What we keep, what we don’t.

• Your email address (for sign-in and receipts).
• Your business name, type, market, and the ad text you write.
• A Stripe customer ID and the last four digits of your card. The card itself never touches our servers; Stripe holds it.
• Server logs of API requests with IP and user agent. Kept 30 days, then deleted.

• Email address and market for delivery.
• Whether the edition was opened and how far you got. We don’t track individual story reads.
• One device push token per signed-in device, used solely for the 6 a.m. local notification.

• No third-party ad networks, no behavioral retargeting.
• No data sold or rented to anyone, period.
• No social-graph imports. We don’t ask for your contacts. We don’t have a contacts feature.
• No analytics SDKs that phone home with whole sessions. Server-side only.

• Stripe. Payments and customer billing portal.
• Firebase Auth. Sign-in (email + password).
• Firestore. Your account doc, ad records, run history.
• Resend. Outbound transactional email (receipts, run confirmations).
• Apple / Google APNs / FCM. The morning push.

Each of these is a sub-processor. We don’t share with anyone else.

• Export. Email hello@debriefd.app and we’ll send a JSON of everything we have on you within 7 days.
• Delete. Same address. We delete the account and associated records within 14 days. Past-edition ads stay in the historical record because the paper is archival, but they’re decoupled from your account.
• Correct. You can edit account fields yourself from your account, or write to us.

We use a single first-party session cookie for sign-in. No tracking cookies, no analytics cookies, no banner. There is nothing to consent to.

Debriefd is operated by Fifth of Fifth Technologies, Inc.