Privacy Policy
Controller and contact
StateTilt (“StateTilt”, “we”, “us”) is the controller of personal data described in this policy. For privacy questions or to exercise your data-subject rights, contact privacy@statetilt.com. StateTilt operates as an analytics-and-research publisher; we do not handle subscriber funds, custody crypto-assets, or facilitate transactions.
Data we collect
We collect only the data needed to operate the service. Categories:
Pre-launch note. The categories below describe the data flows the service will operate at and after operational launch. Pre-launch (current state), only the categories operated today — account information through Clerk, communication data through Resend, and operational logs — are active. Lemon Squeezy billing flows and Telegram bot delivery activate at operational launch; the policy describes them in advance so subscribers can see the full data picture before the paid tier opens.
- Account information. Email address, display name, and authentication identifiers managed through our authentication provider, Clerk. Passwords are hashed by Clerk and never visible to StateTilt.
- Billing information. Payment-method tokens, billing address, tax-residency indicators, and transaction records collected and stored by Lemon Squeezy acting as merchant of record. StateTilt receives a record that a given subscriber is in good standing; StateTilt does not store card numbers or full billing details.
- Communication data. Telegram chat identifier when a subscriber opts to receive notifications via Telegram, and email-delivery events (sent, opened, bounced, unsubscribed) reported by our transactional email vendor, Resend.
- Operational logs. Network address, browser user-agent string, request timestamps, and request paths captured by our hosting infrastructure for security, abuse prevention, and debugging.
Legal bases (GDPR Article 6)
We rely on the following legal bases under GDPR Article 6:
- Contract. Account, billing, and core service-delivery data are processed to perform the subscription contract and respond to user requests.
- Legitimate interests. Operational logs and abuse-prevention records are processed in our legitimate interest in keeping the service secure, available, and free of misuse.
- Consent. Optional marketing emails and bot-channel notifications are processed only with the subscriber's explicit opt-in. Consent may be withdrawn at any time via the unsubscribe link or by writing to the privacy contact above.
- Legal obligation. Tax, accounting, and consumer-protection records may be retained where applicable law requires.
Sub-processors
StateTilt uses the sub-processors listed below. Each is bound by a Data Processing Agreement that requires processing only on StateTilt's documented instructions, consistent with GDPR Article 28. Authoritative sub-processor lists are maintained by each vendor at the URLs given.
Lemon Squeezy and Telegram are listed because they form part of the post-launch data flow; pre-launch they are not actively processing subscriber data.
- Clerk — authentication and account management. DPA · Subprocessors.
- Lemon Squeezy — merchant of record for subscription billing, tax collection, and refund handling. Lemon Squeezy may engage further sub-processors as described in its then-current published documentation. DPA.
- Resend — transactional and marketing email delivery. DPA · Subprocessors.
- Telegram — message delivery for subscribers who opt in to bot notifications. Telegram's privacy terms apply when interacting with the StateTilt bot. Privacy.
- Railway — application hosting in the United States. DPA.
- Healthchecks.io — uptime and cron-job monitoring; receives system status pings, no subscriber content. Privacy.
Subscribers can request the current sub-processor list at any time via the privacy contact above. We notify subscribers of material sub-processor changes in advance through the channel they have registered with.
Data retention
Account data is retained for the duration of the subscription and for the period required by billing, tax, and consumer-protection law after cancellation. Marketing-list entries are retained until unsubscribe. Operational logs use a 90-day retention window before automated deletion, except where a longer period is required to investigate a security incident or comply with a lawful request.
International transfers
StateTilt is hosted on Railway infrastructure in the United States. For subscribers located in the European Economic Area, the United Kingdom, or other jurisdictions with cross-border-transfer requirements, transfers to the United States are made subject to the European Commission's Standard Contractual Clauses or an equivalent mechanism (such as the EU-US Data Privacy Framework where the recipient is certified). Vendor DPAs linked above describe the safeguards applied by each sub-processor.
Your rights (GDPR Articles 15-22)
Subscribers in the European Economic Area, the United Kingdom, and equivalent jurisdictions have the rights to access, rectification, erasure, restriction of processing, data portability, and objection, as set out in GDPR Articles 15-22. Subscribers may also withdraw consent for processing based on consent at any time and lodge a complaint with a supervisory authority, including the relevant data-protection regulator in their jurisdiction.
To exercise a right, write to privacy@statetilt.com. We respond within the period required by applicable law and without undue delay.
Notice for California residents (CCPA / CPRA)
California residents have specific rights under the California Consumer Privacy Act and the California Privacy Rights Act, codified at §§ 1798.100-199 of the California Civil Code. These include the rights to know what personal information we collect, to access and delete that information, to correct inaccuracies, to opt out of any “sale” or “sharing” of personal information, and to limit the use of sensitive personal information. StateTilt does not engage in the “sale” of personal information for monetary consideration as that term is used in the California statute, and does not share personal information for cross-context behavioural advertising. To exercise a California right, write to the privacy contact above and identify your request.
Children
The service is not directed to children. StateTilt does not knowingly collect personal information from anyone under 18. If a parent or guardian believes that a child under 18 has provided personal information, they should contact the privacy address above and we will delete the information promptly. For European Economic Area, United Kingdom, and equivalent jurisdictions, GDPR Article 8 and applicable national child-data thresholds apply with respect to processing of children's personal information; in any case the service is not directed at minors.
Security
StateTilt applies technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit, access controls on production systems, and regular review of sub-processor security posture. No system is perfectly secure; subscribers should keep their credentials confidential and report suspected compromise immediately.
Changes to this policy
We may update this policy to reflect changes in the service, in our sub-processors, or in applicable law. Material changes will be announced via the channel a subscriber has registered with and posted on this page with a revised “Last updated” date. Continued use of the service after a revision's effective date constitutes acceptance of the revised policy.
Version 1.0 of this Privacy Policy is subject to revision following professional review at the launch milestone. For privacy enquiries or to exercise your rights, write to privacy@statetilt.com.