Heretics · Privacy Policy

What heretics collects, how it's used, and your rights.

Last updated: [DATE] · Entity: [LEGAL ENTITY]
Draft — pending legal review. This page is a working draft. It is not a substitute for legal advice and has not yet been reviewed by qualified counsel. Bracketed fields ([DATE], [LEGAL ENTITY]) must be completed. Any operations subject to GDPR, CCPA, or other privacy regulations require counsel's review before publication.
The short version

01 Who we are

This policy applies to heretics.io, work.heretics.io, and any sub-properties operated by [LEGAL ENTITY] ("heretics," "we," "us"). For questions about this policy or your data, contact nick@heretics.io.

It does not cover Markets InSecurity (marketsinsecurity.com), The Atlas (atlas.marketsinsecurity.com), or The Kumite (arena.marketsinsecurity.com), which publish their own privacy policy. It does not cover OpptyCon (app.netherops.com), which will publish its own privacy policy when the alpha launches publicly.

02 What we collect

Site visitors — when you browse heretics.io or work.heretics.io, we collect basic analytics via Google Analytics 4 (page views, referral source, approximate location at country level, device type, and a randomly assigned ID). We do not knowingly collect names, email addresses, phone numbers, or other personally identifying information from passive site visits.

Contacts — when you email nick@heretics.io or use a mailto link from any heretics page, you provide your name, email address, and whatever you write in the message. We keep it to respond and to maintain the conversation history.

Engagement clients — when you engage heretics for paid services, we collect what's required to deliver the engagement: your contact details, the names and roles of your team members, business context (revenue stage, market, organizational structure), and read access to relevant systems (CRM, analytics, board materials). The scope is defined in each SOW.

03 Cookies & similar technologies

We use Google Analytics, which sets cookies to measure traffic. The cookies are first-party (set by the site you're on) and they expire on Google's schedule (typically 14 months for ID cookies, shorter for session cookies). We do not use cross-site advertising trackers, retargeting pixels, or third-party social-media widgets that set their own cookies.

You can block Google Analytics with browser extensions or browser do-not-track settings, or by declining tracking cookies. The site will continue to work normally.

04 Why we use it

Analytics — to understand which content is read, where traffic comes from, and which pages need work. Decisions about the site, not about you personally.

Email contacts — to respond, to provide proposals, to coordinate engagements.

Engagement data — to deliver the engagement we were hired to deliver. Strictly limited to engagement purposes.

We do not use any of the above for advertising targeting, ad measurement, or data brokerage.

05 How it's shared

We share data only with the third-party service providers needed to operate the business:

  • Google (Analytics, Workspace) — analytics and email infrastructure
  • Netlify — site hosting
  • GitHub — engagement artifact storage
  • Notion — engagement working documents
  • Slack — engagement communication (Slack Connect channels)
  • Stripe or similar — payment processing (engagement invoices)

Each operates under its own privacy and security terms. We do not sell, rent, or trade personal data. We will share data when required by law (subpoena, court order, regulatory request) and will notify you where legally permitted.

06 Retention

Analytics data — retained per Google Analytics defaults (currently 14 months) unless you request earlier deletion.

Email correspondence — retained for as long as the conversation is relevant, then archived. You can request deletion at any time.

Engagement data — retained for 90 days after engagement close in an encrypted archive, then permanently deleted unless you've requested longer retention or the engagement Deliverables include the data. A deletion certificate is available on request.

07 Your rights

You have the right to: access the data we hold about you, request correction of inaccuracies, request deletion, request a portable copy, and object to certain processing. To exercise any right, email nick@heretics.io. We will respond within [30] days.

[GDPR/CCPA specifics — controller designation, EU representative, supervisory authority addresses, "Do Not Sell My Personal Information" mechanism if applicable — pending counsel review. If heretics receives traffic from the EU, UK, or California, additional disclosures and rights apply and must be reflected here.]

08 Children

The Site is not directed to children under [13/16, per jurisdiction], and we do not knowingly collect personal information from children. If we learn that we have, we will delete it.

09 Security

We use commercially reasonable measures to protect data — encrypted-in-transit communications, encrypted-at-rest storage with our service providers, 2FA on all accounts, principle-of-least-privilege access. No system is perfectly secure; we will notify affected parties of any breach within the timelines required by applicable law.

10 External links

The Site links to third-party websites. We do not control them and are not responsible for their privacy practices. Review their policies before sharing data.

11 Changes & contact

We may update this Privacy Policy; material changes will be reflected in the "last updated" date. Questions, requests, or notices: nick@heretics.io.