Privacy Policy.
How we collect, use, retain, and share personal information for Masthead’s membership service — named processors, real retention, no third-party tracking.
Version 1.0 — Effective: 30 April 2026
This Privacy Policy describes what personal information Masthead collects, why we collect it, how long we keep it, and who we share it with. It applies to all visitors to masthead.studio and all Masthead Members. It complements our Member Terms of Service at masthead.studio/terms, which set out the agreement that governs membership; this document focuses specifically on data.
If anything in this Policy conflicts with the Member Terms of Service on a privacy matter, this Policy controls.
Masthead is operated by brainAI, a Cyprus-based business. Cyprus law governs Masthead's operation; the EU General Data Protection Regulation (GDPR) and UK GDPR apply to how we handle personal information.
For all privacy matters — including questions, complaints, or requests under data protection law — write to info@masthead.studio.
Three categories of data, listed plainly:
— Account information. Your name and email address, provided when you join. Your marketing opt-in preference, if any. Payment information, handled by Stripe — Masthead never sees or stores full card details, and Stripe collects your billing address directly on its hosted Checkout or Customer Portal pages (see Section 6 for the processor relationship). The version of the Member Terms of Service you accepted, the timestamp of acceptance, and the IP address from which you accepted, captured at the moment you click accept.
— Usage data. The queries you submit to the concierge. The dossiers you compose. The items you save to your personal collection.
— Technical data. IP address, browser type, request paths, server timestamps. Authentication session cookies set when you sign in.
We collect this data to operate the service. We don't collect more than we need.
Three purposes:
— To operate the service: compose dossiers from your queries, manage your account and subscription, process your payments, and render the saved issues you've built.
— To send you transactional and account communications: magic-link sign-in emails, payment receipts, service notices, billing reminders, and similar operational messages.
— To send you marketing communications, only where you have explicitly opted in. You can unsubscribe from marketing emails at any time, either via the unsubscribe link in any marketing email or by emailing info@masthead.studio.
Masthead does not sell your personal data to third parties. Masthead does not share your data with advertising networks, social media platforms, or data brokers.
Masthead uses minimal cookies. The current inventory:
— Authentication session cookies. Set by Supabase, our authentication provider, when you sign in. These keep you signed in across page loads. They are first-party (set on masthead.studio), HTTP-only, and expire when your session ends.
— Vercel platform routing cookies. Set automatically by Vercel, our hosting provider, for traffic routing and load distribution. These are not analytics cookies; they do not track behaviour across visits.
When you use Stripe Customer Portal to manage your subscription, you are taken to a Stripe-hosted page on stripe.com. Stripe.js sets session cookies on stripe.com — these are not Masthead cookies. They are governed by Stripe's privacy policy, which Stripe makes available on their site.
Masthead does not use third-party advertising or tracking cookies. We do not run Google Analytics, Facebook Pixel, or comparable trackers. We do not sync your usage to ad networks, social platforms, or data brokers.
If we add an analytics integration in a future version of the service, this Policy will be updated and members will be notified per Section 10.
Masthead routes member data through a small set of third-party processors. We share only the minimum each needs to perform its function. Each processor publishes its own privacy policy; you can find them by searching the processor's name on the web.
— Stripe — processes subscription payments. Stripe is PCI-DSS compliant; Masthead never sees full card details. Stripe receives your name, email, billing address, and the card details you enter directly on Stripe's hosted Checkout or Customer Portal pages.
— Resend — sends transactional and (where you've opted in) marketing email on Masthead's behalf. Resend receives your email address and the contents of the messages we send.
— Anthropic — provides the Claude models that compose dossiers. The queries you submit to the concierge are sent to Anthropic for processing, along with the cited article content needed to compose the dossier.
— OpenAI — provides embedding and supplementary models for retrieval. Anonymised query content may be processed by OpenAI's embedding service to find the most relevant articles in our index.
— Vercel — hosts the Masthead application infrastructure, including server-side rendering and edge functions.
— Supabase — provides our database and authentication infrastructure. Account data, subscription state, and saved issues are stored in Supabase, hosted in the European Union.
We retain account data while your Membership is active and for 24 months after cancellation, after which we delete or anonymise it. Payment records are retained for the period required by tax and accounting law (typically seven years from the relevant transaction).
Usage data — queries you submit, dossiers you compose — is retained for service quality monitoring. We may anonymise older queries to remove personally identifiable information while retaining aggregate patterns useful for improving the service.
If you ask us to delete your data sooner, see Section 8.
Under EU GDPR, UK GDPR, and equivalent laws elsewhere, you have the right to:
— Access the personal data we hold about you.
— Rectify data that is inaccurate or incomplete.
— Erase your data ("right to be forgotten"), subject to legal retention requirements.
— Restrict how we process your data in certain circumstances.
— Object to processing for marketing purposes (you can also unsubscribe directly from any marketing email).
— Withdraw consent at any time for processing based on consent (such as marketing emails — use the unsubscribe link in any email).
— Port your data to another service in a structured, machine-readable format.
Masthead processes data under either contract (operating the service for you as a Member) or legitimate interest (improving the service through aggregate analysis), depending on the specific processing activity.
To exercise any of these rights, write to info@masthead.studio. We respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority — or, since Masthead is operated from Cyprus, the Cyprus Data Protection Commissioner.
Masthead is operated from Cyprus, within the European Union. Most processors store data in EU regions. Some processors are based outside the EU — Anthropic and OpenAI are US-based, and Vercel and Stripe operate global infrastructure. Where personal data is transferred outside the EU, we rely on Standard Contractual Clauses (SCCs) or the relevant adequacy decisions in force at the time of transfer.
We may update this Privacy Policy with at least 30 days' notice to your registered email address for material changes (such as adding a new processor or changing how long we retain data). Non-material updates — clarifications, processor list refreshes, contact details — may be made without notice; the version stamp at the top of this page reflects the current version.
The current version of this Privacy Policy is always available at masthead.studio/privacy.
For all privacy matters — including exercising your rights under data protection law, asking how we handle your data, or raising a concern: info@masthead.studio
For data access, deletion, or portability requests, write to info@masthead.studio. See also: Member Terms of Service.