Privacy Policy

Last updated: March 2, 2026

CASTELO (“we”, “our”, or “us”) operates the CASTELO platform, accessible at castelo.app. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our services.

By using CASTELO, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (stored as a secure hash — we never see your plaintext password)
  • Display name (optional)

Usage Data

As you use CASTELO, we automatically collect:

  • Scenario responses and choices
  • Progress and competency scores across leadership pillars
  • Session activity, streak data, and daily queue interactions
  • AI coach conversation history
  • Device type, browser, and approximate location (country/region level)

Payment Information

If you subscribe to a paid plan, payment is processed by Stripe. We do not store your credit card number or full payment details on our servers. We receive a billing token and basic subscription status from Stripe. You can review Stripe's privacy practices at stripe.com/privacy.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the CASTELO platform
  • Personalize your daily scenario queue and progress tracking
  • Process payments and manage subscriptions
  • Send transactional emails (account verification, password reset, billing receipts)
  • Send product updates and announcements (you can opt out at any time)
  • Analyze aggregate usage patterns to improve content and features
  • Comply with legal obligations

3. Third-Party Services

We use the following third-party services that may process your data:

  • Supabase — database and authentication infrastructure
  • Stripe — payment processing
  • Vercel — application hosting and edge infrastructure
  • Anthropic / OpenAI — AI coaching and scenario generation (your scenario responses may be sent to these services for processing)

We do not sell your personal information to third parties.

4. Data Retention

We retain your account data and progress history for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., billing records).

5. Your Rights

Depending on your location, you may have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and personal data
  • Portability — request your data in a machine-readable format
  • Opt-out of marketing — unsubscribe from non-transactional emails at any time

To exercise any of these rights, email us at privacy@castelo.app. We will respond within 30 days.

6. Cookies

We use essential session cookies to keep you logged in and remember your preferences. We do not use third-party advertising cookies. You can configure your browser to reject cookies, but some features of CASTELO may not work correctly without them.

7. Children's Privacy

CASTELO is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

8. Security

We implement industry-standard security practices, including encryption in transit (TLS), encrypted storage of sensitive data, and regular security reviews. No system is 100% secure; if you discover a vulnerability, please disclose it responsibly to security@castelo.app.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we'll notify you by email or with a banner in the app. The “Last updated” date at the top of this page will always reflect the most recent revision.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at: