Privacy policy
Personalize (personalize.run) is a service operated by Capital Thought, LLC, a Texas limited-liability company. References to "we," "us," or "our" in this policy mean Capital Thought, LLC unless otherwise stated. The Personalize service lets operators draft outbound email sequences and send them through their own Gmail account; recipients are people the operators are emailing. This policy describes what data we collect, why, where it lives, and how to make us delete it.
Plain language. No "we value your privacy" filler. If a sentence here is unclear, email dpo@capitalfactory.com and we will fix it.
1. Who operates Personalize
Personalize is operated by Capital Thought, LLC, a limited-liability company organized under the laws of the State of Texas. Capital Thought, LLC is the data controller for the personal data described in this policy and the contracting party for any operator who signs up at personalize.run.
Capital Thought, LLC is a separate legal entity from Capital Factory. Capital Factory is an early customer of Personalize, not its operator. Josh Baer is the founder of both entities; that relationship is disclosed here for completeness and is not a representation of joint operation.
2. Who this applies to
- Operators — people who sign up for an account at personalize.run, connect their Gmail, and send mail through us.
- Recipients — people whose email addresses an operator adds to a sequence so we can send them mail on the operator's behalf.
Operators are responsible for getting CAN-SPAM-compliant consent (or a qualifying business relationship) from their recipients before adding them. Capital Thought, LLC does not verify that consent itself; we enforce the downstream gates (one-click unsubscribe, suppression, footer with the operator's physical address).
3. What we collect from operators
- Email address. Used as your account identifier. We don't issue separate usernames.
- Gmail OAuth refresh token. Encrypted at rest in Cloudflare KV, scoped per operator. Used only at send time to mint a short-lived access token. You can revoke it from /settings/integrations or directly from your Google Account.
- Display name. What recipients see in the From field; defaults to your email local-part, editable.
- Physical mailing address. Required by CAN-SPAM; auto-injected into every tracked send's footer. You enter this during onboarding.
- Notification phone number (optional). E.164 format. Used only for approval-request iMessage / SMS fanout on launches above the human-approval tier.
- Stripe customer ID. Returned to us by Stripe on first checkout; used to look up subscription state. We don't store your card; Stripe does.
- IP address + user agent at consent moments (signup, OAuth grant, ToS acceptance, every approval header use). Retained on the audit-log row only.
- Audit log. Every action you take through the agent or web UI: which sequence, what action verb, timestamps, error codes. No email body content; no recipient PII beyond a recipient UUID.
4. What we collect from recipients
- Email address. Supplied by the operator who added you. Required to send you mail.
- Name and any template variables (e.g., company, role, custom merge fields). Supplied by the operator.
- Engagement events — opens (1×1 tracking pixel) and clicks (link rewrite). Tracking is opt-in per sequence; gov/mil domains are auto-opted-out and never tracked. Bot-shaped opens (Apple Mail Privacy Protection prefetches, scanner UAs) are filtered out before they hit your record.
- Unsubscribe state. If you unsubscribe via the one-click link or reply STOP, your address is added to the operator's suppression list (and, for hard-policy categories, the tenant-wide list).
If your address is in our system as a recipient and you want it removed, email dpo@capitalfactory.com from the address you want removed and we will delete it within 7 days. You don't need an account.
5. Gmail data we read
Personalize requests three Google OAuth scopes from operators. We list them by name so an OAuth reviewer can audit them against the live behavior:
- https://www.googleapis.com/auth/gmail.send — required for the product's core function. Every send is the result of an explicit operator action (a sequence launch, a manually-approved test, or a scheduled stage in a sequence the operator created and approved). We do not send mail you did not initiate.
- https://www.googleapis.com/auth/gmail.metadata — required for delivery-failure detection. Read-only, headers-only. We list messages matching from:mailer-daemon OR from:postmaster newer_than:7d, fetch RFC 822 headers (From, Subject, Date, In-Reply-To, References, Message-Id) via users.messages.get?format=metadata, parse the In-Reply-To / References headers to correlate the bounce back to a specific outbound send, and update our internal state. Same flow for FBL (Feedback Loop) complaint notifications.
- https://www.googleapis.com/auth/userinfo.email — required to identify the authenticated operator. We receive your verified email address and a Google-issued sub claim (used for re-auth). We do not request userinfo.profile, openid, or any other identity scope.
We do not read message bodies, attachments, or recipient lists from your inbox. The gmail.metadata scope returns headers only by design; the API itself rejects body and attachment requests under that scope. There is no code path in Personalize that asks Gmail for body content. ("We" here means Capital Thought, LLC, the operator of Personalize — see §1.)
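As an added illustration of the header-only flow described in §5 (and the §7 claim that bounce correlation needs nothing beyond headers), here is a Python sketch that is not Personalize's own code. It consumes messages in the JSON shape users.messages.get?format=metadata returns (no body, just payload.headers as name/value pairs), walks In-Reply-To first and then References, and accepts only Message-Ids the tenant itself stamped on an outbound send. The sends table, the notice JSON, the Message-Ids and the recipient UUIDs are all constructed sample data, and the Subject-based failure classification is an assumption, not the service's rule set.

```python
import re

# Constructed sample of outbound sends keyed by the Message-Id we stamped on them.
# In the service this would be a lookup against the sends table; ids are hypothetical.
OUTBOUND_SENDS = {
    "<seq42.s1.7f3a9c1e4d0b@personalize.run>": {
        "send_id": "send_0001",
        "recipient_uuid": "2f8b6c0e-9d31-4e7a-8a1f-0c5d2b7e9f10",
    },
    "<seq42.s1.b62e0d5a71c3@personalize.run>": {
        "send_id": "send_0002",
        "recipient_uuid": "9a4d1e77-3b2c-4f6e-b8d0-5e1c7a2f4b93",
    },
}

# Constructed notices in the shape users.messages.get(format="metadata") returns:
# the requested headers under payload.headers and nothing else.
NOTICES = [
    {   # Gmail hard bounce answering send_0001
        "id": "18f1a2b3c4d5e6f7",
        "payload": {"headers": [
            {"name": "From", "value": "Mail Delivery Subsystem <mailer-daemon@googlemail.com>"},
            {"name": "Subject", "value": "Delivery Status Notification (Failure)"},
            {"name": "Date", "value": "Tue, 04 Jun 2024 15:02:11 +0000"},
            {"name": "In-Reply-To", "value": "<seq42.s1.7f3a9c1e4d0b@personalize.run>"},
            {"name": "References", "value": "<seq42.s1.7f3a9c1e4d0b@personalize.run>"},
        ]},
    },
    {   # Temporary delay notice for send_0002: not a bounce, state must not change
        "id": "18f1a2b3c4d5e6f8",
        "payload": {"headers": [
            {"name": "From", "value": "Mail Delivery Subsystem <mailer-daemon@googlemail.com>"},
            {"name": "Subject", "value": "Delivery Status Notification (Delay)"},
            {"name": "In-Reply-To", "value": "<seq42.s1.b62e0d5a71c3@personalize.run>"},
        ]},
    },
    {   # Postmaster notice referencing a Message-Id we never issued: discard, don't guess
        "id": "18f1a2b3c4d5e6f9",
        "payload": {"headers": [
            {"name": "From", "value": "postmaster@mail.example.net"},
            {"name": "Subject", "value": "Undeliverable: quick intro"},
            {"name": "In-Reply-To", "value": "<seq42.s1.000000000000@personalize.run>"},
            {"name": "References", "value": "<x1@example.net> <seq42.s1.000000000000@personalize.run>"},
        ]},
    },
    {   # Human reply that is not a DSN sender: ignore even though it threads to a send
        "id": "18f1a2b3c4d5e6fa",
        "payload": {"headers": [
            {"name": "From", "value": "Alice Example <alice@example.com>"},
            {"name": "Subject", "value": "Re: quick intro"},
            {"name": "In-Reply-To", "value": "<seq42.s1.7f3a9c1e4d0b@personalize.run>"},
        ]},
    },
]

MSGID_RE = re.compile(r"<[^<>\s]+>")
DSN_SENDER_RE = re.compile(r"\b(mailer-daemon|postmaster)@", re.IGNORECASE)


def header_map(message):
    """Fold payload.headers [{name, value}, ...] into a dict keyed by lower-cased name."""
    return {h["name"].lower(): h["value"]
            for h in message.get("payload", {}).get("headers", [])}


def referenced_ids(hdrs):
    """Message-Ids named by In-Reply-To (checked first) and References, deduplicated."""
    ids = []
    for field in ("in-reply-to", "references"):
        for mid in MSGID_RE.findall(hdrs.get(field, "")):
            if mid not in ids:
                ids.append(mid)
    return ids


def classify(subject):
    """Failure type from the DSN Subject alone (assumed phrasing); unknown never bounces."""
    s = subject.lower()
    if "delay" in s:
        return "delay"
    if "failure" in s or "undeliver" in s or "returned" in s:
        return "failure"
    return "unknown"


def correlate(notices, sends):
    """Tie each DSN to the outbound send it answers. Returns (events, unmatched, ignored)."""
    events, unmatched, ignored = [], [], []
    for msg in notices:
        h = header_map(msg)
        if not DSN_SENDER_RE.search(h.get("from", "")):
            ignored.append(msg["id"])   # re-check the list query's sender filter locally
            continue
        # Trust only Message-Ids we generated; anything else is dropped, not guessed at.
        match = next((mid for mid in referenced_ids(h) if mid in sends), None)
        if match is None:
            unmatched.append(msg["id"])
            continue
        events.append({
            "notice_id": msg["id"],
            "send_id": sends[match]["send_id"],
            "recipient_uuid": sends[match]["recipient_uuid"],
            "kind": classify(h.get("subject", "")),
            "date": h.get("date", ""),
        })
    return events, unmatched, ignored


def next_recipient_state(current, kind):
    """Only a confirmed failure moves a recipient; delays and unknowns leave state alone."""
    return "bounced" if kind == "failure" else current


if __name__ == "__main__":
    found, missed, skipped = correlate(NOTICES, OUTBOUND_SENDS)
    for e in found:
        print(e["send_id"], e["kind"], "->", next_recipient_state("active", e["kind"]))
    print("unmatched:", missed, "ignored:", skipped)
```

Two checks matter for a practitioner here. A notice whose referenced Message-Id is not one the tenant issued is dropped rather than matched heuristically, because anyone can mail the operator a message with a forged From: mailer-daemon@ and a guessed In-Reply-To; that defence only holds if outbound Message-Ids carry an unguessable component. And a delay notice is not a bounce, so it must never move a recipient toward suppression.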
6. Google API Services User Data Policy compliance
Personalize is operated by Capital Thought, LLC. Personalize's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Concretely, that means Capital Thought, LLC uses Google user data only to provide and improve user-facing features visible in this app (sending email, detecting bounces, identifying the operator). We do not transfer Google user data to third parties except as necessary to provide or improve those features (e.g., the database that stores your audit log). We do not use Google user data for advertising. We do not allow humans to read it except (a) with your explicit consent, (b) for security or legal reasons, or (c) when the data has been aggregated and anonymized.
Capital Thought, LLC does not use the data we receive from Google APIs for AI or ML training, nor do we resell it to third parties.
7. Why we read Gmail metadata (and why not gmail.readonly)
We considered gmail.readonly and explicitly rejected it. gmail.readonly would let us read message bodies, attachments, and recipient lists — none of which Personalize needs. Bounce detection works from headers alone (the failure type, the original Message-Id we sent, and the timestamp are all in headers). Choosing gmail.metadata instead is a deliberate data-minimization decision, not a future expansion path. The product roadmap does not include any feature that would require body access.
8. Where data lives
- Database: Supabase, AWS region us-east-1 (Northern Virginia). Per-table row-level security; service-role keys held only by the Worker.
- Compute: Cloudflare Workers, deployed globally at the edge. Database queries route to us-east-1; ephemeral request state stays on the responding edge node.
- Encrypted secrets: Cloudflare KV (refresh tokens, encrypted at rest with libsodium secretbox under a per-operator key derived from a master KMS key).
- Backups: Supabase point-in-time recovery, encrypted at rest, retained per Supabase's standard policy.
The service is US-only at launch. EU data residency is not currently supported; if you are in the EU and that's a blocker for you, we'll tell you so before you sign up. See the Terms for the corresponding contractual commitment.
9. How long we keep data
- Operator account data: kept indefinitely while your account is active. On a deletion request, soft-deleted for 30 days (recoverable in case you change your mind), then hard-deleted by a daily cron.
- Recipient data: kept until the owning operator deletes the recipient or the sequence containing them. Suppression entries persist after deletion (Capital Thought, LLC has to remember not to email someone who unsubscribed).
- Audit log: retained 7 years. This is the legal record of who did what; we do not purge it on user request, but it never contains email body content or recipient PII beyond an opaque UUID.
- Bounce notifications: the bounce headers are read, used to update recipient state, and discarded. We don't keep copies of MAILER-DAEMON messages.
10. Deletion and export
- Export everything: GET /api/operator/export returns a JSON dump of every record tied to your account — sequences, recipients, sends, audit log, billing snapshots.
- Delete everything: POST /api/operator/delete begins the 30-day soft-delete window. During those 30 days you can sign back in and cancel; after, the cron hard-deletes. Capital Thought, LLC also deletes your Gmail refresh token immediately at the API layer and revokes it via https://oauth2.googleapis.com/revoke.
- Recipients (no account): if you're a recipient of a sequence and want your address removed, email dpo@capitalfactory.com from that address. Removed within 7 days. We don't require you to prove anything beyond control of the address.
11. Sub-processors
Capital Thought, LLC is the data controller. The vendors below are processors operating on our behalf under each vendor's Data Processing Addendum (DPA) or equivalent terms. Each receives the minimum data they need to do their job:
- Supabase — the database. Receives operator records, recipient records, audit log, suppression list.
- Cloudflare — Workers compute and KV. Receives every API request; KV holds encrypted Gmail refresh tokens.
- Stripe — billing. Receives your billing email, name, address, and card data (Stripe holds the card; we never see it).
- Postmark — transactional email from Capital Thought, LLC to operators (magic links, signup confirmations, billing receipts, deletion-window reminders). Does not send mail to your recipients — that goes through your own Gmail.
If we add or remove a sub-processor we'll update this list.
12. Cookies
One Supabase session cookie scoped to Domain=.personalize.run for keeping you signed in. That's it. No tracking cookies, no third-party analytics on the marketing page, no advertising pixels. The agent surface (/agents.md, /.well-known/mcp.json) is unauthenticated and sets no cookies at all.
13. State-law rights (California and others)
If you're a California resident, the CCPA gives you the right to know what data Capital Thought, LLC collects, request its deletion, and not be discriminated against for exercising those rights. The same goes for residents of states with similar laws (Colorado, Virginia, Connecticut, Utah, etc.) under their respective statutes.
We honor those rights uniformly — whether or not you're in a covered jurisdiction. Email dpo@capitalfactory.com with your request, or just hit the export and delete endpoints in §10 directly. Capital Thought, LLC will not retaliate against, charge differently, or deny service to anyone for exercising a privacy right.
14. Children
Personalize is not directed to anyone under 18. Capital Thought, LLC does not knowingly collect data from children. If you believe we have, email dpo@capitalfactory.com and we will delete it.
15. Changes to this policy
If Capital Thought, LLC changes this policy in a material way (new data we collect, new sub-processor, scope expansion), we will email every active account holder before the change takes effect. The Effective date and Last updated line at the top of this page get bumped on every revision; the version is also exposed programmatically for change-detection tooling.
16. Contact
Privacy requests, data-subject-access requests, deletion requests, or questions about this policy go to Capital Thought, LLC via:
- dpo@capitalfactory.com — canonical privacy alias for Capital Thought, LLC; the destination for every right under this policy.
- hello@capitalfactory.com — general support inbox; fallback if dpo@ is unavailable.
For EU data subjects: Capital Thought, LLC does not currently have an EU representative under Article 27 GDPR because the service is US-only at launch. If we begin offering EU data residency we will appoint one and update this section.