P3ak Privacy Policy
Last Updated: 11 July 2025
Table of Contents
- Introduction
- Definitions
- Scope & Applicability
- Categories of Personal Data We Collect
- Sources of Personal Data
- Legal Bases for Processing (GDPR & POPIA)
- How We Use Personal Data
- Automated Processing & AI‑Generated Content
- Cookies & Similar Technologies
- Sharing & Disclosure of Personal Data
- International Data Transfers
- Data Retention & Deletion
- Security Measures
- Your Rights & Choices
- Children’s Privacy
- Third‑Party Services & Links
- Changes to This Policy
- Contact Us
- Effective Date
1. Introduction
P3ak ("P3ak", "we", "us", or "our") operates mybusinessdraft.com (the "Platform"), an AI‑powered service that converts user business ideas into comprehensive business plans. Protecting your privacy is fundamental to our mission. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you interact with the Platform, and outlines your rights under applicable laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), South Africa’s Protection of Personal Information Act (POPIA), and other worldwide data‑protection regulations.
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Definitions
Term | Meaning |
---|---|
“Personal Data” | Information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, to a natural person. |
“Processing” | Any operation performed on Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, or deletion. |
“Controller” | The natural or legal person that determines the purposes and means of the Processing of Personal Data (P3ak for purposes of this Policy). |
“Processor” | A third party that Processes Personal Data on behalf of the Controller. |
“Anonymous ID” | A unique, randomly generated identifier stored in cookies or local storage to track anonymous users. |
3. Scope & Applicability
This Policy applies to all visitors, anonymous users, registered users, purchasers of credits, and administrators who access or use the Platform, as well as to all related services, communications, and interactions with P3ak.
4. Categories of Personal Data We Collect
Category | Examples | Purpose |
---|---|---|
Account Data | Name, email address, password hash, Google OAuth ID, profile image, verification tokens, role | Account creation, authentication, account recovery |
Business Plan Data | Business idea, questionnaire answers, generated plan content, plan versions | Service provisioning, plan storage, content regeneration |
Commerce Data | Paddle transaction IDs, status, amount, currency, quantity, customer email | Payment processing, fraud prevention, accounting |
Usage Data | IP address, browser type, device information, cookies, page interactions, UUID‑based anonymous ID | Service analytics, performance monitoring, abuse detection |
Session Data | JWTs (JSON Web Tokens), session expiry, refresh timestamps | Authentication, security, session management |
Feedback Data | Comments, ratings, support queries | Product improvement, customer support |
Generated Content Metadata | AI model name, prompt templates, country code | Localization, quality assurance |
Financial Projections & Charts | Generated financial data, visualizations | Document export, user analytics |
Special Categories of Data. The Platform is not intended to collect sensitive personal data (e.g., health information, political opinions). Users should refrain from submitting such information.
5. Sources of Personal Data
- Directly from You: Information you provide through forms, questionnaires, or uploads.
- Automatically Collected: Data captured via cookies, local storage, browser logs, and Vercel Analytics.
- Third‑Party Services: Data received from payment processor Paddle, authentication provider Supabase (Google OAuth), and file‑storage provider UploadThing.
6. Legal Bases for Processing (GDPR & POPIA)
We rely on the following legal bases:
- Contractual Necessity – To provide the services you request (e.g., generating a business plan, processing a credit purchase).
- Legitimate Interests – To improve the Platform, ensure security, and prevent fraud. We balance these interests against your rights.
- Consent – For optional cookies, marketing communications, and when linking anonymous data to a registered account. You may withdraw consent at any time.
- Compliance with Legal Obligations – To meet tax, accounting, and regulatory requirements.
- Vital Interests or Public Task – Rarely, to protect the vital interests of users or comply with law‑enforcement requests.
7. How We Use Personal Data
- Service Delivery: Creating and storing business plans; allowing edits, exports, and sharing.
- Payment Processing: Managing credit purchases and assigning credits.
- AI Processing: Sending questionnaire answers to our FastAPI backend for AI generation of plan content.
- Product Improvement: Analyzing aggregated usage to refine prompts and questionnaires.
- Security & Abuse Prevention: Detecting fraud, spam, and unauthorized access.
- Communications: Sending transactional emails (verification, receipts, credit usage) and responding to support requests.
- Legal Compliance: Maintaining records for auditing and tax authorities.
We do not sell Personal Data and do not use it for automated decision‑making with legal or similarly significant effects without your explicit consent.
8. Automated Processing & AI‑Generated Content
When you request plan generation, your inputs are transmitted to an AI model hosted by P3ak or trusted sub‑processors. The model automatically generates narrative text and financial projections, which are stored in our database and displayed to you. We monitor model outputs to improve accuracy but do not use your plan content for unrelated advertising or profiling.
9. Cookies & Similar Technologies
We use:
- Essential Cookies (e.g., anonymous_id, NextAuth session cookies) – Required for Platform functionality.
- Analytics Cookies (Vercel Analytics) – Help us understand usage patterns; set only with your consent where required.
- Functional Cookies – Remember choices (e.g., language, country selection).
Cookie consent banners are presented to EEA, UK, and South African visitors in compliance with the GDPR, the ePrivacy Directive, and POPIA. You can adjust your preferences in the Cookie Settings panel or via your browser.
10. Sharing & Disclosure of Personal Data
We share Personal Data only with:
Recipient | Role | Safeguards |
---|---|---|
Supabase, Inc. | Authentication & Database Processor | SCCs; ISO 27001 certified |
Paddle.com Market Ltd. | Payment Processor | PCI‑DSS compliance; SCCs |
UploadThing LLC | File Storage Processor | Encrypted transport & storage |
Vercel Inc. | Hosting & Analytics Processor | SCCs; ISO 27001 |
FastAPI Hosted Service | AI Processing Sub‑processor | Encrypted transport; contractual data‑processing agreement |
Governmental or Law‑Enforcement Authorities | Legal Compliance | Disclosed only pursuant to valid legal request |
We require all processors to sign Data Processing Agreements (DPAs) that include confidentiality, security, and international transfer clauses.
11. International Data Transfers
P3ak is headquartered in South Africa but utilizes infrastructure in the United States and the European Economic Area. When transferring Personal Data across borders, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Addendum for UK users.
- POPIA Sections 72(1)(d) & (2) transfer mechanisms.
- Adequacy decisions where applicable.
12. Data Retention & Deletion
Data Category | Retention Period |
---|---|
Account Data | While account is active + 6 years for tax/legal purposes |
Business Plans | Until user deletes plan or closes account; backups retained 30 days |
Commerce Data | 7 years (statutory accounting) |
Usage Logs | 12 months (aggregated thereafter) |
Anonymous IDs | 12 months unless renewed by new session |
You may delete individual plans or close your account at any time from the dashboard. Upon verified request, we will permanently erase or anonymize Personal Data, subject to statutory retention obligations.
13. Security Measures
- Encryption in transit (TLS 1.3) and at rest (AES‑256).
- Role‑based Access Control and least‑privilege permissions.
- Continuous Monitoring using Vercel and Supabase security alerts.
- Automatic Backups with tested restoration procedures.
- Vulnerability Management with routine penetration testing.
- Incident Response Plan with a commitment to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (GDPR Art. 33), and to notify the Information Regulator and affected data subjects as soon as reasonably possible after discovery of a compromise (POPIA s.22).
14. Your Rights & Choices
Depending on your jurisdiction, you may have the right to:
Right | GDPR | CCPA/CPRA | POPIA | How to Exercise |
---|---|---|---|---|
Access | ✓ | ✓ | ✓ | Email privacy@mybusinessdraft.com |
Rectification | ✓ | — | ✓ | Account settings or email support |
Deletion | ✓ (Erasure) | ✓ (Deletion) | ✓ (Deletion or destruction) | Dashboard deletion tools or email |
Data Portability | ✓ | ✓ | ✓ | Export button in dashboard |
Restrict Processing | ✓ | — | ✓ | Email request |
Object / Opt‑Out | ✓ | ✓ (Opt‑Out) | ✓ | Cookie banner / email |
Automated Decision Review | ✓ | — | ✓ | Email request |
Lodge Complaint | ✓ (Supervisory Authority) | — | ✓ (Regulator) | Contact local authority |
We will verify your identity before fulfilling requests and respond within one month (GDPR) or 45 days (CCPA).
15. Children’s Privacy
The Platform is not directed at children under 16 (or lower age permitted by local law). We do not knowingly collect Personal Data from minors. If you believe a child has provided us with Personal Data, please contact us, and we will delete it immediately.
16. Third‑Party Services & Links
Our Platform may contain links to third‑party sites or plugins. P3ak is not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any Personal Data.
17. Changes to This Policy
We may update this Privacy Policy to reflect changes in law, technology, or our practices. We will post the revised Policy with a new “Last Updated” date and, where required, seek your consent for material changes.
18. Contact Us
For questions, requests, or complaints regarding this Privacy Policy or our privacy practices, contact:
Data Protection Officer
P3ak (Reg. No. [insert])
Email: privacy@mybusinessdraft.com
Postal: 123 Innovation Drive, Cape Town, 8000, South Africa.
19. Effective Date
This Policy is effective as of 11 July 2025 and supersedes all prior versions.
Self‑Audit & Assumptions
- Assumptions Made
- Paddle, Supabase, UploadThing, Vercel, and FastAPI hosts are GDPR‑compliant and provide SCCs.
- Cookie consent banner and preference center will be implemented before launch.
- Data Protection Officer contact details are placeholders pending client confirmation.
- Missing Information
- Legal entity registration number for P3ak.
- Precise on‑premises vs. cloud hosting regions for FastAPI backend.
- Whether marketing emails beyond transactional will be sent.
- Recommended Legal Review
- Verify SCCs and transfer mechanisms with each sub‑processor.
- Confirm POPIA Information Officer appointment and registration with the Information Regulator.
- Conduct Data Protection Impact Assessment (DPIA) for AI processing.