Privacy Policy
How AGGREGATE+ collects, uses, and protects your data. Written to be read — not hidden behind a footer link.
§ 1
The plain-English version
If you read one section, read this one.
AGGREGATE+ is a Creator Income Operating System. To run that for you, we store your account, your profile, your content, and — when Stripe is wired — the ledger of money moving between you, your subscribers, and your customers. Nothing more.
We don't sell your data. We don't rent it. We don't share it with advertisers. We don't build a secondary data market on top of your audience. The only parties who see your data are the sub-processors we need to run the service (payments, hosting, database, email), each listed by name below with a link to their policy.
You can export your data in a machine-readable format whenever you want, and you can delete your account at any time. The 1% of things we have to hold onto — financial records, audit trails around money movement — we hold onto for the legal minimum and nothing more.
§ 2
Who we are and how to reach us
AGGREGATE+ is operated by Brian Nuesi as an individual founder-operator (a legal entity is in formation; this section will be updated once incorporation is complete, and the controller designation will carry over without interrupting your rights under this policy).
You can reach us any time:
- Privacy requests: privacy@aggregates.plus
- General contact: hello@aggregates.plus
- Website: aggregates.plus
For users in the EU/EEA or UK: we do not have an Article 27 representative yet because AGGREGATE+ is early and US-operated. If that changes, we'll update this section before we begin systematically processing EU personal data at scale.
§ 3
What we collect
Only what we need to run your account, serve your money page, and move money safely.
Account
Email address, display name, and hashed credentials stored by Auth.js. If you sign in with Google, X (Twitter), or Apple (when those providers are wired), we store the provider account ID and the profile fields the provider returns (email, name, avatar URL) — never a password.
Profile
Handle, display name, bio, tagline, avatar URL, banner URL, accent colour, and social links. All of these are creator-controlled and publicly visible on your profile at aggregates.plus/@<handle> — that's the point of the product.
Wallet
When you use the Privy-managed embedded wallet, we store its public address. If you connect an external wallet via Sign-In-with-Ethereum (SIWE), we store that address and the signed nonce. We never see or store private keys — those stay with Privy or your own wallet.
Content
Everything you publish — posts, notes, ideas, drafts, and a per-save revision history so you can roll back work you accidentally destroyed. You own it all; we host it.
Commerce (Phase 4+)
When Stripe is wired: your Stripe customer ID, subscription state, and the tokenised payment-method identifiers Stripe returns to us. We never see full card numbers — Stripe is the PCI-scope party, and Stripe Checkout runs inside their own iframe with their own cookies.
Communications
Newsletter subscribers (email + the creator they opted into), optional tip notes (if a sender chooses to leave one), and an append-only audit log of every write to the database — who, when, what changed. The audit log is how we keep money movement honest.
Technical
IP address (rate limiting and abuse defence; typically retained only as long as needed for those purposes, then dropped from hot logs), user agent string (debugging), session cookies, CSRF tokens, and correlation request IDs.
Cookies
Auth.js session cookie (__Secure-authjs.session-token, HttpOnly + Secure), a CSRF token (__Host-authjs.csrf-token), and your theme preference. No third-party tracking cookies are set by AGGREGATE+ by default. See the Cookie Notice for the complete list.
§ 4
Why we collect it — legal bases
Under GDPR, every processing activity needs a lawful basis. Here are ours.
- Performance of contract. Running your account, serving your money page, processing subscriptions, tips, products, and bookings on your behalf. If we don't have this data, we can't deliver the service you signed up for.
- Legitimate interest. Platform security, fraud and abuse prevention, rate limiting, and the audit trail of who-did-what around money movement. We balance this against your rights every time we collect new data under this basis.
- Consent. Newsletter opt-ins to the creators you explicitly follow, and any analytics beyond what's strictly necessary. You can withdraw this consent at any time without affecting your account.
- Legal obligation. Tax records, payout reporting, dispute and chargeback history, and anti-money-laundering checks required of payments infrastructure. Where a legal obligation requires retention, we keep the minimum necessary for the minimum time required.
§ 5
Who we share it with
The sub-processors we depend on — each listed by name, with a link to their policy.
We don't sell your data. We don't rent it. We don't share it with advertisers, data brokers, or any secondary market. We do share data with the following service providers that we need to run the product. Each handles a narrow slice, and each is bound by a Data Processing Agreement where one is offered.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting, edge runtime, access logs | US / global |
| Prisma Data Platform | Primary database (Prisma Postgres) | US |
| Auth.js | Open-source authentication library — runs in our infrastructure, no third-party data flow | Self-hosted |
| Privy | Embedded wallet infrastructure (when used) | US |
| Stripe (Phase 4+) | Payment processing, KYC, Connect payouts (PCI scope) | US / global |
| OpenAI / Anthropic (Phase 3+) | AI completions for Studio — we send the prompt and a small context window, not your subscriber list or financial data | US |
| UploadThing (Phase 3+) | Cover image and asset storage | US |
| Resend / Postmark (Phase 6+) | Transactional + newsletter email delivery | US |
| Sentry (when configured) | Error monitoring and release health | US / EU |
We may also disclose data when compelled by valid legal process (subpoena, court order, warrant). We push back on overbroad requests, narrow the scope where we can, and — if law doesn't prohibit it — notify the affected user so they can seek their own counsel.
§ 6
International transfers
We operate from the United States. Some of our sub-processors are global. When your data moves across borders — for example, a European subscriber creating an account hosted on US-regional Vercel infrastructure — we rely on Standard Contractual Clauses (SCCs) and the additional safeguards adopted by each sub-processor where applicable (including the EU-US Data Privacy Framework where a processor participates).
If you'd like a copy of the specific transfer mechanism covering your data, email privacy@aggregates.plus.
§ 7
How long we keep it
- Account data: for the lifetime of your account, plus 30 days after you delete it (a soft-delete grace window in case you change your mind). After the grace window ends, account data is purged from the primary database.
- Audit logs: 7 years, once Stripe is wired and there are financial-record obligations in play. Audit-log entries never include passwords, card numbers, or private keys — just the metadata around mutations (actor, timestamp, entity, before/after hashes).
- Backups: rolling 90 days. Deleted data is removed from backups as they rotate out of the 90-day window.
- Anonymised analytics: aggregated, non-identifying counts (total active creators, total newsletter signups) may be retained indefinitely for product-health reporting.
- Email logs: delivery metadata (status, opens, bounces) for 12 months, retained by our email sub-processor and purged when you unsubscribe.
§ 8
Your rights
Under GDPR, CCPA/CPRA, and similar laws — you have them. Here's how to use them.
- Access. Request a copy of the personal data we hold about you.
- Rectification. Correct anything that's wrong. Most account fields you can edit yourself from your settings — for the ones you can't, email us.
- Erasure / deletion. Delete your account and your personal data. Caveat: audit-log entries and financial records we're legally required to keep cannot be erased within the statutory retention period, but we'll narrow them to the minimum data required.
- Portability. Export a machine-readable copy (JSON) of your profile, content, subscribers, and ledger activity — the stuff you brought with you and the stuff you built here.
- Object / restrict. Object to processing based on legitimate interest, or restrict processing while a dispute is being resolved.
- Withdraw consent. Where we process based on your consent (newsletters, optional analytics), you can withdraw it at any time without affecting your account.
- No discrimination (US residents). We won't charge you more, give you worse service, or deny you access for exercising your rights.
- Lodge a complaint. You have the right to complain to your local data-protection authority. In the EU, start with the supervisory authority where you live, work, or where the issue occurred. In the UK, that's the ICO.
To exercise any of these rights, email privacy@aggregates.plus from the address on your account. We respond within 30 days. If we need more time or information, we'll tell you why within that window.
§ 9
Children
AGGREGATE+ is for users aged 18 or older (or the age of majority in your jurisdiction, whichever is greater). We don't knowingly collect data from minors. If you believe a minor has created an account, email privacy@aggregates.plus and we'll delete the account and associated data without delay.
§ 10
Security
- Encryption in transit. TLS on every request. HSTS enforced.
- Encryption at rest. Postgres volumes are encrypted by the database provider. Secrets live in Vercel's encrypted environment store.
- Least privilege. Service credentials are scoped to the narrowest permission set that works. Production database access is limited.
- Audit logs. Every mutation that moves money or changes access is written to an append-only audit log. We can reconstruct who did what, when, from where.
- Rate limiting. On every public endpoint. Tighter limits on auth and payment paths.
- No password storage. Passwords are hashed with modern parameters; we never see or store them in plaintext.
No system is perfectly secure. What we promise is transparency when something goes wrong (see next section) and genuine effort on the controls within our reach.
§ 11
Breach notification
If we discover a security incident that compromises your personal data, we will notify affected users without undue delay — and, where the law requires it (GDPR art. 33/34, US state breach-notification statutes), within the statutory window. The notice will include what happened, what data was involved, what we've done, and what you can do.
We will not sit on bad news to make our quarter look cleaner. That's a promise worth more than the policy it's written in.
§ 12
Changes to this policy
We may update this policy when the product changes, a new sub-processor is added, or a law changes. When we do, we update the “Last updated” date at the top. If the change is material — something that meaningfully expands the data we collect, the basis for processing, or who we share it with — we'll give you at least 30 days' notice by email and via a dashboard banner before the change takes effect.
§ 13
Contact
Privacy questions, data-subject requests, or anything this policy doesn't answer: privacy@aggregates.plus.
Heads up: this policy is written for AGGREGATE+ in its current founder-operated form. It is not legal advice, and your own counsel should review it before you rely on it for an incorporated commercial launch. The governing-entity and dispute-resolution sections will be updated when the operating company is formed.