Privacy Policy
This Privacy Policy describes how Noah Ratzan Consulting, LLC (“I,” “me,” or “my”), a Connecticut limited liability company, collects, uses, and protects personal information when you use noahratzan.com, submit an application, attend a consultation, or book a session. I am the data controller for the processing described below.
Contact for privacy matters: noah@noahratzan.com.
1. Information I Collect
I collect the following categories of personal information:
- Application / lead data — name, email, a short description of your project and goals, technical context (languages, frameworks, prior AI-tool experience), how you heard about me, and any fields you voluntarily fill in on the application form. Collected when you submit an application through the site.
- Account and profile data — if you are promoted to customer status, a password-protected account is created; stored fields include a display name, email, time zone, and optional profile photo.
- Customer session data — goals you record in your customer dashboard, pre-session prep notes, tech stack declarations, and session journal entries (post-session reflections). These are collected and stored only for active customers.
- Booking data — session date, time, duration, product type (e.g. “Build 60”), and any notes you submit during booking.
- Payment data — processed by Stripe at the time of booking. I do not receive or store your full card number; Stripe provides a tokenized reference, charge ID, amount, and status. I retain those metadata records for tax, accounting, and refund purposes.
- Session recording media — the standard recording posture is audio recorded continuously plus selective, time-stamped screenshots taken by me at meaningful moments and correlated to the audio timeline, plus transcript text if one is generated. I do not use continuous video or screen-share recording by default; in specific circumstances (e.g., a session you host on your own platform that auto-records, or where we agree in advance on an alternate medium) the recording medium may differ (see Terms §15). I crop and redact each screenshot before saving it, to minimize incidental personally identifying information; selective screenshots may nonetheless incidentally include your video tile or content you have voluntarily shared on screen. Recordings are stored in Google Workspace (Google Drive). Collection, retention, your image rights, and your rights relating to recordings are governed by Terms §15 (Session Recording) and summarized below in §5 (Data Retention).
- Analytics events — a first-party log of product-use events (e.g. application submitted, session booked, recording viewed) keyed to your account or, for anonymous visitors, to a pseudonymous session identifier. I mirror a subset of these events to PostHog (see §4). IP addresses are truncated before storage and are not retained in full.
- Email engagement data — delivery, open, and click events, logged via Google Apps Script, for the lifecycle emails I send you (booking confirmations, prep reminders, receipts, optional re-engagement emails). Used to diagnose delivery problems and to honor unsubscribe requests.
- Testimonial data — if you choose to submit a testimonial, I collect your quote, an attribution (name and optional affiliation, at your preference), and the publishing scope you consent to (private, homepage, social media, case study). Nothing is published without your explicit, written consent.
- Anti-abuse data — IP address (truncated before storage), user-agent string, and hCaptcha challenge results on application submission and other high-risk endpoints, used only for rate limiting and bot mitigation.
- Audit log data — when I (as administrator) access your account, approve an application, view a recording, or edit your data, a timestamped audit entry is written. Retained for up to seven (7) years for compliance and dispute-resolution purposes.
2. How I Use Your Information
I use your information for the following purposes:
- Deliver the service — reviewing your application, scheduling a free consultation, operating the booking flow, conducting paid sessions, processing payments, issuing refunds, and sending necessary transactional emails.
- Assess fit — reviewing applications to decide whether to invite you to a consultation and subsequently promote you to customer status.
- Improve the service — reviewing anonymized or pseudonymized analytics events to understand funnel performance, identify friction, and prioritize improvements.
- Security and anti-abuse — rate limiting, fraud detection, and audit logging.
- Communications — sending transactional emails (booking confirmation, receipts, prep, cancellations), which you cannot opt out of while you have an active booking, and, with your opt-in, periodic re-engagement emails (no more than three per year, with a clear unsubscribe link in every message).
- Legal and accounting — retaining payment and invoice records to comply with tax, accounting, and dispute obligations.
I do not sell your personal information. I do not use your data to train AI models. I do not share your data with advertising networks.
3. Legal Bases for Processing (EU / UK / EEA)
If you are in the EU, UK, EEA, or Switzerland, I process your personal information on one of the following lawful bases under the GDPR / UK GDPR:
- Performance of a contract (Art. 6(1)(b)): operating the booking flow, delivering paid sessions, and processing payments you have authorized.
- Legitimate interests (Art. 6(1)(f)): reviewing applications to assess fit, running first-party analytics to improve the service, operating rate limits and audit logs for security, and writing anonymized funnel summaries for internal business analysis. I have assessed these interests against your rights and freedoms and consider them appropriate given the small scale of processing, the minimization measures applied (IP truncation, short retention), and your ability to object.
- Consent (Art. 6(1)(a)): session recording (by booking, you consent under Terms §15; you may withdraw consent and request deletion), testimonials, optional re-engagement emails, and any optional cookies.
- Legal obligation (Art. 6(1)(c)): retaining payment and invoice records for the periods required by Connecticut tax and accounting law.
You may withdraw consent at any time by emailing noah@noahratzan.com. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
4. Sharing and Third-Party Processors
I rely on the following third-party processors, each subject to its own privacy policy. I have a data processing agreement (DPA) or the provider's equivalent in place where required by law.
- Stripe, Inc. (United States) — payment processing and invoicing. Receives name, email, billing address, and card details directly. stripe.com/privacy
- Google LLC (United States) — Google Calendar (scheduling), Google Meet (video call hosting and optional recording), Google Drive (recording storage), Google Workspace (my business email), and Google Apps Script (lifecycle email delivery). policies.google.com/privacy
- PostHog, Inc. (United States / EU) — product analytics. Events are mirrored with truncated IP and no third-party cookies; cross-site tracking is disabled. posthog.com/privacy
- Vercel Inc. (United States) — website hosting and edge infrastructure. vercel.com/legal/privacy-policy
- Supabase, Inc. (United States) — database for site content, user accounts, and analytics events. supabase.com/privacy
- Cloudflare, Inc. (United States) — DNS and edge network layer, and Turnstile bot mitigation on the application and booking endpoints. cloudflare.com/privacypolicy
I do not share your personal data with third parties other than these processors, except (a) with your explicit consent (e.g. a published testimonial), (b) if required by law, court order, or regulator, or (c) in the unlikely event of a business transfer, in which case you would be notified in advance.
5. Data Retention
Retention periods vary by data category:
- Declined or dormant applications — up to twelve (12) months from the last status change, then automatically scrubbed: personally identifying fields (name, email, free-text notes) are removed; an anonymized summary is retained for funnel analytics.
- Active customer profile, goals, journal, tech stack — retained while your account is active. On account closure, retained up to twelve (12) months for dispute resolution and reactivation, then deleted or anonymized.
- Session recordings — default twelve (12) months from the session date, then soft-deleted and purged on the next scheduled cleanup cycle. You may request earlier deletion or an extension at any time. See Terms §15.
- Booking and payment records — retained for seven (7) years as required by Connecticut tax and accounting law. Deletion requests for these records may be refused on legal-obligation grounds.
- Analytics events — up to twenty-four (24) months, then aggregated to non-personal summaries and the per-event rows deleted.
- Email engagement data — up to eighteen (18) months from last send.
- Testimonials — retained while displayed publicly. You may withdraw consent to publication at any time, at which point the testimonial is removed from public surfaces; internal archival copies may be retained for up to three (3) years to preserve a record of the consent withdrawal.
- Audit log — up to seven (7) years.
- Anti-abuse data — up to ninety (90) days.
6. Your Rights
Depending on where you live, you have some or all of the following rights regarding your personal data:
- Access — request a copy of the personal data I hold about you.
- Correction / rectification — request correction of inaccurate data.
- Deletion / erasure — request deletion of data that is not required to be retained on legal or contractual grounds.
- Portability — request a copy of certain data in a machine-readable format.
- Restriction — request that I pause processing while a concern is resolved.
- Objection — object to processing based on legitimate interests (I will honor the objection unless I have a compelling overriding basis).
- Withdraw consent — withdraw consent for recording retention, testimonials, or marketing emails at any time.
- Recording-specific rights — request a copy, earlier deletion, or extended retention of any session recording associated with your account (see Terms §15).
- Do-not-sell / do-not-share (CCPA) — I do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of, but you may submit a confirmatory request.
- Non-discrimination — I will not discriminate against you for exercising any right under applicable privacy law.
To exercise any right, email noah@noahratzan.com. I will acknowledge within 7 days and respond substantively within 30 days (or as required by applicable law). I may need to verify your identity before fulfilling certain requests.
If you are in the EU, UK, or EEA, you also have the right to lodge a complaint with your national data protection authority; you are encouraged to contact me first so I can address your concern directly.
7. International Data Transfers
Noah Ratzan Consulting, LLC is based in the United States, and several of my processors (Stripe, Google (including Apps Script / GmailApp), Vercel, Supabase, Cloudflare) are also based in the United States. If you are located in the EU, UK, EEA, or another jurisdiction with data-transfer restrictions, your personal data may be transferred to and processed in the United States. Where required, such transfers are made under the Standard Contractual Clauses (SCCs) adopted by the European Commission (and the UK equivalent) or under another lawful transfer mechanism made available by the processor.
8. Cookies and Similar Technologies
I use only strictly necessary cookies (session management, CSRF tokens, preference flags) and, on pages where analytics are loaded, first-party cookies for PostHog with third-party-cookie and cross-site-tracking features disabled. I do not use advertising cookies. Because I rely only on strictly necessary cookies and first-party analytics configured for minimization, no cookie consent banner is shown; this approach is consistent with current guidance for non-advertising small sites. If you prefer, you can disable cookies in your browser; some features may not work without them.
9. Security
I use industry-standard security practices: HTTPS everywhere, encrypted database connections, encrypted OAuth tokens, scoped admin access with two-factor authentication, rate limiting on high-risk endpoints, and audit logging of administrative actions. No system is perfectly secure; I cannot guarantee absolute security but I take reasonable precautions. In the event of a security incident that affects your personal data, I will notify you and, where required, the applicable regulator, within the timeframes required by law.
10. Children's Privacy
My services are directed to adult professionals, researchers, and practitioners. I do not knowingly collect personal information from individuals under the age of 16. If you believe a minor has submitted data, please email noah@noahratzan.com and I will delete it promptly.
11. Governing Law
This Privacy Policy is governed by the laws of the State of Connecticut, USA. For any questions or concerns about this policy, contact noah@noahratzan.com.
12. Changes to This Policy
I may update this policy as services evolve. Changes take effect when posted at this URL. The “Last updated” date below reflects the most recent revision. Material changes will be announced by email to active customers at least 14 days before they take effect.
Last updated: April 28, 2026