Privacy Policy

1. Introduction

Welcome to AskEveryone ("we," "our," or "us"). We are committed to protecting your privacy and being transparent about how we collect, use, and share your information. This Privacy Policy explains our data practices and your rights regarding your personal information.

By using AskEveryone, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: When you sign in via Google or Apple, we receive your email address, name, and profile picture from these providers.
• Response Content: The text responses you submit to weekly questions (10-5000 characters).
• Optional Demographics: Age range, country, and region (if you choose to provide them).
• Voice Recordings: If you use our voice response feature, we collect audio recordings and their transcriptions. You must explicitly consent to voice recording usage. Your voice may be used after audio manipulation in audio versions of our results as sample responses from real humans.
• Email Subscriptions: If you subscribe to our newsletter, we collect your email address, subscription preferences, and referral source.

2.2 Information Collected Automatically

• Rate Limiting Data: IP addresses are used temporarily in-memory for rate limiting to prevent spam. This data is never persisted to our database and is cleared after the question closes.
• Usage Data: Aggregate statistics about question views and response counts (not linked to individuals for public questions).
• Cookies: Session cookies to maintain your authentication state if you choose to sign in. See our Cookie Policy for details.

2.3 Information from Third Parties

• OAuth Providers: Google and Apple provide authentication information when you sign in.
• AI Services: We use AI services to analyze aggregate response content for sentiment and insights. Voice transcription is performed locally in your browser—your audio is not sent to third-party services for transcription.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve AskEveryone's question and response platform.
• Authentication: To verify your identity and manage your account.
• Spam Prevention: To detect and prevent duplicate or fraudulent responses using temporary in-memory rate limiting.
• Analytics: To generate aggregate statistics, sentiment analysis, and insights about responses (without identifying individual users publicly).
• Voice Transcription: To convert voice responses into text using in-browser transcription technology.
• Voice Presentation: To use your voice recordings, potentially after audio manipulation, in audio versions of our results as sample responses from real humans (with your consent).
• Email Communications: To send newsletters, question notifications, and service updates if you've subscribed.
• Legal Compliance: To comply with legal obligations, resolve disputes, and enforce our agreements.
• Research: To conduct research on public opinion trends while maintaining user privacy protections.

4. Response Anonymity

4.1 Public Questions (True Anonymity)

What this means for public questions:

• No Login Required: You can respond to public questions without signing in.
• No Identity Link: We do not store any connection between your response and your identity—not your user ID, IP address, or device fingerprint.
• Random Identifiers: Each response receives a random UUID that cannot be traced back to you.
• In-Memory Rate Limiting: IP addresses are used only temporarily in memory to prevent spam, then discarded. They are never stored in our database.
• Cannot Comply with Identification Requests: If compelled by legal process to identify who submitted a specific response, we cannot provide that information because it does not exist.

4.2 Creator Questions (Opt-in Tracking)

When responding to questions from creators (Asks), you have a choice:

• Respond Anonymously: Same protections as public questions—no link to your identity.
• Respond as Returning Audience: If you opt in, the creator can see that the same person answered multiple questions over time, but cannot see who you are. This helps creators understand how their audience's views evolve. This tracking is scoped per-creator—different creators cannot link your responses across their questions.

4.3 Limitations and Accepted Risks

• Self-Identification: If you include personally identifiable information in your response text, you may be identified by that content.
• Writing Style Analysis: Sophisticated analysis of writing patterns (stylometry) could theoretically be used to correlate responses with other public writing. This is a risk we accept—what you write is your choice.
• Voice Characteristics: If you submit a voice response with consent to use your voice, voice characteristics could potentially be recognizable.

5. Information Sharing and Disclosure

5.1 Service Providers

We share your information with third-party service providers who perform services on our behalf:

• Google Cloud SQL: Database hosting for response data (not linked to user identities for public questions).
• AI Services: AI-powered sentiment analysis and question generation. Note: Voice transcription is performed locally in your browser and is not sent to third-party services.
• Cloudflare: Bot protection (Turnstile) to prevent spam. Cloudflare Turnstile is privacy-focused and does not track users across sites.
• Resend: Email delivery service for newsletters, notifications, and transactional emails.
• Vercel: Hosting and deployment platform.
• Google/Apple: Authentication providers for OAuth sign-in (only used if you choose to sign in).

5.2 Aggregate Data

We may publicly share aggregate, anonymized statistics about responses (e.g., "75% of respondents said...") that do not identify individual users.

5.3 Legal Requirements

We may disclose information if required by law, court order, or governmental authority. However, for responses to public questions, we have no technical capability to identify who submitted any specific response—we cannot provide identification information because it does not exist in our systems.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change.

6. Data Retention

We retain your information for the following periods:

• Account Data: Retained while your account is active and for up to 90 days after account deletion.
• Responses: Retained indefinitely for historical analysis and research. Note: Anonymous responses to public questions cannot be deleted upon request because they are not linked to any identity—we have no way to identify which responses are yours. This is a feature of our principled anonymity design, not a limitation.
• Voice Recordings: Retained until transcribed and, if selected for audio results, until published. Original recordings are deleted within 30 days after their purpose is fulfilled, unless you request earlier deletion.
• Email Subscriber Data: Retained while you're subscribed and for up to 1 year after unsubscribing for compliance purposes.
• Analytics Data: Aggregate analytics retained indefinitely; individual event data deleted after 2 years.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to request a copy of the personal information we hold about you. Contact us at privacy@askeveryone.io to request your data export.

7.2 Correction and Update

You can update your profile information through your account settings or by contacting us.

7.3 Deletion

You can request deletion of your account and associated data by contacting us at privacy@askeveryone.io. Note that we may retain certain information as required by law or for legitimate business purposes.

7.4 Email Unsubscribe

You can unsubscribe from marketing emails by clicking the "Unsubscribe" link in any email or by managing your preferences in your account settings.

7.5 Do Not Sell My Personal Information (California Residents)

We do not sell your personal information as defined under the California Consumer Privacy Act (CCPA). California residents have additional rights under CCPA - see Section 9 below.

7.6 Opt-Out of Voice Recording

Voice recording is entirely optional. You can choose to submit text-only responses at any time.

8. Data Security

We implement reasonable security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

• Encryption of data in transit using HTTPS/TLS
• Encryption of data at rest in our database
• Row-level security policies to restrict data access
• OAuth 2.0 authentication instead of password storage
• Regular security audits and updates
• Limited employee access to personal data
• File size limits and validation for uploads

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. State Privacy Rights

9.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights:

• Right to Know: Request disclosure of personal information collected, used, and shared.
• Right to Delete: Request deletion of your personal information.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell).
• Right to Limit: Limit use of sensitive personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

9.2 Virginia, Colorado, Connecticut, and Utah Residents

Residents of these states have similar rights under their respective state privacy laws. Contact us to exercise these rights.

9.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at privacy@askeveryone.io. We will respond to your request within 45 days.

10. European Economic Area (EEA) and UK Residents (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR.

10.1 Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested (authentication, response submission).
• Legitimate Interests: Processing for spam prevention, security, and service improvement, where our interests do not override your rights.
• Consent: For voice recordings and optional email communications, which you may withdraw at any time.
• Legal Obligations: Processing required to comply with applicable laws.

10.2 Your GDPR Rights

Under the GDPR, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data ("right to be forgotten").
• Right to Restrict Processing: Request that we limit how we use your data.
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Right to Lodge a Complaint: File a complaint with your local data protection authority (supervisory authority).

10.3 International Data Transfers

Your data may be transferred to and processed in the United States by our service providers (Google Cloud, Vercel, Resend). These transfers are conducted using appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with our service providers
• Encryption of data in transit and at rest

10.4 How to Exercise Your Rights

To exercise your GDPR rights, contact us at privacy@askeveryone.io. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

10.5 Data Protection Officer

For GDPR-related inquiries, you may contact us at privacy@askeveryone.io.

11. Children's Privacy

The minimum age to use AskEveryone depends on where you live:

• United States: 13 years old
• European Union/EEA: 16 years old (or your country's age of digital consent, which ranges from 13-16)
• United Kingdom: 13 years old
• Other countries: The minimum age for digital services in your country, or 13, whichever is higher

We do not knowingly collect personal information from anyone under these age limits. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@askeveryone.io, and we will delete such information.

Users who meet the minimum age but are under 18 (or the age of majority in their country) must have parental consent to use our services.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your country.

Our service providers (Google Cloud, Resend, Vercel) may process data in the United States and other jurisdictions. By using AskEveryone, you consent to the transfer of your information to these locations. Note that voice transcription is performed locally in your browser and is not transferred to third-party services.

13. Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

We encourage you to review this Privacy Policy periodically. Your continued use of AskEveryone after changes are posted constitutes your acceptance of the updated policy.

15. Google OAuth Disclosure

AskEveryone's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

We only request the following scopes from Google:

• Email address
• Basic profile information (name, profile picture)

We use this information solely for authentication and will not use it for any other purpose without your explicit consent.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

17. Compliance Certifications

AskEveryone is committed to complying with applicable data protection regulations, including:

• General Data Protection Regulation (GDPR) and UK GDPR
• California Consumer Privacy Act (CCPA)
• Children's Online Privacy Protection Act (COPPA)
• CAN-SPAM Act
• Google Play Developer Policy
• Apple App Store Review Guidelines
• State privacy laws (Virginia, Colorado, Connecticut, Utah)