Privacy Policy

Last updated: 2026-04-29 Effective: Upon publication

1. Overview

This Privacy Policy describes how hiTessera ("hiTessera," "the Site," "we," "us," or "our"), operated by Nikita Verkhozin (the "Operator"), collects, uses, and protects your personal information. By using the Site at hitessera.app, you consent to the practices described in this Policy.

2. What we collect

Information you provide

• Email address when you join the early-access waitlist.
• Reply content if you respond to our welcome email or other communications.

Information collected automatically

• IP address (used for rate-limiting protection against form abuse; not stored long-term in association with your email).
• UTM parameters and referrer information (where you came from — e.g., ?utm_source=newtubers).
• Page-view analytics via Vercel Analytics (aggregated, anonymized — no personally identifying tracking).

Information we do NOT collect

• We do not load Meta Pixel, TikTok Pixel, Google Ads remarketing, Snap Pixel, or any other ad-tech tracking on the Site.
• We do not collect mental-health data, mood data, journal entries, biometric data, location data, or any sensitive health information through this waitlist site.
• We do not collect information from anyone we know to be under 18.

3. How we use your information

• To send you the welcome email confirming your waitlist signup
• To send you future product updates about hiTessera (no more than one email every 2 weeks during the waitlist period)
• To respond to your replies if you write back
• To analyze aggregate signup patterns (which channels, which days, which sub-niches) to inform whether to build the product
• To prevent abuse of the signup form (rate limiting, duplicate detection)

We do not use your information to target ads, train machine-learning models, or for any purpose unrelated to building the future hiTessera product.

4. How we protect your information

• All data transmission uses HTTPS encryption (TLS 1.2+)
• Email addresses are stored in encrypted-at-rest Postgres (Neon)
• Access to subscriber data is limited to the Operator
• We do not sell, rent, or trade your personal information to third parties

5. Subprocessors

The Site relies on the following third-party services to operate. Each is contractually bound to data-protection obligations.

• Vercel — hosting and serverless function execution
• Neon — Postgres database storage
• Resend — transactional email delivery
• Cloudflare — DNS and registrar
• Upstash — Redis-based rate limiting
• Vercel Analytics — aggregated, anonymized page-view counting

We do not use Google Analytics, Mixpanel, Amplitude, PostHog, or any other ad-tech / behavioral analytics service.

6. Your rights

Regardless of where you live, you have the following rights regarding your data:

• Right to access: request a copy of the data we hold about you
• Right to delete: request deletion of your data at any time
• Right to correct: request correction of inaccurate data
• Right to unsubscribe: unsubscribe from email communications via the link in any email we send

To exercise any of these rights, email nikita@hitessera.app. We will respond within 30 days.

California residents

Under the California Consumer Privacy Act (CCPA) and California's Confidentiality of Medical Information Act (CMIA), California residents have additional rights including the right to know what personal information has been collected, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.

European Union / European Economic Area residents

The Site is currently not available to EU/EEA residents pending implementation of GDPR-compliant consent infrastructure. If you have submitted information from the EU/EEA, please email nikita@hitessera.app to have your data deleted.

7. Data retention

• Email addresses and signup data are retained until you request deletion or until 24 months after the last interaction, whichever comes first
• Reply content is retained until you request deletion or until the project concludes
• IP addresses for rate-limiting are retained for 24 hours and then discarded
• Aggregated analytics (anonymized page-view counts) are retained per Vercel Analytics defaults (currently 1 month)

8. Crisis disclosures

If you reply to our communications with content suggesting a mental-health crisis, the Operator will respond with crisis-resource information (988, Crisis Text Line, The Trevor Project, 911) per the protocol in .planning/CLINICAL-LIABILITY.md. The Operator is not a clinician and will not provide clinical guidance. Crisis communications and the Operator's response are documented for safety and legal-compliance purposes; they are not shared with any third party except as required by law.

The Site is not a medical device or substitute for professional mental-health care. If you are in crisis, please contact 988, text HOME to 741741, or call your local emergency services.

9. Children's privacy

The Site is not intended for use by anyone under 18. We do not knowingly collect personal information from individuals under 18. If you believe a minor has submitted information, please email nikita@hitessera.app and we will delete it.

10. Cookies

The Site uses minimal first-party cookies for essential functionality (e.g., rate-limiting, basic session state if applicable). The Site does not use third-party advertising cookies, behavioral tracking cookies, or remarketing pixels. If we add any tracking cookies in the future, we will update this Policy and obtain consent where required.

11. International transfers

If you are located outside the United States, your information may be processed in the United States. The U.S. has different data-protection laws than other jurisdictions. By using the Site, you consent to this transfer.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and a notice on the Site. Your continued use after changes constitutes acceptance of the updated Policy.

13. Contact

Questions, data requests, or privacy concerns: nikita@hitessera.app

*Drafted from publicly observable privacy-policy patterns of Daylio, Stoic, and Wysa, plus CCPA/CMIA/GDPR baseline requirements. This is not a substitute for review by a licensed attorney; engage counsel before launching any paid product or accepting any user product data beyond email address. See .planning/CLINICAL-LIABILITY.md for the full clinical-liability framework.*