Privacy policy
Last updated: 2026-05-18 · Effective: 2026-05-18
Who we are
Clear Contracts, Inc ("West Palm AI", "we", "us", or "our") operates the website at https://westpalmai.com and the related consulting and education services. This policy explains what personal data we collect when you use those services, why we collect it, and how you can exercise your rights over that data.
This policy applies to visitors of the marketing site, newsletter subscribers, lead-form respondents, course purchasers, and verified-certificate recipients. It does not apply to data we receive when one of our customers uses West Palm AI on behalf of their own end users under a separate consulting engagement — that data is governed by the engagement contract.
What data we collect
We collect personal data in three ways:
- Data you give us directly. When you sign up for an account, subscribe to the newsletter, submit a lead form, RSVP to an event, or purchase the course, you supply your email address and (for purchases) your name and billing details. The lead form for build engagements asks about the workflow you want help with — that's free-form text you write.
- Data your browser sends us. When you load a page on https://westpalmai.com, your browser supplies its IP address, user-agent string, and the URL you requested. Our server logs these for security, debugging, and rate-limit enforcement.
- Data our service providers collect with your consent. If you grant analytics consent through the cookie banner, our analytics processor (see §Who we share data with) records page-view events and interaction signals. Without consent, no analytics events are emitted.
We do not knowingly collect data from anyone under 18; see §Children.
Why we collect it
The legal basis for each collection purpose under GDPR Art. 6 and the equivalent UK GDPR provision:
- Contract performance (Art. 6(1)(b)) — providing the services you purchased: course access, certificate issuance, customer support, billing.
- Legitimate interest (Art. 6(1)(f)) — site security (rate-limit counters, fraud screening), service operation (error monitoring, performance telemetry), and direct responses to lead-form submissions where we believe the requester is asking us to contact them.
- Consent (Art. 6(1)(a)) — non-essential analytics and the newsletter subscription. Consent is opt-in; you can withdraw it at any time without affecting prior lawful processing.
- Legal obligation (Art. 6(1)(c)) — tax records for course purchases.
For users in the United States, CCPA applies; we treat our collection purposes as the disclosures required by Cal. Civ. Code § 1798.100(b).
Who we share data with
We use 11 third-party processors to operate the service. The table below names each one, the data category it receives, where the processing happens, and the legal mechanism for any international transfer. We do not sell or "share for cross-context behavioral advertising" your personal data within the meaning of CCPA § 1798.140(ad).
We do not transfer personal data to processors that are not listed below. Adding a new processor requires updating this policy and (for material additions) re-notifying subscribers.
| Processor | Purpose | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing for course purchases. | | United States | Standard Contractual Clauses |
| Mux, Inc. | Course video hosting, encoding, and signed playback. | | United States | Standard Contractual Clauses |
| PostHog, Inc. | Product analytics (only after analytics consent is granted). | | United States | Standard Contractual Clauses |
| Functional Software, Inc. (Sentry) | Error monitoring and performance telemetry. | | United States | Standard Contractual Clauses |
| Resend, Inc. | Transactional email delivery (sign-up verification, receipts, password resets). | | United States | Standard Contractual Clauses |
| Beehiiv, Inc. | Newsletter subscription management and broadcast delivery. | | United States | Standard Contractual Clauses |
| Cloudflare, Inc. | Object storage (course resources, certificate PDFs) via R2. | | United States | EU-U.S. Data Privacy Framework + Standard Contractual Clauses |
| Neon, Inc. | Managed PostgreSQL database hosting (user accounts, purchases, course progress). | | United States | Standard Contractual Clauses |
| Vercel, Inc. | Web application hosting and edge delivery. | | United States | Standard Contractual Clauses |
| Railway Corp. | API server hosting (business logic, webhook receivers, signed-URL issuance). | | United States | Standard Contractual Clauses |
| Upstash, Inc. | Distributed rate-limit counters (Redis-compatible REST). | | United States | Standard Contractual Clauses |
How long we keep your data
Retention periods by data category:
- Account data (email, password hash, verification status): for the lifetime of the account. Closing the account triggers anonymization per §Your rights.
- Course purchases: 7 years from the date of purchase, as required by tax and accounting record-retention rules. Anonymization is applied to the user identifier; the financial record itself is retained.
- Course progress and certificates: for the lifetime of the account. Certificates remain publicly verifiable by slug after account closure unless the user explicitly requests removal of the recipient name.
- Newsletter subscriptions: until you unsubscribe. Unsubscribed records are kept for 30 days then deleted.
- Lead form submissions (events, build inquiries): 18 months from submission for follow-up tracking, then anonymized.
- Server logs and rate-limit counters: 30 days.
- Salted IP hashes (lead anti-spam): 18 months.
If you request erasure, the timelines above are superseded by the procedure in §Your rights.
International data transfers
All processors listed in §Who we share data with are headquartered in the United States. When you use the service from outside the United States, your personal data is transferred to those processors. Each transfer relies on the legal mechanism noted in the processor table — most commonly Standard Contractual Clauses adopted by the European Commission, supplemented where applicable by participation in the EU-U.S. Data Privacy Framework.
We do not transfer personal data to any processor in a jurisdiction lacking an adequacy decision or an alternative Art. 46 safeguard.
Your rights
Under GDPR (and the equivalent UK GDPR provisions) you have the right to:
- access your personal data and receive a copy in a portable format
- rectify inaccurate data
- request erasure ("right to be forgotten")
- restrict or object to processing
- withdraw consent for any consent-based processing
Under CCPA, California residents have the right to know, delete, correct, and limit the use of sensitive personal information; you may also opt out of any "sale" or "sharing" — though, as noted in §Who we share data with, we do not sell or share personal data within CCPA's meaning.
To exercise any of these rights, email support@westpalmai.com with your account email and a description of the request. We will acknowledge within 5 business days and complete the request within 30 days, the legal ceiling. We may ask you to verify your identity if the request comes from an email other than the one on file.
Erasure is implemented as anonymize-in-place: account row retained with email scrubbed; financial records retained for tax-law compliance with the user reference nulled; lead form and event RSVP submissions have name + email + IP-hash nulled with the row id and timestamp preserved (so we can prove the row's age against the retention policy). External processors are notified individually per the processor-side erasure procedure; this can take additional time depending on the processor's SLA.
Children
West Palm AI is intended for ops professionals; we do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, email support@westpalmai.com and we will delete the account and associated data on confirmation.
Changes to this policy
Material changes to this policy will be communicated by email to registered users and by a banner on https://westpalmai.com for at least 30 days following the change. The "Last updated" date at the top of this page reflects the most recent edit, and the "Effective" date marks when the new terms apply.
Non-material changes (typo corrections, clarifications, formatting) take effect immediately on publication and only update the "Last updated" date.
Contact us
For privacy-related questions or to exercise the rights described in §Your rights, email support@westpalmai.com. We do not currently maintain a postal address for service of legal notices unrelated to a specific course or consulting engagement; if you require one, request it in your initial email.
The data controller for purposes of GDPR is Clear Contracts, Inc.