The PM Toolkit

Privacy Policy

Last updated: March 2026 · Effective immediately upon acceptance

Plain language summary: The PM Toolkit is a private workspace. Your project ideas, research, and generated content belong to you. We do not sell your data, use it to train AI models, or make it accessible to other users. You can delete your data at any time.

1. Introduction

The PM Toolkit ("we," "our," or "us") operates thepmtoolkit.app. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use our Service.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: When you register, we collect your name and email address via email/password sign-up or Google OAuth. If you sign in via Google, we receive your name, email address, and profile image from Google in accordance with Google's OAuth permissions.
  • Persona & Onboarding Data: During onboarding and in settings, you may provide your job title, years of experience, company name, industry, target customer type, and preferences. This information is used solely to personalize AI-generated outputs within your account.
  • Project Data: Project names, descriptions, research inputs, and AI-generated artifacts you create within the Service. This data is private to your account.
  • Payment Information: Payment details are collected and processed directly by Stripe, our payment processor. We do not store, see, or have access to your full credit card number. We receive only transaction confirmations and subscription status from Stripe.
  • Support Communications: If you contact us by email, we retain those communications to respond to your inquiry and improve our support.

2.2 Information Collected Automatically

  • Usage Data: We track feature usage, AI generation events, and approximate token consumption for billing accuracy, plan enforcement, and product improvement. We do not log the content of your AI generations for analytical purposes.
  • Authentication Data: Secure session tokens are used to maintain your signed-in state. Authentication is managed through Supabase and expires automatically.
  • Log Data: Our servers automatically record IP address, browser type, device type, and request timestamps for security monitoring, debugging, and abuse prevention. Log data is not linked to your project content.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing, operating, maintaining, and improving the Service
  • Personalizing AI-generated content based on your persona and project context
  • Processing payments, managing your subscription, and enforcing plan limits
  • Sending transactional emails related to your account (receipts, plan changes, security alerts) via Resend
  • Monitoring usage patterns at an aggregate level to improve product features
  • Detecting, investigating, and preventing fraudulent transactions, abuse, and security incidents
  • Complying with applicable legal obligations

We do not use your project data or generated content for advertising, profiling, or any purpose unrelated to delivering the Service to you.

4. AI Processing & Third-Party Providers

4.1 How AI Processing Works

When you generate AI content within the Service, relevant portions of your project data, persona context, and prompts are transmitted to third-party AI API providers to generate a response. The response is returned to your account and stored privately.

We transmit only the minimum information necessary for each generation request. We do not transmit your full account history, payment information, or unrelated project data to AI providers.

4.2 AI Training Policy

Your project inputs and generated content are not used to train AI models. We use the Anthropic and OpenAI APIs under data processing terms that prohibit your data from being used for model training by those providers. We do not opt in to any data sharing programs that would expose your content to AI training pipelines.

In plain terms: When you type an idea into The PM Toolkit, that idea is processed to generate your report — and that's it. It does not become part of any AI's future training data.

4.3 Third-Party AI Providers

We currently use the following AI providers. Each processes data under their respective API data use policies:

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We do not share your project data, ideas, or generated content with other users or third parties except as described below.

We may share information with:

  • Infrastructure & Service Providers: Stripe (payment processing), Supabase (database and authentication), Railway (backend hosting), Resend (transactional email), Anthropic and OpenAI (AI generation), and Serper (web search). Each provider is bound by data processing agreements and their own privacy policies.
  • Legal Requirements: When required by applicable law, regulation, valid legal process, or enforceable government request. We will notify you of such requests where legally permitted.
  • Safety & Security: To protect the rights, property, or safety of The PM Toolkit, our users, or the public — for example, to prevent fraud or respond to a security incident.
  • Business Transfers: In the event of a merger, acquisition, or sale of substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you prior to such a transfer and provide options where required by law.

We never: Sell your data to advertisers, share your project content with other users, use your data to target you with ads, or expose your ideas to competing products.

6. Data Security

We implement industry-standard technical and organizational security measures, including:

  • TLS/HTTPS encryption for all data transmitted between your browser and our servers
  • Encryption of data at rest within our database infrastructure
  • Row-level security (RLS) enforced at the database level, ensuring your data can only be accessed by your authenticated session
  • Secure, expiring session tokens for authentication — we do not use persistent plain-text credentials
  • Access controls limiting internal access to production data
  • Security headers including X-Content-Type-Options, X-Frame-Options, and Referrer-Policy

No method of transmission or storage is 100% secure. While we implement strong protections, we cannot guarantee absolute security. If you believe your account has been compromised, contact [email protected] immediately.

7. Data Retention and Deletion

7.1 Active Accounts

We retain your account information, persona data, and project data for as long as your account remains active and for a reasonable period thereafter to allow for account recovery. Usage logs are retained for up to 12 months for billing verification and security purposes.

7.2 Project Deletion

You may delete individual projects at any time from within your account. When you delete a project, all associated data — including project descriptions, research inputs, and generated artifacts — is permanently removed from our active systems. No recoverable copies are retained after deletion is confirmed.

7.3 Account Deletion

You may request full account deletion at any time by contacting [email protected]. Upon receiving your request, we will permanently delete your account, all associated project data, generated artifacts, persona information, and profile data within 30 days. This action is irreversible.

We may retain minimal records (such as transaction history) where required by applicable law or for legitimate fraud prevention purposes, for no longer than legally required.

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request permanent deletion of your personal information
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to certain types of processing of your personal information
  • Restriction: Request that we restrict processing of your data in certain circumstances

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.

If you are located in the European Economic Area (EEA), United Kingdom, or California, additional rights and protections may apply under GDPR, UK GDPR, or CCPA respectively.

9. Cookies and Tracking

We use only essential, strictly necessary cookies to maintain your authentication state. Specifically:

  • A single session cookie is set when you sign in, which maintains your authenticated session. This cookie is HTTP-only, uses SameSite protection, and expires automatically.
  • No advertising cookies are used.
  • No third-party tracking or analytics cookies are used.
  • No cross-site tracking is performed.

Because we use only essential cookies, cookie consent banners are not required. If this changes, we will update this policy and implement appropriate consent mechanisms.

10. Children's Privacy

The Service is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without verifiable parental consent, we will take steps to delete that information promptly.

If you believe a child under 16 has provided us with personal information, please contact [email protected].

11. International Data Transfers

The PM Toolkit is operated from the United States. Your data may be processed and stored in the United States or other countries where our service providers operate — including Supabase (US/EU), Anthropic (US), OpenAI (US), Stripe (US), and Railway (US).

By using the Service, you acknowledge that your data may be transferred to and processed in countries with different data protection laws than your jurisdiction. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses for EEA users) for international data transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:

  • We will notify you via email and/or in-app notification at least 14 days before the change takes effect
  • We will update the "Last updated" date at the top of this page
  • For significant changes affecting your rights, we may ask for your renewed consent

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

13. Contact

For privacy-related questions, data requests, or to exercise your rights under this policy, please contact us:

We aim to respond to all privacy inquiries within 5 business days and to complete data requests within 30 days.