Privacy Policy
Last updated: April 2026
TL;DR
We collect the minimum needed to run the service: your email (if you subscribe), a SHA-256 hash of your IP (for rate-limiting — we never store raw IPs), and your extraction history. We use cookieless page-view analytics (Umami) and a Google Ads conversion tag to measure the effectiveness of advertising we run. Payments go through Stripe, emails through Resend. We don't sell anything to advertisers.
Data we collect
- Email address — only if you subscribe to Pro or pay for a one-off. Collected at Stripe Checkout and used to tie your account to your extractions and to send download/login links.
- Hashed IP address — SHA-256 hashed with a server-side salt, used for rate-limiting free users (3 extractions/day). We cannot reverse the hash to recover your IP.
- Extraction history — the URLs you extract, so we can show them in your dashboard, on the leaderboard, and so you can re-download past exports.
- Stripe customer ID + subscription ID — stored only to manage billing and cancellations.
- Session cookie — strictly-necessary functional cookie (a signed JWT) that keeps you signed in. No tracking or analytics cookies.
What we don't collect
- Your raw IP address (only the hash is stored)
- Names, addresses, phone numbers, payment card details (Stripe handles payment; we never see card data)
- Analytics/marketing trackers, pixel tags, third-party cookies
- Data about who referred you, what else you browse, etc.
Who processes your data
We use a small set of sub-processors to run the service:
- Vercel — hosting the frontend and API routes
- Railway — hosting the extraction worker
- Neon — managed Postgres database
- Vercel Blob — storing the generated download zips
- Stripe — payment processing (see Stripe's own privacy policy)
- Resend — transactional email delivery (magic-link login, download links)
- Umami — cookieless, privacy-respecting page-view analytics (no personal data, no cross-site tracking)
- Google Ads (gtag.js) — conversion tracking so we can measure whether paid advertising works. Sets the _gcl_au cookie when you arrive from a Google ad. Data retention governed by Google's policies. You can opt out of Google personalised ads at adssettings.google.com.
How long we keep it
- Rate-limit hashes: rolling 24 hours then discarded
- Auth magic-link tokens: 15 minutes, then unused
- Extraction zips in Blob: 7 days for Pro downloads, 24 hours for free downloads
- Account data: for as long as your account exists. Delete at any time — see below.
Your rights (UK GDPR)
You have the right to access, correct, export, or delete your data. Email us at joe@primeeight.co.uk or use the contact form — we'll action the request within 30 days (usually within a day or two). If you're unhappy with how we've handled your data, you can also complain to the UK's Information Commissioner's Office at ico.org.uk.
Cookies
First-party (strictly necessary):
copycats_session — signed token that keeps you signed in. Required for login to work.
Third-party (advertising measurement):
_gcl_au (and related) — set by Google Ads only if you arrive on Copycats from a Google ad. Used to link ad clicks to sign-ups/purchases so we know which ads are working. Opt out at adssettings.google.com or block it in your browser.
We use cookieless Umami for page-view stats — it sets no cookies and collects no personal data.
Transfers outside the UK
Some of our sub-processors are based in or process data in the US (Vercel, Stripe, Resend). They're covered by appropriate safeguards (Standard Contractual Clauses and/or Data Privacy Framework certification where applicable).
Changes to this policy
If we materially change how we handle data, we'll update this page and, for existing users, email you to let you know.
Contact
Data-protection queries: joe@primeeight.co.uk or contact form.