or complaints, contact:

T2D3 LLC
Attn: Privacy
89 Kirkland Ave, Suite 222
Kirkland, WA 98033
United States of America

Email: privacy@t2d3.club
General support: support@t2d3.club