PrivacyUpdated 2026 · 05 · 01

Privacy.

Plain language version, then the legal-careful version. Both are accurate.

The plain version.

We don’t track you. We don’t set advertising cookies. We don’t share your data with third parties for marketing. We don’t train models on your data, and we hold our model providers to the same rule. If you join the waitlist, we keep your name, email, and the sentence you sent us. We use them to write to you when there’s a seat. We don’t sell, share, or sublicense them. You can ask us to delete everything by emailing bryan@perseidechocreations.com; we will, within seven days.

What we collect.

From visitors to this site: nothing identifying. We use Plausible, a privacy-respecting analytics provider that gives us aggregate page-view counts and referrer data; it does not set cookies and it does not identify you. From people who join the waitlist: name, email, business description, and any note you sent. From customers, when we have them: account information, billing details (handled by Stripe), and the operator data you create in the product.

What we don’t do.

No third-party trackers. No retargeting pixels. No data sales. No model training on customer data. No cross-site profiling. No A/B testing on this website’s readers.

Your rights.

You can request a copy of everything we have on you. You can request deletion. You can request correction. You can opt out of any future marketing communication; we don’t send any in the meantime, but the right is yours either way. Email bryan@perseidechocreations.com with the request and we will respond within seven days.

— If anything on this page is unclear, write to us. We’ll fix the wording.

The legal-careful version.

This is the longer version, written so we can stand behind it under GDPR, UK GDPR, the California Consumer Privacy Act as amended by the CPRA, the California Online Privacy Protection Act, and the Children’s Online Privacy Protection Act. Where the two versions differ, the legal-careful version controls.

1. Who we are.

Bristlecone is operated by Perseid Echo Creations LLC, a Washington limited liability company, which acts as the data controller. For any privacy question, write to bryan@perseidechocreations.com.

2. What we collect.

We collect three categories of data, depending on how you interact with us.

Visitors to this website. Aggregate, non-identifying analytics: page paths, referrer, country (derived, not stored at IP level), browser family, device type. Collected through Plausible. No cookies, no fingerprinting, no cross-site identifiers.

Enquiries. Name, email address, an optional short description of your business, and any free-text note you sent. Submitted by you, voluntarily, by email.

Customers and operators. Account credentials, profile information, billing details (collected and stored by Stripe; we receive limited metadata such as last-four and country, not full card numbers), the operator data you create in the product, and the system logs needed to run the service (timestamps, request IDs, error traces).

3. Why we collect it, and on what legal basis.

Enquiries. Purpose: to reply to you when you write to us. Lawful basis: your consent (GDPR Art. 6(1)(a)). You can withdraw consent at any time without affecting prior processing.

Billing and account. Purpose: to provide the service you have signed up for and to meet our tax and accounting obligations. Lawful basis: performance of a contract (GDPR Art. 6(1)(b)) and legal obligation (GDPR Art. 6(1)(c)).

Analytics. Purpose: to understand which pages are read and which channels send traffic, so we can improve the site. Lawful basis: legitimate interests (GDPR Art. 6(1)(f)). Balancing test, in summary: we use a cookieless, IP-truncating analytics provider that does not identify visitors and does not enable cross-site profiling, the data is aggregate, you have a clear opt-out via your browser’s Do Not Track or content-blocker, and the impact on your privacy is minimal — we have concluded our interest in understanding site usage does not override your rights and freedoms. We will revisit this if circumstances change.

Security and abuse prevention. Purpose: to keep the service running and to investigate misuse. Lawful basis: legitimate interests (GDPR Art. 6(1)(f)).

4. How long we keep it.

Enquiry records: 24 months, or until you ask us to delete them, whichever is sooner.

Billing and tax records: 7 years, as required by tax and accounting law in the jurisdictions we operate in.

Operator and account data: for the life of the account plus 30 days, after which it is deleted from primary systems.

Backups: rolling 90 days. Deletion requests will purge primary systems immediately and backups will age out within that window.

5. Sub-processors.

We use a small set of vetted sub-processors to run the service. The current list, with each provider’s purpose, location, and transfer mechanism, lives at /legal/subprocessors.html. Plausible is named there as our analytics provider, alongside Stripe, Postmark, and Vercel. Customers receive 30 days’ email notice before any sub-processor change.

6. International transfers.

We operate from the United States and the European Union, and our sub-processors are located in the US, EU, and globally. Where personal data is transferred from the EEA or the UK to a country without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses and, where the receiving party is certified, the EU–US Data Privacy Framework and the UK Extension. Specifically: Stripe (US) and Postmark (US) are covered by SCCs and DPF; Vercel (global) is covered by SCCs and DPF for transfers to the US; Plausible (EU) requires no transfer mechanism for EU/UK personal data. We will update the sub-processor page if any of these change.

7. Your rights.

If you are in the EEA, the UK, or California, and in many other places, you have rights over your data. We honor them globally regardless of where you live:

  • Access — ask for a copy of what we hold about you.
  • Rectification — ask us to correct anything wrong.
  • Erasure — ask us to delete it.
  • Restriction — ask us to pause processing while a question is resolved.
  • Portability — ask for your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior processing.

Email bryan@perseidechocreations.com. We will respond within seven days.

8. Right to complain.

If you are in the EU or UK and you think we have mishandled your data, you have the right to lodge a complaint with your national supervisory authority. In the UK, that is the Information Commissioner’s Office (ico.org.uk). In the EU, it is the data protection authority of the member state where you live or work. We’d rather you wrote to us first — but the right is yours and we won’t obstruct it.

9. California residents.

This subsection applies if you are a California resident, under the California Consumer Privacy Act as amended by the California Privacy Rights Act, and the California Online Privacy Protection Act.

Notice at Collection. The categories of personal information we collect, per Cal. Civ. Code § 1798.100, are: identifiers (name, email), commercial information (billing records), internet or other electronic network activity information (aggregate analytics), and, for customers, the contents of operator data you submit to the product. We collect this directly from you. We use it for the purposes described in section 3 above. We retain it for the periods described in section 4.

We do not sell or share your personal information, as those terms are defined in the CCPA/CPRA, including for purposes of cross-context behavioral advertising. We have not done so in the preceding 12 months and we do not plan to.

Do Not Sell or Share My Personal Information. Because we do not sell or share personal information, there is nothing for you to opt out of. We are publishing this language anyway so you do not have to wonder. If this ever changes, we will publish a working opt-out link here and notify customers and contacts in advance.

Other CCPA/CPRA rights. You have the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information (we do not collect sensitive personal information for inferences), and the right not to be discriminated against for exercising these rights. To use any of them, email bryan@perseidechocreations.com. You may use an authorized agent; we will verify the agent and your identity before responding.

Shine the Light. California Civil Code § 1798.83 lets California residents request information about disclosures of personal information to third parties for direct marketing. We do not make such disclosures. To confirm in writing, email bryan@perseidechocreations.com.

10. Children.

Bristlecone is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has submitted information to us, write to bryan@perseidechocreations.com and we will delete it.

11. Cookies.

We do not set third-party cookies, advertising cookies, or tracking cookies. We may set first-party functional cookies (for example, session or preference cookies) where strictly necessary to operate the site or the product. None are used for advertising or cross-site profiling.

12. Model training.

We do not use your operator data to train Bristlecone’s models, and we contractually require the same of any model providers we route through. See /legal/subprocessors.html for the current list and the contractual terms that apply to each.

13. Changes to this policy.

If we change this policy in a way that affects how we treat your data, we will update the date at the top of the page and, for material changes, email customers and contacts in advance.

— Bristlecone. Last updated 2026 · 05 · 01.

Back

Back to Bristlecone.

Home