Privacy Policy
Last updated: January 9, 2026
The Straight Talk
At CTO Monster, we're direct about everything—including how we handle your data. This privacy policy explains what information we collect, why we collect it, and what we do with it. No corporate BS, just the facts.
What We Collect
Information You Give Us
- Contact Information: Name and email address, provided when you request a scope report or book a consultation
- Project Details: Project descriptions, URLs, and status information you provide for analysis
- Booking Information: Consultation scheduling details, timezone preferences, and payment information (processed securely through Stripe)
Information We Collect Automatically
- Usage Data: IP address, browser type, pages visited, time spent on pages
- Analytics: We use analytics to understand how people use our service and improve it
- Cookies: Essential cookies for site functionality and session management
How We Use Your Data
We use your information to:
- Generate AI-powered project scope reports using Google Gemini API
- Send you scope reports and consultation confirmations via email (Resend)
- Schedule and manage your consultation bookings
- Improve our service through analytics and user feedback
- Respond to your inquiries and provide customer support
- Send internal notifications (we use Telegram for team alerts)
- Comply with legal obligations and enforce our terms
AI & Data Processing
Here's the deal: When you submit a project description, we send it to Google's Gemini AI API for analysis. Google processes this data according to their own privacy policies and terms of service.
We also scrape publicly accessible URLs you provide to gather context for better analysis. This data is processed temporarily and cached for 24 hours to improve performance.
Important: Don't submit confidential, proprietary, or sensitive information in your project descriptions. Our AI analysis is processed through third-party APIs and isn't suitable for trade secrets or confidential business information.
Data Storage & Security
Where your data lives:
- Scope reports are cached in Redis (Upstash) for 24 hours
- Email delivery is handled by Resend
- Booking data is stored securely and backed up regularly
- Payment processing is handled entirely by Stripe (we never store your payment details)
We implement industry-standard security measures including HTTPS encryption, secure API keys, rate limiting, and input sanitization to protect your data. However, no system is 100% secure—use common sense and don't share sensitive information you wouldn't want potentially exposed.
Who We Share Your Data With
We're not in the business of selling your data. We only share information with:
- Service Providers: Google (Gemini AI), Resend (email), Stripe (payments), Upstash (caching), Cloudflare (hosting & CDN)
- Legal Requirements: If required by law, court order, or government regulation
- Business Transfers: If CTO Monster is acquired or merged, your data may transfer to the new owner
We do NOT: Sell your data to advertisers, share it with marketing companies, or use it for purposes unrelated to providing our service.
Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Opt-Out: Unsubscribe from marketing emails at any time
- Data Portability: Request your data in a portable format
To exercise these rights, email us at dan@cto.monster. We'll respond within 30 days.
Cookies & Tracking
We use essential cookies to make the site work properly (session management, form data, etc.). We don't use intrusive tracking or third-party advertising cookies.
You can disable cookies in your browser, but some features may not work correctly.
International Data Transfers
CTO Monster operates from the United States (Orlando, FL). If you're accessing our service from outside the US, your data will be transferred to and processed in the United States. We comply with applicable data protection laws including GDPR for European users.
Children's Privacy
Our service is not intended for anyone under 18. We don't knowingly collect data from children. If you're a parent and believe your child has provided us with personal information, contact us immediately and we'll delete it.
Data Retention
- Scope Report Cache: 24 hours (then automatically deleted)
- Email Communications: Until you request deletion or unsubscribe
- Booking Records: 7 years for tax and legal compliance
- Analytics Data: Aggregated and anonymized after 26 months
Changes to This Policy
We may update this privacy policy from time to time. When we do, we'll update the "Last updated" date at the top and notify you if the changes are significant (via email or a prominent notice on the site).
Your continued use of CTO Monster after changes means you accept the updated policy.
Contact Us
Questions about this privacy policy? Want to exercise your data rights? Just want to talk tech?
GDPR & California Privacy Rights
For European Users (GDPR): You have additional rights including the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority.
For California Users (CCPA): California residents have the right to know what personal information is collected, to request deletion, to opt out of sales (we don't sell your data), and to non-discrimination for exercising privacy rights.
This privacy policy was written to be clear and honest—not buried in legal jargon. If something's unclear or you have questions, just ask. We're humans building software for humans.
— Dan @ CTO Monster