Privacy Policy
Last updated: May 10, 2026
1. Introduction
This Privacy Policy explains how Andy Lee (“we,” “us,” “Afferent”) collects, uses, and protects information when you visit afferental.com or use the Afferent productivity application (collectively, the “Service”).
By using the Service, you consent to the practices described in this policy.
2. Information We Collect
2.1 Information you provide
- Email address when you sign up for the newsletter or, in the future, create an account.
- Planner content you create within the Service — daily entries, journal entries, goals, schedules, habits, and similar data.
- Communications you send us via email at afferent.contact@gmail.com.
2.2 Information collected automatically
- IP address for rate limiting (stored briefly via Upstash Redis with a 60-second TTL).
- Server logs — basic request data including timestamp, page accessed, and user-agent (handled by Vercel).
- Aggregate analytics via Vercel Web Analytics — privacy-friendly, no third-party cookies, collects pageviews and referrers but not personally identifiable information.
2.3 Information from third parties
We do not currently purchase or receive personal data from third parties.
3. How We Use Your Information
We use the information we collect to:
- Operate the Service — display your planner data back to you, store entries, sync across devices once authentication is enabled.
- Send transactional email — newsletter welcome, future password reset, account notifications via Resend.
- Send the newsletter — only to addresses that explicitly subscribed. You may unsubscribe at any time using the link in any newsletter email or by emailing afferent.contact@gmail.com.
- Prevent abuse — IP-based rate limiting on form submissions.
- Improve the Service — aggregate analytics on which pages are visited.
- AI Features (when offered, opt-in only) — process journal and planner content through third-party AI providers solely to provide AI Features to you.
We do not:
- Sell or rent your personal information to anyone.
- Show third-party advertising.
- Use your User Content to train AI models without your explicit, separate consent.
4. Third-Party Processors (Subprocessors)
We rely on the following providers. Each has access only to the data necessary to perform its function:
| Provider | Purpose | Data |
|---|---|---|
| Supabase | Database & (future) authentication | Email, planner data, account metadata |
| Resend | Transactional & newsletter email | Email address, message content |
| Upstash | Rate-limiting | IP address (60-second TTL) |
| Vercel | Hosting + Web Analytics | Server logs, aggregate pageview data |
| (Future) OpenAI / Anthropic | AI Features | Journal/planner content (opt-in, Elite tier) |
Each subprocessor maintains its own privacy policy. Your use of the Service is also subject to those policies.
5. Data Retention
- Newsletter subscribers: retained until you unsubscribe.
- Account data and User Content (when accounts launch): retained while your account is active. After deletion, primary records are removed within 30 days; encrypted backups may persist up to 90 days before being permanently overwritten.
- Rate-limit data: discarded automatically after 60 seconds (Redis TTL).
- Server logs: typically retained 30 days.
- Aggregate analytics: retained indefinitely in non-identifiable form.
You may request deletion of your data at any time at afferent.contact@gmail.com.
6. Cookies and Local Storage
The Service uses browser localStorage to save your planner data on your device. This is essential for the Service to function and is not shared with any third party.
We do not use third-party advertising cookies, tracking pixels, or fingerprinting.
When authentication launches, we will use a small number of essential session cookies to keep you logged in. We will update this policy at that time.
Vercel Web Analytics is cookieless.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — request a copy of the data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your data, subject to legal retention requirements.
- Export — request a portable copy of your data.
- Objection / Restriction — object to or restrict certain processing.
- Withdrawal of consent — withdraw consent for processing where consent is the legal basis (e.g., newsletter, AI Features).
- Lodge a complaint — file a complaint with your local data protection authority.
To exercise any of these rights, email afferent.contact@gmail.com. We will respond within 30 days.
California (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act, including the right to know what categories of personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.
European Economic Area, UK, Switzerland (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, our legal bases for processing your personal data include:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to operate, secure, and improve the Service.
- Consent — for newsletter signups and AI Features.
- Legal obligation — where required by applicable law.
You may withdraw consent at any time without affecting the lawfulness of prior processing.
8. International Data Transfers
The Service is operated from the United States. Our subprocessors (Supabase, Resend, Upstash, Vercel) primarily store data in the US.
If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.
We rely on standard contractual clauses or equivalent safeguards where required by applicable law.
9. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- Encryption of data in transit using TLS/HTTPS.
- Access controls on personal data with the principle of least privilege.
- Server-side handling of authentication credentials.
- Abuse prevention on public endpoints.
We intentionally do not publish detailed implementation specifics. No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the appropriate authorities as required by applicable law.
10. Children’s Privacy
The Service is not directed to children under 13 (or 16 in the EEA where applicable). We do not knowingly collect personal information from children under those ages. If you believe we have, contact us immediately at afferent.contact@gmail.com so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced by updating the “Last updated” date and, where appropriate, by email or in-app notice. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
Questions about your privacy or this policy? Email afferent.contact@gmail.com.
— Andy Lee, Afferent