Legal

PRIVACY POLICY

Effective date: April 19, 2026 · Last updated: July 18, 2026

CIO Digest ("we", "us", "our") provides a personalized daily intelligence briefing for executives and technology leaders. We take your privacy seriously and only collect the minimum information needed to deliver the service. This policy explains what we collect, why, and your rights.

1. Information We Collect

Account data: Email address (required for sign-in via 6-digit code) and a system-generated unique user identifier.

Early-access data: If you request launch updates, we temporarily process the address you submit only to deliver a time-limited verification link. Before confirmation, we retain only a keyed, non-readable address fingerprint and timestamp to prevent repeated-email abuse. We store the address as a launch contact only after you explicitly confirm it.

Briefing preferences: Briefing name, location(s), commute, delivery schedule, selected news categories, theme, accent color, font style, articles-per-category, text size, and optionally an iCal URL you provide.

Subscription data: Stripe Customer ID, Subscription ID, plan tier, billing period end date. We never store your full credit card number — that is handled by Stripe.

Usage data: Timestamps of briefing generation and minimal anonymous analytics for operational reliability. We do not build advertising profiles.

SMS data: If you enable SMS, we collect your mobile phone number, SMS opt-in status, verification status, delivery preferences, and opt-out history so we can send daily briefings, one-time codes, and account notices.

2. How We Use Your Information

  • Authenticate you and prevent unauthorized access.
  • Generate, personalize, and deliver your daily briefing via web, email, or SMS.
  • Process subscription payments through Stripe.
  • Send transactional communications (sign-in codes, receipts, service notices).
  • Send launch updates and an invitation only to addresses that completed our double-opt-in confirmation.
  • Improve the product through aggregated, de-identified usage analytics.

We do not sell your personal information. We do not share your data with third-party advertisers.

SMS consent is protected: No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent will not be shared with any third parties or affiliates. We use mobile information only to provide CIO Digest SMS, including daily briefings, one-time verification codes, security notices, account notices, HELP replies, and STOP processing.

3. Service Providers

To operate CIO Digest, we rely on a small set of trusted processors:

  • Supabase — database, authentication, file storage (US region).
  • Stripe — subscription billing and payment processing.
  • Vercel — application hosting and edge delivery.
  • Namecheap Private Email — outbound email delivery.
  • Twilio — SMS delivery, phone verification, and messaging compliance.
  • OpenAI — text-to-speech generation for audio briefs (script sent; audio returned; no data retention per OpenAI's API policy).
  • Google — Gemini API for AI-assisted content summarization (opt-in).

Each provider is bound by its own data-processing agreement and operates under industry-standard security practices.

4. Calendar Integration (Optional)

If you provide an iCal URL, we fetch event data only to display your upcoming meetings in the briefing. We do not modify your calendar, invite others, or share event details with any third party. You can remove the URL at any time in Settings.

5. Data Retention

Paid accounts: We retain your profile data while your subscription is active and for up to 30 days after cancellation to allow for recovery. Subscription records are retained for 7 years per tax and accounting obligations.

Free accounts (inactive): To keep the service affordable and storage healthy, free accounts that show no activity for 15 consecutive days are automatically deleted along with their associated data. "Activity" means opening a delivered email, loading your digest, signing in, or changing any setting. We send a reminder email at day 12 before deletion. After deletion, your email address may be re-registered by anyone, including you.

Early-access list: Confirmed addresses are retained until the launch list is closed or you withdraw permission. Unconfirmed request markers are deleted after 48 hours; pseudonymous email-delivery evidence is deleted after 30 days. Neither is eligible for launch email. A one-way suppression record may be retained to honor a request not to receive future confirmation emails. You can request deletion at any time.

You can request full deletion at any time (see Section 9).

6. Security

We use industry-standard security measures including TLS 1.2 or newer in transit, AES-256 encryption for confirmation capabilities, private service-only storage, Row-Level Security on database tables, and limited access to production systems. No system is perfectly secure — if we learn of a breach affecting your data, we will notify you promptly as required by law.

7. Cookies

We use first-party cookies strictly for:

  • Authentication session tokens (sb-* from Supabase).
  • UI preferences to avoid theme/color flash on reload (cio-theme, cio-accent, cio-font).
  • A secure, HttpOnly early-access confirmation cookie that expires within 24 hours and is deleted after the confirmation attempt.

We do not use tracking cookies and do not share cookie data with ad networks.

8. Children's Privacy

CIO Digest is designed for professionals and not intended for users under 16. We do not knowingly collect data from children. If we learn we have, we will delete the account and associated data.

9. Your Rights

Depending on your jurisdiction (GDPR, CCPA, or similar), you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information (directly in Settings, or by request).
  • Delete your account and associated data.
  • Export a portable copy of your data.
  • Withdraw consent and unsubscribe from any email or SMS delivery.

To exercise any of these rights, email our privacy team at privacy@ciodigest.app from your registered address. We aim to respond within 30 days.

For SMS, you can also withdraw consent immediately by replying STOP to any CIO Digest text message.

10. Changes to This Policy

We may update this policy to reflect changes to our practices or legal requirements. Material changes will be announced via email or an in-app notice at least 14 days before taking effect.

11. Contact

Questions about this policy or our data practices:

Privacy & data requests: privacy@ciodigest.app

Legal & compliance: legal@ciodigest.app

General support: hello@ciodigest.app

12. Sponsored Content

Free-tier digests include a small sponsored placement from a vetted third-party ad network (e.g., Carbon Ads, EthicalAds). These networks are contextual and do not receive your personal information. We never embed tracking pixels or cross-site cookies in the digest itself. Paid subscribers receive an ad-free experience.