Privacy Policy

Last updated: June 2026

1. Overview and Controller Identity

This Privacy Policy describes how Harbinger Bros. LLC ("Company," "we," "us," or "our"), the operator of the Edithority platform, collects, processes, stores, and transfers personal data in connection with the use of the Editorial Audit, Algorithmic Optimization, AI Integrity Analysis modules, and the Blog (collectively, "the Service").

This policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.

For purposes of the GDPR, the Company acts as the Data Controller with respect to account data and derived analysis data. With respect to submitted content (raw input), the Company acts as a Data Processor on behalf of the user, who retains authorship and any associated intellectual property rights.

Data Controller: Harbinger Bros. LLC
1309 Coffeen Avenue STE 1200
Sheridan, WY 82801, United States
Contact: support@laenethylabs.com

2. Categories of Data Processed

We distinguish between three categories of data, which are subject to different handling rules:

2.1 Account and Identity Data

  • Email address and full name: Collected at registration for authentication, account management, and service communications. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
  • Subscription and billing data: Active plan tier (Free, Essential, Premium, or Professional), billing cycle, and subscription status are stored for quota enforcement and account management. Payment card data is processed exclusively by our Merchant of Record (see Section 6) and is not stored on our servers.
  • Usage preferences: Theme settings, custom marker weights, dashboard configuration, and template configurations stored per account.

2.2 Submitted Content (Raw Input Data)

  • Text, documents, or URLs submitted for analysis. This data is processed transiently and is subject to deletion upon completion of analysis (see Section 4). It may temporarily reside in application memory, processing buffers, and infrastructure logs during the analysis pipeline.
  • Language processing: Where submitted content is detected as non-English, it is temporarily translated into English for analysis purposes, and the resulting report is translated back into the original language. Neither the translated input nor the intermediate English version is retained beyond the processing session.

2.3 Blog and Publicly Accessible Content

  • Blog content: The Edithority Blog publishes editorial articles that are publicly accessible without registration or login. No personal data is collected solely from reading Blog content. If you are logged in while accessing the Blog, your session cookie (strictly necessary) may be present, but no additional personal data is collected in connection with Blog visits.
  • AI-assisted content generation: Blog posts are generated with AI assistance and reviewed by Edithority staff before publication. No user-submitted content is used in the generation of Blog posts.

2.4 Derived Data (Analysis Output)

  • Analysis results, scores, and recommendations generated by the platform (e.g., marker scores, risk assessments, algorithmic readiness scores) are stored in your account and linked to your user identity. This data is retained until account deletion is requested.
  • Export records: Metadata regarding report exports (timestamp, format, analysis ID) is retained for operational and audit purposes.

3. Data Flow and Processing Pipeline

The following describes the complete lifecycle of submitted content through the Service:

  1. Input: The user submits content via text paste, file upload (PDF, DOCX, TXT), or URL. The content is transmitted over an encrypted TLS connection to Vercel's serverless infrastructure.
  2. Language Detection and Translation: A language detection routine identifies the content language. If the content is not in English, it is temporarily translated to English using an AI processing subprocessor (see Section 6) to ensure analysis quality. The content exists in both original and translated form in memory during this step only.
  3. Analysis Processing: The English-language content is submitted to AI inference endpoints operated by our subprocessors (Anthropic Claude API). Analysis modules (Editorial Audit, Algorithmic Optimization, AI Integrity) are executed. The content is processed in memory and is not persistently stored by subprocessors for their own purposes.
  4. Report Generation and Back-Translation: Analysis output (scores, markers, recommendations) is generated. Where applicable, text output is translated back into the user's original language. This translation step also processes the derived data, not the original content.
  5. Storage of Derived Data: The analysis results (derived data) are stored in the user's Supabase account database. The raw submitted content is deleted from the application database upon completion of the analysis pipeline.
  6. Residual Technical Presence: Notwithstanding the deletion of content from the primary database, submitted content may temporarily persist in server-side memory, request buffers, or Vercel infrastructure logs for technically necessary durations. Such logs are configured to minimize content retention and are subject to automated rotation and deletion policies.

4. Content Deletion and Data Retention

4.1 Raw Content

Raw submitted content (the original text, document content, or URL-fetched material) is deleted from the primary application database upon successful completion of the analysis pipeline. This deletion is executed programmatically as part of the standard processing workflow.

Notwithstanding the above, raw content may exist transiently in: (i) server-side application memory during active processing; (ii) network-level or application-level request buffers; (iii) infrastructure logs, to the extent technically necessary for system operation, error tracing, and security monitoring. Such residual instances are subject to automated expiration and do not constitute long-term storage.

4.2 Derived Data

Derived data (analysis results, scores, recommendations, export metadata) is retained in the user's Supabase account for the duration of the active account relationship, or until the user requests deletion (see Section 5).

4.3 Account Data

Account and identity data is retained for the duration of the contractual relationship and for such additional period as required by applicable legal obligations (e.g., tax, accounting, or dispute resolution requirements), not to exceed seven (7) years unless otherwise required by law.

4.4 AI Training

Submitted content is not used by the Company for the purpose of training, fine-tuning, evaluating, or improving any machine learning or artificial intelligence model operated by the Company. With respect to subprocessors, the Company contracts only with providers whose terms of service explicitly prohibit the use of customer-submitted data for model training purposes. Users are advised to review the subprocessor list in Section 6 and the respective privacy terms of each provider for independent verification.

5. Data Subject Rights (GDPR and CCPA)

Depending on your jurisdiction, you may be entitled to exercise the following rights with respect to your personal data. Requests may be submitted to support@laenethylabs.com. We will respond within 30 calendar days of receipt of a verifiable request, in accordance with GDPR Art. 12 and CCPA requirements.

Right to Access (GDPR Art. 15 / CCPA)

You may request confirmation of whether we process personal data about you and, if so, a copy of that data, including the categories of data, purposes of processing, and any recipients.

Right to Rectification (GDPR Art. 16)

You may request correction of inaccurate personal data. Certain account data may be updated directly via your Profile settings.

Right to Erasure (GDPR Art. 17 / CCPA Right to Delete)

You may request deletion of your account and all associated personal data, including derived analysis data and settings. Deletion may be subject to retention obligations arising from applicable legal requirements (see Section 4.3).

Right to Restriction of Processing (GDPR Art. 18)

You may request that we limit processing of your data in specific circumstances, such as where the accuracy of data is contested or where processing is unlawful but you oppose erasure.

Right to Data Portability (GDPR Art. 20)

You may request a structured, commonly used, machine-readable copy of personal data you have provided to us where processing is based on consent or contract and is carried out by automated means. Analysis reports are exportable in PDF, CSV, and PPTX formats via the platform.

Right to Object (GDPR Art. 21)

You may object to processing of your personal data where we rely on legitimate interests as the legal basis. We will assess whether our legitimate interests override your rights and respond accordingly.

Right to Opt-Out of Sale or Sharing (CCPA/CPRA)

We do not sell personal data to third parties for monetary consideration. We do not share personal data for cross-context behavioral advertising purposes. No opt-out mechanism is required for this specific practice, but you may contact us to confirm this at any time.

Right to Lodge a Complaint

If you believe we have not complied with applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority in your jurisdiction (e.g., your national Data Protection Authority within the EU/EEA).

6. Subprocessors and Third-Party Service Providers

We engage third-party service providers ("subprocessors") to support the operation of the Service. These providers process data solely on our behalf, pursuant to written data processing agreements that require them to: (i) process data only in accordance with our documented instructions; (ii) implement appropriate technical and organizational security measures; and (iii) not use customer data for their own purposes, including model training, product improvement, or any form of re-use, unless explicitly permitted and disclosed.

The following subprocessors are engaged:

Supabase — Infrastructure, Database & Authentication

Provides PostgreSQL database hosting, authentication, and file storage for account data and derived analysis results. Data is hosted in EU Central (Frankfurt, Germany). Supabase enforces Row-Level Security (RLS) ensuring users can only access their own data. Submitted raw content transits through this infrastructure during processing.

Vercel — Application Hosting & Edge Network

Provides serverless application hosting, edge delivery, and CDN. API routes (Next.js serverless functions) process analysis requests ephemerally — each invocation is isolated and stateless. Request metadata may appear in Vercel logs for up to 30 days.

Anthropic — AI Inference (Claude API)

Submitted content is transmitted to Anthropic's Claude API for language detection, translation, and content analysis. Anthropic does not use API inputs to train their models per their API usage policy and Data Processing Agreement. Inference is stateless — no content is retained by Anthropic beyond the request lifecycle.

Lemon Squeezy — Payment and Billing (Merchant of Record)

Lemon Squeezy acts as Merchant of Record for all subscription transactions. Payment card data, billing addresses, and transaction records are processed and stored exclusively by Lemon Squeezy under its own privacy and data processing terms. We receive limited billing metadata (e.g., subscription status, plan tier) from Lemon Squeezy via webhook.

Analytics Provider (Optional)

Where analytics services are enabled by user consent, usage telemetry (e.g., page views, feature interactions) may be processed by a third-party analytics provider. No submitted content is included in analytics data. Analytics processing is subject to user cookie consent (see Section 8).

An up-to-date list of active subprocessors may be requested by contacting us at support@laenethylabs.com. We will notify users of material changes to the subprocessor list where required by applicable law or data processing agreements.

7. International Data Transfers

The Company is incorporated in the United States. Personal data processed through the Service may be transferred to, and processed in, countries outside the European Economic Area (EEA), including the United States, where the level of data protection may differ from that provided under GDPR.

Where personal data originating in the EEA is transferred to countries not recognized by the European Commission as providing adequate data protection, we rely on one or more of the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism for data flows to third countries, including transfers to subprocessors such as Anthropic and Vercel.
  • Adequacy Decisions: Where the European Commission has issued an adequacy decision for a recipient country, we rely on that decision as the legal basis for the transfer.
  • Supplementary Technical Measures: Where appropriate, we apply supplementary measures (e.g., encryption in transit via TLS 1.3, data minimization) to reduce the risk associated with third-country transfers.

You may request a copy of the applicable transfer mechanisms by contacting us at support@laenethylabs.com.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies in accordance with applicable law, including the ePrivacy Directive and GDPR. A consent management interface is presented upon first access to the Service. Users may accept all cookies, reject non-essential cookies, or configure category-level preferences.

  • Strictly necessary cookies: Required for authentication, session management, and core service functionality. These cookies cannot be disabled without impairing the operation of the Service. Legal basis: legitimate interests (GDPR Art. 6(1)(f)) and/or performance of a contract.
  • Analytics cookies: Used to collect pseudonymized usage data (e.g., feature interactions, session duration) to improve service performance. Activated only with user consent. Legal basis: consent (GDPR Art. 6(1)(a)).
  • Marketing and preference cookies: Used for personalized communications or product improvement activities. Activated only with user consent. Legal basis: consent (GDPR Art. 6(1)(a)).

Cookie preferences may be modified at any time via the consent banner or browser settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, in accordance with GDPR Art. 32. These measures include:

  • Encryption in Transit: All data transmitted between the client and our servers is encrypted using TLS 1.3 (Transport Layer Security).
  • Encryption at Rest: All data stored in Supabase is encrypted at rest using AES-256.
  • Row-Level Security: Supabase RLS policies ensure that users can only access, modify, or delete their own data — enforced at the database layer, independent of application logic.
  • Access Controls: User accounts are protected by authenticated sessions managed by Supabase Auth. Administrative access to production systems is restricted to authorized personnel and is subject to access logging.
  • Data Minimization by Design: The processing pipeline is designed to minimize the retention period of raw content. Vercel serverless function logs are configured to avoid capturing full content payloads where technically feasible.
  • Payment Security: Payment card data is not processed or stored by Edithority. All payment transactions are handled exclusively by Lemon Squeezy, which is PCI-DSS compliant.
  • Incident Response: In the event of a personal data breach, we will notify affected users and relevant supervisory authorities as required under GDPR Art. 33–34 and applicable U.S. breach notification laws.

10. Legal Bases for Processing (GDPR)

For users located in the European Economic Area (EEA) or the United Kingdom, we process personal data on the following legal bases under GDPR Art. 6:

Performance of a Contract (Art. 6(1)(b))

Processing of account data, submitted content, and derived analysis results is necessary to provide the Service under the Terms of Service agreed to by the user.

Consent (Art. 6(1)(a))

Non-essential cookies and analytics tracking are processed only where the user has provided freely given, specific, informed, and unambiguous consent via the cookie consent interface. Consent may be withdrawn at any time.

Legal Obligation (Art. 6(1)(c))

Certain data (e.g., billing records) may be retained to comply with applicable legal obligations, including tax and accounting law.

Legitimate Interests (Art. 6(1)(f))

We rely on legitimate interests for security monitoring, fraud prevention, and service integrity operations, where such processing does not override the fundamental rights and freedoms of data subjects.

11. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. In the event of material changes affecting your rights or our obligations, we will provide notice via the platform interface or by email to the address associated with your account, at least 14 days prior to the changes taking effect, unless a shorter notice period is required by law.

Continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree to the revised policy, you should discontinue use of the Service and may request account deletion in accordance with Section 5.

12. Contact and Data Protection Inquiries

For privacy-related inquiries, data subject requests, or to exercise any rights described in this policy, please contact us at:

support@laenethylabs.com

Harbinger Bros. LLC · 1309 Coffeen Avenue STE 1200 · Sheridan, WY 82801 · USA

Response time: Within 30 calendar days of receipt of a verifiable request, in accordance with GDPR Art. 12(3).