PRIVACY POLICY

Effective date: April 19, 2026 · Last updated: May 8, 2026

CIO Digest ("we", "us", "our") provides a personalized daily intelligence briefing for executives and technology leaders. We take your privacy seriously and only collect the minimum information needed to deliver the service. This policy explains what we collect, why, and your rights.

1. Information We Collect

Account data: Email address (required for sign-in via 6-digit code) and a system-generated unique user identifier.

Briefing preferences: Briefing name, location(s), commute, delivery schedule, selected news categories, theme, accent color, font style, articles-per-category, text size, and optionally an iCal URL you provide.

Subscription data: Stripe Customer ID, Subscription ID, plan tier, billing period end date. We never store your full credit card number — that is handled by Stripe.

Usage data: Timestamps of briefing generation and minimal anonymous analytics for operational reliability. We do not build advertising profiles.

SMS data: If you enable SMS, we collect your mobile phone number, SMS opt-in status, verification status, delivery preferences, and opt-out history so we can send daily briefings, one-time codes, and account notices.

2. How We Use Your Information

  • Authenticate you and prevent unauthorized access.
  • Generate, personalize, and deliver your daily briefing via web, email, or SMS.
  • Process subscription payments through Stripe.
  • Send transactional communications (sign-in codes, receipts, service notices).
  • Improve the product through aggregated, de-identified usage analytics.

We do not sell your personal information. We do not share your data with third-party advertisers.

SMS consent is protected: No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent will not be shared with any third parties or affiliates. We use mobile information only to provide CIO Digest SMS, including daily briefings, one-time verification codes, security notices, account notices, HELP replies, and STOP processing.

SMS frequency and rates: If you enable CIO Digest SMS, you may receive 1 to 3 recurring daily briefing messages per day based on the schedule you choose, plus occasional one-time verification codes, security notices, billing or account notices, HELP replies, and STOP confirmations. Message and data rates may apply from your mobile carrier. You can cancel SMS at any time by replying STOP.

3. Service Providers

To operate CIO Digest, we rely on a small set of trusted processors:

  • Supabase — database, authentication, file storage (US region).
  • Stripe — subscription billing and payment processing.
  • Vercel — application hosting and edge delivery.
  • Namecheap Private Email — outbound email delivery.
  • Twilio — SMS delivery, phone verification, and messaging compliance.
  • OpenAI — text-to-speech generation for audio briefs (script sent; audio returned; no data retention per OpenAI's API policy).
  • Google — Gemini API for AI-assisted content summarization (opt-in).

Each provider is bound by its own data-processing agreement and operates under industry-standard security practices.

4. Calendar Integration (Optional)

If you provide an iCal URL, we fetch event data only to display your upcoming meetings in the briefing. We do not modify your calendar, invite others, or share event details with any third party. You can remove the URL at any time in Settings.

5. Data Retention

Paid accounts: We retain your profile data while your subscription is active and for up to 30 days after cancellation to allow for recovery. Subscription records are retained for 7 years per tax and accounting obligations.

Free accounts (inactive): To keep the service affordable and storage healthy, free accounts that show no activity for 15 consecutive days are automatically deleted along with their associated data. "Activity" means opening a delivered email, loading your digest, signing in, or changing any setting. We send a reminder email at day 12 before deletion. After deletion, your email address may be re-registered by anyone, including you.

You can request full deletion at any time (see Section 9).

6. Security

We use industry-standard security measures including TLS 1.3 in transit, AES-256 at rest, Row-Level Security on database tables, and limited access to production systems. No system is perfectly secure — if we learn of a breach affecting your data, we will notify you promptly as required by law.

7. Cookies

We use first-party cookies strictly for:

  • Authentication session tokens (sb-* from Supabase).
  • UI preferences to avoid theme/color flash on reload (cio-theme, cio-accent, cio-font).

We do not use tracking cookies and do not share cookie data with ad networks.

8. Children's Privacy

CIO Digest is designed for professionals and not intended for users under 16. We do not knowingly collect data from children. If we learn we have, we will delete the account and associated data.

9. Your Rights

Depending on your jurisdiction (GDPR, CCPA, or similar), you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information (directly in Settings, or by request).
  • Delete your account and associated data.
  • Export a portable copy of your data.
  • Withdraw consent and unsubscribe from any email or SMS delivery.

To exercise any of these rights, email our privacy team at privacy@ciodigest.app from your registered address. We aim to respond within 30 days.

For SMS, you can also withdraw consent immediately by replying STOP to any CIO Digest text message.

10. Changes to This Policy

We may update this policy to reflect changes to our practices or legal requirements. Material changes will be announced via email or an in-app notice at least 14 days before taking effect.

11. Contact

Questions about this policy or our data practices:

Privacy & data requests: privacy@ciodigest.app

Legal & compliance: legal@ciodigest.app

General support: hello@ciodigest.app

12. Sponsored Content

Free-tier digests include a small sponsored placement from a vetted third-party ad network (e.g., Carbon Ads, EthicalAds). These networks are contextual and do not receive your personal information. We never embed tracking pixels or cross-site cookies in the digest itself. Paid subscribers receive an ad-free experience.