Privacy Policy
Effective Date: June 1, 2025
This Privacy Policy describes how MyContentHarbor (“we”, “us”, “our”, or “the Service”), operated by Alpine Economics LLC, collects, processes, uses, stores, transfers, and protects your information—including personal data and content—when you interact with our website at mycontentharbor.com, related domains, applications, and all features or services described in our Terms of Service (“TOS”).
By accessing or using MyContentHarbor, you consent to the practices described herein. If you do not agree, do not use or access our services.
1. Information We Collect
We collect information about you in various ways, both directly and automatically, as part of providing, securing, and improving MyContentHarbor:
- Account & Identification Data:
  - Email address (required), password hash (we never store your plaintext password), account activity/metadata, verification status, unique referral code, API keys, and user-set preferences.
  - If you sign in via email/password, we process your hashed credential. If you interact with APIs, we record your authentication tokens/keys.
- Profile, Preferences, and Settings:
  - Preferences like theme, notification, newsletter consent, language selections, content template choices, and any custom content settings for advanced plans.
- Generated & Submitted Content:
  - Topics, prompts, keywords, selections, AI-generated outputs, uploaded content, export requests, and logs of your actions with the Service—including version history and outlines you generate.
- Device, Usage, and Log Data:
  - IP address (e.g., for authentication, rate-limiting, anti-abuse), device/browser type and fingerprint, time zone, language, approximate location (never precise geolocation), access logs, timestamps of actions and session tokens.
  - Operational logs for errors, support interactions, and system security (including failed login, authentication attempts, and audit trail of admin/support actions).
  - Pages you visit (for analytics and product improvement, not sold/marketed), feature usage statistics, and system event logs.
- Payment & Billing Information:
  - Handled by Stripe, our PCI-DSS compliant payments provider. We never have direct access to or store your full card numbers. Stripe collects payment method information, billing name, postal address, country, and transaction records. See the “Stripe” and “Data Sharing” sections for more.
  - We store references required by Stripe (customer ID, subscription ID) and information about your plan, usage quotas or credits, and payment status from Stripe’s system.
- Cookies & Authentication Tokens:
  - Session cookies for authentication (“CF_AUTH”), CSRF tokens, rate limiters, state management, abuse prevention, and security. No tracking/ad/marketing cookies, and no cross-site tracking.
  - We may use secure session cookies to recognize your device/browser and keep you logged in. See section 6 for more detail.
  - Essential (strictly necessary) cookies only. For more privacy info, read section 6.
- Support, Communications, and Feedback:
  - Any support ticket or message you submit (including email address, content, attachments, and correspondence metadata).
  - Feedback or bug reports (feature suggestions, content improvement ideas) may be logged and anonymized for service improvement.
- Third-Party Integrations & APIs:
  - To fulfill your actions (for example, by generating AI content through OpenAI APIs, sending password reset/verification emails via Resend, or processing payments via Stripe), data you provide may be securely relayed to or from these partners. See section 3 for precise data-flows and liability boundaries.
2. How We Use Your Information
We will only use your information for the purpose for which it was collected, or as otherwise described in this Policy or as permitted by law.
- Service Functionality & Customer Experience: To create and maintain your account, authenticate user actions, deliver content, remember session status, manage encouragement/reward programs, and show your content history and usage statistics.
- Content Generation: To send the prompts/content you provide (including keywords, instructions) to OpenAI or other model providers to create content on your request, and to store/output result content for you.
- Security & Abuse Prevention: Including enforcing AuthN/AuthZ, brute-force lockouts, abuse/fraud monitoring, limiting risky or illegal use, and fulfilling legal obligations of platform or third-party providers.
- Payments, Subscription & Billing: To process payments, verify eligibility, allocate quotas, apply referral/discount codes, and keep track of active plans (all sensitive payment data is handled by Stripe, see section 3).
- Analytics & Metrics: To improve service quality, analyze site/app usage, feature popularity, funnel metrics, error rates, and aggregated statistical reporting, all in a privacy-respecting and pseudonymized manner. No direct user tracking for marketing purposes.
- Communications: To send verification emails, password resets, service notifications, system alerts, legal updates, transactional confirmations, or support responses. Marketing or newsletter emails only if you have expressly opted in (with separate, logged consent).
- Regulatory Compliance & Protection: To comply with legal, contractual, or regulatory obligations, enforce the Terms of Service and Acceptable Use Policy, resolve disputes, investigate and prevent fraudulent/malicious activity, or protect the rights, property, or personal safety of MyContentHarbor, its users, or third parties.
- Business Operations: To support audits, accounting, backups, product development, and (if needed) lawful transfers of control or ownership (see section 11).
3. Disclosure & Sharing of Information
We share your data with third parties only as required to provide you the MyContentHarbor service, comply with law, or protect our rights. These include:
- Payment Processor (Stripe):
  - Stripe acts as our merchant of record and handles all payment processing, subscription/billing, invoices, and refund support. We never see or store your full credit card number or sensitive payment data. Stripe privacy details: stripe.com/privacy.
  - What we receive from Stripe: flags about payment status, amount paid, plan/subscription IDs, invoice records, and the minimal billing metadata we need to allocate credits and provide support.
- AI Model Provider (OpenAI):
  - Whenever you use our AI content generation, your prompt and related context are securely transmitted to OpenAI’s servers to fulfill your request. Output is returned and displayed/stored in your account. OpenAI privacy details: openai.com/policies/privacy-policy.
  - Note: We do not send your full account details, password, or payment data to OpenAI—only prompt content and security identifiers necessary for generation/rate-limiting. Any content generated is subject to OpenAI's policies and may be logged by OpenAI as part of their abuse/security practices, in accordance with their own terms.
- Email/Notification Provider (Resend):
  - We use Resend, a transactional email service, to send account verification, reset, and alert emails. The provider processes your email address, relevant message content, and limited delivery metadata (not message content history or browsing data). Privacy details: resend.com/legal/privacy-policy.
- Infrastructure (Cloudflare, Analytics, Storage):
  - Our Service, including database and static asset storage, runs on Cloudflare’s platform (Data Center in USA/EU), which may process unstructured traffic, logs, and D1 database queries. Cloudflare privacy: cloudflare.com/privacypolicy.
  - Basic usage metrics are collected for performance/security, not for marketing. Cloudflare may analyze traffic for operational and security purposes (e.g. DDoS defense, rate limiting, error tracking).
- Other Service Providers (where applicable):
  - We may use vetted contractors or vendors under data processing agreements for activities required for business operation—such as backup, support ticket triage, legal/audit/compliance, or analytics. These third parties may only use data as instructed by us and subject to strict confidentiality requirements.
- Legal Obligations & Enforcement:
  - We may access and disclose your information if necessary to enforce our terms or policies, respond to legal process (e.g., court orders, subpoenas), or protect the safety, property, or rights of us or others (e.g., investigating fraud/abuse, or as mandated by law).
- Business Transfers:
  - If we are involved in an acquisition, merger, sale of assets, bankruptcy, or similar business transfer, your information may be transferred as part of that transaction. We will post a prominent notice or otherwise notify users if such a transfer materially impacts your privacy rights.
- Aggregated/De-Identified Data:
  - We may share aggregated statistics (e.g. anonymized reports on usage, content trends, number of posts generated) that do not identify particular individuals, for research, analytics, or business purposes.
- No Sale of Data:
  - We do not sell, license, rent, or transfer your personal information to advertisers or third parties for commercial purposes. No cross-site retargeting, profiling, or advertising cookies are used, in line with the Service’s commitment to privacy-by-design. Your data is used strictly as necessary to deliver and improve the Service or as required by law.
4. Data Security & Protection
- Encryption & Storage:
  - Data in transit is protected with state-of-the-art encryption (HTTPS/TLS 1.3 or higher).
  - Authentication tokens are cryptographically signed; passwords are hashed (PBKDF2-SHA256, never stored in plaintext).
  - User content is stored in secure, access-controlled Cloudflare D1 databases. Backups may be maintained for a limited time, subject to the section on retention.
- Access Control:
  - Administrative access is strictly limited to a small number of authorized personnel, with extensive audit logging and “least privilege” access policies enforced.
  - All accesses to user data for support or debugging are logged, monitored, and subject to disciplinary action if abused.
- Security Practices:
  - We use rate-limiting, brute-force protection, strong session/cookie properties (HttpOnly, Secure, SameSite), and regularly review security controls for compliance with best practice.
  - No system can guarantee 100% protection. By using the Service, you acknowledge that breaches or unauthorized access, while unlikely, cannot be ruled out. If a breach occurs that is likely to result in a risk to your rights or freedoms, we will notify affected users and authorities as required by law.
- Incident Response:
  - In case of a security incident, we will (a) contain the breach, (b) investigate scope/cause, (c) take corrective measures, and (d) notify regulators and users if required by law/regulation in a timely manner.
5. Data Retention & Deletion
- Data Retention: Your account data, generated content, support logs, and activity records remain available as long as your account is active and required to deliver the Service.
- Deletion on Request: You may request deletion of your account and its associated personal data/content by contacting support@mycontentharbor.com or using dashboard features (if provided). After verification, your account will be scheduled for deletion. Some aggregate, anonymized summary data may be retained for analytics or business continuity.
- Backups & Legal Holds: Deleted data may persist for up to 90 days in system backups or log archives; longer if needed to comply with applicable laws, litigation, regulatory requirements, or abuse/fraud investigations. In such cases, data is restricted and finally destroyed once retention requirements end.
- Payment Records: Transactional data (including plan, payment status, invoices, and usage records) may be retained for up to 7 years for tax, accounting, and regulatory compliance, as required by law.
- Operator's Right to Retain for Abuse/Legal Reasons: We may retain information, including user-generated content, necessary to enforce our Terms, investigate suspected abuse, fraud, or legal disputes, or comply with law enforcement, even if your account is deleted.
6. Cookies, Tracking Technologies & Analytics
- Strictly Necessary Cookies:
  - We use cookies/tokens solely for authentication, CSRF/XSRF protection, abuse prevention, session state, and required analytics.
  - No advertising, tracking, social, or third-party marketing cookies are set.
- Authentication Cookies:
  - On login, we set a session token (“CF_AUTH”) as a secure, HttpOnly, SameSite cookie. This allows you to remain logged in, and is required to use most authenticated functions of the Service.
  - This token does not track you across sites or for advertising. It is only valid for our domain.
- Analytics:
  - We use privacy-focused analytics (Cloudflare Analytics Engine) to measure overall usage, feature adoption, requests, and technical performance. We avoid persistent identifiers whenever possible, and never use analytics for ad-targeting.
  - Analytics data is pseudonymized and subject to internal retention/information minimization policies. No personal content, password, or payment data is included in analytics.
- Your Controls:
  - Your browser settings allow you to block/manage cookies. Blocking essential cookies may disrupt login or critical features.
  - Most browsers also allow you to review, clear, or delete cookies at any time.
- Third-Party Integrations/Links:
  - MyContentHarbor may link to or integrate content from external services (e.g., Stripe’s or OpenAI's hosted payment/portal pages, docs, or support resources). These sites may set their own cookies or tracking as governed by their policies. We strongly recommend you review their privacy statements prior to interacting with them. We accept no responsibility or liability for third-party privacy practices.
7. International Data Transfers & Regional Compliance
- Data Locations:
  - Your data is primarily stored and processed in the United States; it may also be processed in the European Union, depending on your location and the services you access.
  - By using MyContentHarbor you consent to the transfer, processing, and storage of your information in jurisdictions that may have different privacy standards than your own. Wherever required by applicable law, we use safeguards such as Standard Contractual Clauses with our subprocessors.
- EU & EEA Users (GDPR):
  - Additional rights apply to you if the data controller is subject to GDPR (General Data Protection Regulation): see section 8.1 for more.
- California Users (CCPA):
  - Additional disclosures and rights apply: see section 8.2 below.
- Children:
  - MyContentHarbor is not designed for or intended to be used by children under 16. We do not knowingly solicit or collect personal data from anyone under 16. If you believe a user is under 16, contact us and we will delete the data as required.
8. Your Rights & Options
- Access: You can view and export your data and generated content from your dashboard at any time.
- Correction: You may update preferences, newsletter status, or password in your dashboard. For any correction to immutable data (like account email), contact support.
- Deletion: You may request deletion of your account and data by contacting support. We will honor all deletion/erasure requests as promptly as possible, and in any case within 30 days, except where legal or billing requirements mandate longer retention.
- Export: Users can initiate content export and account data download from the dashboard, or request a full export via support.
- Withdraw Consent: Where our processing is based on your consent (e.g., newsletter subscription), you may withdraw consent at any time by updating your preferences.
- Object/Restrict: Under certain circumstances, you may request that we limit our processing of your information (for example, to restrict use for marketing). We honor such requests in accordance with applicable law.
- Non-Discrimination: We will not discriminate against you for exercising rights under the CCPA, GDPR, or similar laws. However, essential Service features may require certain data to function.
8.1 Additional Rights for EEA/UK Users (GDPR, UK GDPR):
- Right to access, rectification, and erasure;
- Right to restrict or object to certain processing;
- Right to data portability;
- Right to lodge a complaint with a data protection authority (see section 12).
Contact us to exercise these rights. Before acting on any request, we may require identity verification. “Controller” for GDPR purposes: Alpine Economics LLC, support@mycontentharbor.com
8.2 Additional Rights for California Residents (CCPA):
- Right to know the categories of personal information we collect, use, and disclose, as detailed above;
- Right to request deletion of personal information, subject to certain legal exceptions;
- Right to opt out of “sale” of personal information (we do not sell your personal information);
- Right to access and receive your information in a portable format.
Submit requests to support@mycontentharbor.com. You may designate an authorized agent to make a request on your behalf with valid written permission.
9. AI Content, Third-Party Processing & Liability Disclaimers
- AI Model Processing:
  - When you create content via MyContentHarbor, your prompt/topic, selected keywords, and context are securely relayed to OpenAI or a similar AI model operator to process and generate the requested output. Your data will be processed according to the privacy and security practices of the applicable provider, which may be updated or changed at their discretion.
  - No direct user account, password, or payment data is shared with the AI provider as part of the generation operation.
  - The AI provider may log/monitor prompts or output as required for abuse detection, filtering, debugging, or analytics, subject to their privacy policy and any legal requirements.
  - You acknowledge that the content output is machine-generated (possibly similar to outputs returned to other users), may contain inaccuracies, third-party material, or information unsuitable for publication or reliance, and is provided as is (see TOS & section 10).
- Third-Party Providers:
  - Payment, email, and hosting providers only receive the data strictly necessary for provision of their service. They may log operational details, error reports, receipts, delivery status, and abuse/incident events for audit/compliance. Your use of these services is additionally governed by their privacy statements and terms.
- Liability Mitigation:
  NO SECURITY SYSTEM IS IMPENETRABLE. YOUR USE OF THE SERVICE IS AT YOUR OWN RISK.
  We employ best practices, but you agree that:
  - We are not responsible for the actions, breaches, or policies of third-party processors, providers, or model operators.
  - Transmission and storage of information over the internet may be subject to risks beyond our control.
  - You are solely responsible for reviewing, editing, fact-checking, and lawfully using all AI-generated content before any use, publication, or reliance.
  - Except where prohibited by law, our liability for any data incident, breach, unauthorized disclosure, or loss is strictly limited as set forth in our TOS; your sole and exclusive remedy is to cease using the Service and request deletion of your data.
- User Responsibilities:
  - Do not share your account, API key or password. Do not submit sensitive, regulated, or confidential third-party data without explicit right to do so.
  - Do not use the Service to process, store, or share any data subject to special regulation (e.g., protected health information, sensitive financial records, or special categories of personal information under GDPR) unless you are authorized and in compliance with all legal requirements.
10. Policy Changes & Notification
- Policy Updates:
  - This Privacy Policy may be updated periodically to reflect operational, legal, regulatory, or Service changes. The latest version will always be posted at /legal/privacy with the effective date indicated at the top.
  - If we make material changes (e.g., broader data use, new processors, new purposes), we will attempt to notify active users by email or prominent in-app notification as required by law.
  - Your continued use of the Service after changes constitutes consent to the new terms. If you do not agree, discontinue use and/or request account deletion.
11. Miscellaneous
- Ownership & Contact: MyContentHarbor is operated by Alpine Economics LLC.
- Applicable Law: This Policy and any use of the Service is governed by the laws of the State of Utah, United States.
- Contact & Questions: Direct privacy-related inquiries, access/deletion requests, or any questions to support@mycontentharbor.com or via the support portal. You may also reach us by mail at the address above.
- Supervisory Authority: If you believe your privacy rights have been violated, you may contact your local Data Protection Authority or regulatory body. However, we encourage you to contact us first for prompt resolution.
Operator: Alpine Economics LLC
Website: mycontentharbor.com
Email: support@mycontentharbor.com
Stripe: stripe.com/privacy
OpenAI: openai.com/policies/privacy-policy
Resend: resend.com/legal/privacy-policy
Cloudflare: cloudflare.com/privacypolicy