Privacy Policy

Last Updated: December 9, 2025

Privacy at a Glance

Your privacy matters to us. Here's what you need to know:

• What We Collect: Email, company info, automation details, payment info, tool credentials
• Why We Collect It: To build your automation, process payment, provide support
• Who We Share With: Stripe (payment), Hetzner (hosting), service providers only
• Your Rights: Access, correction, deletion, opt-out of marketing (GDPR/CCPA compliant)
• Data Security: Encrypted storage, secure transmission, limited access
• Retention: Active subscriptions duration, 30 days after termination, financial records 7-10 years

1. Introduction

Automation Elves is a holiday campaign operated by Zero to MVP. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use automationelves.com and our services.

We are committed to transparency and compliance with applicable data protection laws, including:

• GDPR (General Data Protection Regulation) for users in the European Union
• CCPA (California Consumer Privacy Act) for California residents
• PIPEDA (Personal Information Protection and Electronic Documents Act) for Canadian users

By using our service, you consent to the data practices described in this policy.

2. Information We Collect

2.1. Information You Provide Directly

When you submit a request through automationelves.com, you provide:

• Contact Information: Email address
• Company Information: Company name, business description
• Automation Request: Description of the automation you want, tools involved
• Referral Source: How you heard about us (optional)
• Showcase Preferences: Whether we can share your automation anonymously or with your company name

2.2. Payment Information

Payment processing is handled by Stripe. We collect:

• Payment Method: Last 4 digits of card, expiration date, card brand (stored by Stripe)
• Billing Information: Billing address (if provided)
• Transaction Records: Payment amount, date, authorization status

We do NOT store your full credit card number, CVV, or raw payment card data. Stripe handles all sensitive payment information and is PCI DSS compliant.

2.3. Tool Access Credentials

To build your automation, you provide access to third-party tools, which may include:

• API Keys and Tokens: For services like Slack, Shopify, Stripe, HubSpot, etc.
• OAuth Credentials: Access tokens granted through OAuth flows
• Service Account Details: Usernames, passwords, or service account keys (less common)

These credentials are encrypted at rest in our database (RavenDB) and transmitted over secure HTTPS connections.

2.4. Automatically Collected Information

When you visit automationelves.com, we automatically collect:

• Device Information: Browser type, operating system, device type
• Usage Data: Pages visited, time spent on site, referring URL
• IP Address: For security, fraud prevention, and approximate geolocation
• Cookies and Tracking: See Section 10 for details

2.5. Automation Execution Data

When your automation runs, we log:

• Execution Metadata: Trigger events, action results, timestamps
• Error Logs: Stack traces, error messages (sanitized to remove sensitive data)
• Performance Metrics: Execution time, API latency

We do NOT log the full content of data passing through your automation (e.g., customer names, email bodies) unless necessary for debugging, and such logs are deleted within 30 days.

3. How We Use Your Information

3.1. Primary Purposes

We use your information to:

• Provide the Service: Build, deploy, monitor your automation
• Process Payments: Authorize and capture payments via Stripe
• Communicate with You: Send confirmation emails, status updates, preview links
• Customer Support: Respond to questions, troubleshoot issues
• Deliver Your Automation: Connect to your tools, execute workflows

3.2. Legal Basis for Processing (GDPR)

For EU users, we process your data under the following legal bases:

• Contractual Necessity: To fulfill our agreement with you (build your automation)
• Legitimate Interest: Fraud prevention, security, service improvement
• Consent: Marketing communications (you can opt out)
• Legal Obligation: Tax records, fraud prevention, law enforcement requests

3.3. Secondary Purposes

With your consent or where permitted by law, we may also use your information for:

• Marketing: Send you information about TaskForce or future campaigns (you can opt out)
• Analytics: Understand how our website is used, improve user experience
• Public Dashboard: Display anonymized automation summaries (if you consented)
• Case Studies: Feature your story (only with explicit opt-in and approval)

4. How We Share Your Information

4.1. Service Providers

We share your information with trusted third-party service providers who help us operate:

(a) Infrastructure and Hosting:

Hetzner Online GmbH (Germany)

• Purpose: Cloud infrastructure, server hosting, data storage
• Data Processed: All customer data stored on our infrastructure
• Location: European Union (Germany)
• Safeguards: GDPR-compliant, ISO 27001 certified
• Privacy Policy: https://www.hetzner.com/legal/privacy-policy

(b) Error Monitoring and Performance:

Sentry (Functional Software, Inc.) - United States

• Purpose: Error tracking, performance monitoring, debugging
• Data Processed: Error logs, stack traces, limited metadata
• Privacy Policy: https://sentry.io/privacy/

(c) Payment Processing:

Stripe, Inc. - Ireland/United States

• Purpose: Payment processing, subscription management, invoicing
• Data Processed: Payment information, billing details, transaction history
• Safeguards: PCI-DSS Level 1, GDPR-compliant
• Privacy Policy: https://stripe.com/privacy

(d) Advertising and Marketing:

Google LLC - United States/Ireland

• Purpose: Conversion tracking, advertising measurement (Google Ads via Google Tag Manager)
• Data Processed: Device identifiers, IP addresses, browsing behavior, conversion events
• Safeguards: EU-US Data Privacy Framework participant, Standard Contractual Clauses available
• Privacy Policy: https://policies.google.com/privacy
• Opt-Out: US visitors can opt out via "Your Privacy Choices" link in the website footer

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2. Public Dashboard (Anonymized)

By default, we share anonymized summaries of your automation on our public dashboard:

• Industry: E.g., "E-commerce," "Agency," "SaaS"
• Automation Type: E.g., "Order placed -> Slack + Sheet"
• Tools: E.g., "Shopify, Slack, Google Sheets"

Your company name is NOT included unless you explicitly opted in during signup.

4.3. Named Showcase (Opt-In Only)

If you opted in to named showcase, we may share:

• Your company name
• Your company logo (with approval)
• Automation details with attribution

You can opt out at any time by emailing hello@automationelves.com. Upon opt-out, we will stop using your information in new materials. Materials already published may remain as they were created under the license you granted. See our Terms of Service for details.

4.4. Legal Requirements

We may disclose your information if required by law or in good faith belief that such action is necessary to:

• Comply with legal obligations (subpoenas, court orders)
• Protect our rights, property, or safety
• Prevent fraud or security threats
• Protect the rights or safety of others

4.5. Business Transfers

If Zero to MVP is involved in a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. You will be notified via email and/or a prominent notice on our website.

4.6. We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5. Data Security

5.1. Security Measures

We implement industry-standard security measures to protect your data:

• Encryption in Transit: All data transmitted over HTTPS/TLS
• Encryption at Rest: Credentials and sensitive data encrypted in database
• Access Controls: Least-privilege access; only engineers working on your automation can access credentials
• Secure Infrastructure: Hosted on reputable cloud providers with security certifications
• Regular Audits: Periodic security reviews and dependency updates

5.2. What You Can Do

Help us protect your data by:

• Using strong, unique passwords for your tool accounts
• Enabling two-factor authentication where available
• Limiting API key permissions to only what's necessary
• Rotating credentials if you suspect a compromise

5.3. Data Breach Notification

If we discover a data breach that affects your information, we will:

• Notify affected users within 72 hours (GDPR requirement)
• Describe what data was affected and what we're doing about it
• Provide guidance on protective steps you can take
• Notify relevant authorities if required by law

5.4. Limitations

While we take reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

6. Data Retention

6.1. Retention Periods

We retain your data for the following periods:

• Active Subscriptions: Duration of your active subscription
• After Termination: 30 days, then deleted (unless you extend monitoring or request earlier deletion)
• Tool Credentials: Until automation is deleted or 30 days after termination
• Execution Logs: 30 days (then automatically deleted)
• Support Communications: 3 years for quality assurance and dispute resolution
• Email Communications: Duration of the business relationship plus 2 years
• Financial Records: 7 years (US) or 10 years (EU/Greece) for tax and accounting compliance

6.2. Deletion Process

When data is deleted:

• Personal information is permanently removed from our active systems
• Credentials are purged from encrypted storage
• Backups containing your data are overwritten within 90 days (standard backup rotation)

6.3. Exceptions

We may retain certain information longer if required by:

• Legal obligations (tax records, legal disputes)
• Legitimate business needs (fraud prevention, security investigations)
• Your consent or request

7. Your Rights (GDPR/CCPA)

7.1. Rights for EU Users (GDPR)

If you are in the European Union, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure ("Right to Be Forgotten"): Request deletion of your data (subject to legal retention requirements)
• Right to Restriction: Limit how we process your data in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interest or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time (does not affect lawfulness of prior processing)
• Right to Lodge a Complaint: File a complaint with your local data protection authority

7.2. Rights for California Residents (CCPA)

If you are a California resident, you have the following rights:

• Right to Know: Request disclosure of categories and specific pieces of personal information collected
• Right to Delete: Request deletion of your personal information (subject to exceptions)
• Right to Opt-Out of Sale: We do not sell personal information, so this does not apply
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

7.3. How to Exercise Your Rights

To exercise any of these rights, email us at hello@automationelves.com with:

• Your full name and email address
• Description of your request
• Verification information (to confirm your identity)

We will respond within 30 days (GDPR) or 45 days (CCPA). If we need more time, we will notify you and explain why.

7.4. Verification Process

To protect your privacy, we may ask you to verify your identity before processing requests. This may include:

• Confirming your email address (we'll send a verification code)
• Matching information you provide with records we have on file
• Requesting additional identification for sensitive requests

8. International Data Transfers

8.1. Where Your Data Is Stored

Your data may be stored and processed in:

• European Union (Hetzner servers in Germany)
• United States (Stripe, hosting providers)
• Other jurisdictions where our service providers operate

8.2. Safeguards for EU Data

For data transferred outside the EU, we implement appropriate safeguards:

• Standard Contractual Clauses (SCCs): EU Commission-approved contracts with service providers located outside the EU/EEA
• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission

8.3. Your Consent

By using our service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.

9. Children's Privacy

Automation Elves is not intended for use by individuals under the age of 18 (or 16 in the EU). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at hello@automationelves.com. We will promptly delete such information from our systems.

10. Cookies and Tracking Technologies

10.1. Types of Cookies We Use

Cookies are small text files stored on your device when you visit our website.

(a) Strictly Necessary Cookies:

• Purpose: Essential for the website to function, enable payment processing, maintain security
• Examples: Session cookies, Stripe payment cookies
• Duration: Session cookies (deleted when you close browser) or persistent cookies (up to 1 year)
• Legal Basis: Necessary for contract performance (no consent required)

(b) Analytics and Marketing Cookies:

Google Ads (Google LLC):

• We use Google Ads (via Google Tag Manager) for conversion tracking and advertising measurement
• Tracks conversions when visitors complete actions on our website
• Used for remarketing to show relevant ads to previous visitors
• Data collected: Device identifiers, IP addresses, browsing behavior, conversion events
• Legal Basis:
  • Non-US visitors: Consent (when you click "Accept All" on cookie banner)
  • US visitors: Legitimate interest with opt-out option via "Your Privacy Choices" footer link
• Duration: Up to 90 days
• CPRA Note: For California residents, this activity constitutes "sharing" under CPRA. All US visitors can opt out via "Your Privacy Choices" link in the website footer

10.2. Cookie Consent

(a) For US Visitors: We use analytics and advertising cookies by default to improve your experience and measure advertising effectiveness. You can opt out at any time by clicking "Your Privacy Choices" in the website footer. When you opt out, we stop using analytics and advertising cookies and only keep essential cookies needed for payment processing.

(b) For Non-US Visitors: When you first visit our website, you will see a cookie consent banner with two options:

• Essential Only: Only cookies required for payment processing. No analytics or advertising cookies.
• Accept All: Essential cookies (payment processing), plus analytics cookies (to improve your experience) and advertising cookies (conversion tracking).

Essential cookies for payment processing (Stripe) are always used as they are required for the service to function.

You can change your preferences at any time by clearing your browser data and revisiting the site.

10.3. Browser Controls

You can control cookies through:

• Browser Settings: Most browsers allow you to refuse cookies or delete cookies. Instructions for common browsers:
  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Preferences > Privacy & Security > Cookies
  • Safari: Preferences > Privacy > Cookies
  • Edge: Settings > Privacy > Cookies
• Do Not Track: Some browsers support "Do Not Track" (DNT) signals. Currently, there is no universal standard for DNT. We do not alter our practices in response to DNT signals, but we provide cookie opt-out mechanisms.

Note: Blocking cookies may affect functionality of our Services.

11. Marketing Communications

11.1. What We Send

With your consent or where permitted by law, we may send you:

• Transactional Emails: Request confirmations, status updates, preview notifications (you cannot opt out of these)
• Marketing Emails: Information about TaskForce, future campaigns, strategy call offers (you CAN opt out)

11.2. Opt-Out

To unsubscribe from marketing emails:

• Click the "Unsubscribe" link at the bottom of any marketing email
• Email hello@automationelves.com with subject "Unsubscribe"
• We will process your request within 10 business days

You will continue to receive transactional emails related to your automation (required for service delivery).

12. Third-Party Links

Our website may contain links to third-party websites (e.g., TaskForce, tool providers like Stripe or Slack). We are not responsible for the privacy practices of these external sites.

We encourage you to review the privacy policies of any third-party sites you visit.

13. California "Shine the Light" Law

California residents can request information about personal information we disclose to third parties for their direct marketing purposes.

Since we do not share personal information with third parties for their marketing purposes, this request may not yield any information. However, you can still submit a request to hello@automationelves.com.

14. Changes to This Privacy Policy

14.1. Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do:

• We will update the "Last Updated" date at the top
• For material changes, we will email active customers
• We will post a notice on the website for 30 days

14.2. Your Consent

Continued use of our service after changes constitutes acceptance of the updated policy. If you do not agree to the changes, you may request deletion of your data and discontinue use of the service.

15. Contact Us and Data Protection Officer

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

15.1. Data Protection Officer

Zero to MVP PC has determined it is not required to appoint a Data Protection Officer under GDPR Article 37, as our core activities do not involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data. For data protection inquiries, please contact legal@taskforce.tech.

15.2. Supervisory Authorities

For GDPR-related inquiries, you may also contact your local data protection authority:

• EU Residents: List of EU Data Protection Authorities
• UK Residents: Information Commissioner's Office (ICO)

16. Summary of Key Points

Categories of Personal Information Collected (CCPA)

• Identifiers: Email, company name, IP address
• Commercial Information: Payment records, transaction history
• Internet Activity: Browsing behavior, usage data
• Professional Information: Company type, business description

Sources of Personal Information

• Directly from you (form submissions, emails)
• Automatically (cookies, analytics)
• From third parties (Stripe payment data)

Business Purposes for Collection

• Provide and deliver the service
• Process payments
• Communicate with you
• Improve our services
• Comply with legal obligations
• Prevent fraud and enhance security

Third Parties We Share With

• Hetzner (infrastructure and hosting)
• Stripe (payment processing)
• Sentry (error monitoring)
• Google Ads (advertising and conversion tracking via Google Tag Manager)

Your Rights Summary

• Access your data
• Correct inaccurate data
• Delete your data
• Opt out of marketing
• Object to processing
• Data portability
• Withdraw consent
• Lodge a complaint with authorities

Legal Disclaimer: This Privacy Policy is designed to be transparent and compliant with GDPR, CCPA, and other major privacy regulations. However, it should not be considered a substitute for legal advice. If you have concerns about your privacy or data protection, please consult with qualified legal counsel.