Privacy Policy

1. Information we collect

Information you provide

• Account & identity. When you sign up we receive your email address and a user identifier from our authentication provider, Auth0. We do not collect or store your password — Auth0 handles authentication.
• Content you submit. Business ideas, product descriptions, target-audience and market details, custom persona descriptions and uploads, resume text you provide for idea discovery (we extract skills and do not retain the uploaded file), what-if scenarios, and messages you send when interviewing simulated personas.
• Survey responses. Optional post-launch outcome feedback (e.g. whether you launched, sign-up ranges, and free-text comments).
• Payment information. When you buy credits, our payment processor (Stripe) handles your card details. We do not see or store full card numbers; we retain a Stripe customer identifier and your credit transaction history.

Information collected automatically

• Usage & account state. Your tier, credit balance and ledger, simulation counts and configuration, and timestamps needed to operate the Service.
• Authentication cookie. A secure, HTTP-only session cookie set by Auth0 to keep you signed in.
• Conversion-measurement cookie. We use Google Tag Manager to load a Google Ads tag that measures conversions (for example, account sign-ups) so we can tell whether our advertising works. It sets a cookie and sends Google a pseudonymous cookie/device identifier — not your name or the idea content you submit. We use Google solely as a service provider for this measurement: ad personalization and remarketing are disabled and Google’s Restricted Data Processing is enabled, so this data is not used to track you across other websites and is not sold or shared. You can block it with your browser’s cookie controls.

Information from third parties

To “ground” simulations and idea discovery, we retrieve publicly available discussion content (for example from Reddit, Hacker News, and Stack Exchange) and public web search results based on keywords derived from your idea. This material is public and used to inform your reports; you can turn grounded personas off in Settings.

2. How we use information

• Provide, operate, and improve the Service and generate your reports.
• Run simulations, which requires sending your idea content to our AI provider.
• Process credit purchases and maintain your balance.
• Send transactional and service email (e.g. welcome, “report ready,” and optional outcome follow-ups you can opt out of).
• Maintain security, prevent abuse, and meet legal obligations.
• Analyze aggregate, de-identified outcomes to improve our prediction accuracy.

3. How we share information

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising (as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA). We have not sold or shared personal information in the preceding 12 months. Our Google Ads conversion measurement (Section 1) runs with remarketing and ad personalization disabled and Restricted Data Processing enabled, so Google acts as a service provider on our behalf rather than receiving the data for its own advertising.

We share information only with service providers that process it on our behalf to run the Service, under contracts that limit their use of it:

We may also disclose information to comply with law or legal process, to protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with notice where required).

4. AI processing of your content

Running a simulation sends your idea and related content to our AI provider (OpenAI) to generate personas, reactions, and reports. We send this content under our service agreement for the purpose of providing the Service. Reports are AI-generated predictions, not guarantees — see our Terms of Service.

5. Public links you create

If you create a shareable report link, or respond via a post-launch outcome email link, those links are accessible to anyone who has the URL without signing in. Only share them with people you trust. You can revoke a report share link at any time.

6. Data retention

We keep your account information and content for as long as your account is active. When you delete your account, we delete the associated data from our databases, and we make a best-effort purge of related files (report PDFs, persona images, and simulation state) from object storage. Some operational records are kept only briefly (for example, request de-duplication keys are deleted within about 24 hours). We may retain limited records where required for legal, accounting, or fraud-prevention purposes, and de-identified or aggregated data that can no longer reasonably identify you.

7. Security

We use reputable infrastructure providers and access controls to protect your information. Authentication is delegated to Auth0 and payment card data is handled by Stripe. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Your privacy rights

Depending on where you live (including California residents under the CCPA/CPRA), you may have the right to:

• Know / access the personal information we hold about you and how we use and disclose it.
• Delete your personal information. You can delete your entire account self-serve from Settings → Delete account, or email us for help.
• Correct inaccurate personal information.
• Opt out of sale/sharing — not applicable, because we do not sell or share personal information.
• Non-discrimination for exercising your rights.

To exercise these rights, use the in-app controls or email thequandary@corralimited.com. We will verify your request using your account email and respond within the timeframe required by law (generally 45 days). You may use an authorized agent to submit a request on your behalf where permitted.

Categories collected (CCPA). In the past 12 months we have collected the following categories of personal information: identifiers (e.g. email, account ID); commercial information (e.g. purchases, credit balance); internet or other electronic network activity (usage related to operating the Service); professional or employment-related information (e.g. resume details you provide for idea discovery); and other content you choose to submit (which may include images you upload). The categories of sources are you, your activity within the Service, and publicly available sources. We collect this information for the business purposes described above and disclose it only to the categories of third parties (service providers) listed in Section 3. We do not collect “sensitive personal information” as defined by the CPRA, and we do not use automated decision-making technology to make decisions that produce legal or similarly significant effects about you.

9. Children

The Service is not directed to children under 13 (or under 16 where applicable), and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.

10. U.S.-based processing

We operate in the United States and our service providers are primarily U.S.-based. If you access the Service from outside the U.S., you understand your information will be processed in the United States.

11. Changes to this policy

We may update this policy from time to time. We will change the “Last updated” date above and, for material changes, provide additional notice where required.

12. Contact us

Questions or requests? Email Corra LLC at thequandary@corralimited.com.