Privacy Policy
Last updated: April 26, 2026
1. Who We Are
IdeaSpark is operated by Nextera Consulting LLC, based in Chicago, Illinois, United States. We are the data controller for personal information collected through IdeaSpark. For all privacy matters, contact us at ideaspark@nexteraconsult.com.
2. Information We Collect
Account data: Your email address, password (stored as a one-way hash by Supabase — we never see your plaintext password), and any display name or profile information you choose to provide.
Content data: The startup idea descriptions you submit ("prompts") and the AI-generated blueprints we create for you. This content is stored in our database and associated with your account.
Usage data: How many blueprint generations you have made in the current billing period, timestamps of generations, and which blueprint sections you regenerate.
Billing data: Your subscription status, plan type, billing period dates, and Stripe customer ID. We do not store full payment card numbers — card data is handled directly by Stripe.
Technical data: IP address, browser type, operating system, referring URL, and pages visited, collected via PostHog (see Section 5). Log data including error reports containing stack traces and session context, collected via Sentry.
Communications: Emails you send to our support address, including their content.
3. How We Use Your Information
- Providing the service: Authenticating you, storing and displaying your blueprints, processing payments, and enforcing plan generation limits.
- AI generation: Your submitted idea descriptions are transmitted to our AI generation pipeline to produce blueprint content (see Section 6).
- Service communications: Transactional and lifecycle emails including account verification, password reset, billing receipts, welcome messages, usage threshold notifications, and re-engagement messages when you have not used the service for an extended period. These are service communications, not marketing. We do not send promotional or marketing emails without your affirmative opt-in consent.
- Product improvement: Aggregated and anonymized usage analytics to understand how features are used and where the service can be improved.
- Security: Detecting and preventing fraud, abuse, and unauthorized access.
- Legal compliance: Maintaining records as required by law, responding to lawful requests from authorities.
4. Legal Basis for Processing (EU/UK Users)
If you are located in the European Union or United Kingdom, we process your personal data under the following legal bases:
- Contract: Processing necessary to provide the service you signed up for (authentication, generating blueprints, billing).
- Legitimate interests: Security monitoring, fraud prevention, product analytics (PostHog, Sentry), and service communications.
- Legal obligation: Record-keeping required by applicable law, tax authorities, or regulatory requirements.
- Consent: Analytics cookies (PostHog), where consent is collected via our cookie consent banner. You may withdraw consent at any time.
5. Third-Party Service Providers
We use the following sub-processors to operate IdeaSpark. Each receives only the data necessary for their function and is contractually bound to protect it:
Supabase (Supabase Inc.) — Database, authentication, and file storage. Your account data, blueprints, and usage records are stored in Supabase. Data may be stored in US and EU regions.
Stripe (Stripe, Inc.) — Payment processing and subscription management. Stripe handles all card data; we receive only tokenized payment identifiers and subscription metadata.
Vercel (Vercel Inc.) — Application hosting and serverless functions. Processes request data (IP address, headers) to serve the application. Data may be processed globally across Vercel's edge network.
PostHog (PostHog Inc.) — Product analytics. Collects event data (page views, feature interactions, session data) to help us understand how users engage with IdeaSpark. Data is sent to PostHog's US servers. Analytics tracking activates only after you accept cookies via our consent banner.
Sentry (Functional Software, Inc.) — Error monitoring. Captures error reports and stack traces when software errors occur, which may include session context such as your user ID and the page you were viewing at the time of an error.
hCaptcha (Intuition Machines, Inc.) — Bot protection on our login form. hCaptcha processes behavioral signals from your browser interaction to determine whether you are human. This may include mouse movement, interaction timing, and browser fingerprint data.
Upstash (Upstash, Inc.) — Redis-based rate limiting. Stores anonymized counters (keyed on user ID) to enforce generation rate limits. No content data is stored by Upstash.
Google LLC — Optional OAuth authentication provider. If you choose "Sign in with Google," your request is processed through Google's OAuth infrastructure. Google receives your identity information (email address, name, profile picture) to authenticate you and return a token to IdeaSpark. Google's data handling is governed by their terms.
Resend (Resend Inc.) — Transactional email delivery. We use Resend to send service-related emails (welcome, usage notifications, and similar service communications). Your email address is transmitted to Resend's infrastructure to deliver these messages.
n8n (self-hosted) — Our AI generation pipeline runs on a self-hosted n8n instance operated on private infrastructure controlled by Nextera Consulting. Your submitted idea text passes through this pipeline to reach AI providers. No data is stored by n8n beyond ephemeral processing required to complete the generation. No data leaves our infrastructure to any n8n-controlled service.
6. AI Generation and Third-Party AI Providers
How generation works: When you submit an idea for blueprint generation, the text of your idea is transmitted through our backend automation pipeline (n8n, self-hosted) to third-party AI language model providers to generate your blueprint.
AI providers used: We currently route AI generation through OpenRouter (OpenRouter Inc.) and may use underlying models from providers including OpenAI (OpenAI, L.L.C.), xAI, Anthropic, and others, depending on configuration. Your idea text is processed by these providers to produce output and is subject to their data handling policies. OpenRouter's API terms generally prohibit use of your data for model training without consent; however, you should review their terms at openrouter.ai/privacy.
What we do: We do not use your submitted ideas or generated blueprints to train our own AI models. We do not sell your content to AI providers.
Recommendation: Do not submit sensitive personal information, trade secrets, confidential business information, or anything you would not want transmitted to a third-party AI provider as part of your idea descriptions.
7. Cookies and Tracking
We use the following types of cookies and similar tracking technologies:
Strictly necessary cookies: Session cookies set by Supabase to maintain your logged-in state. These are required for the service to function and cannot be disabled. They do not track you across other websites.
Analytics cookies (consent required): PostHog sets cookies to track product usage events across sessions. These activate only after you accept cookies via our consent banner. You can withdraw consent at any time by clearing cookies or using our cookie preference controls.
Security cookies: hCaptcha may set temporary cookies as part of bot-detection processing on the login form. These are not used for tracking or advertising.
We do not use advertising cookies, third-party ad networks, or sell cookie-based data to any party.
8. Data Retention
- Account and content data: Retained for as long as your account is active. When you delete your account, your email, ideas, blueprints, and profile data are permanently deleted within 30 days.
- Billing records: Stripe transaction records are retained for up to 7 years as required by applicable financial and tax regulations.
- Error logs (Sentry): Retained for up to 90 days.
- Analytics data (PostHog): Retained per PostHog's standard retention policy (typically 12 months for event data).
- Audit logs: Internal security and audit logs retained for up to 12 months.
9. International Data Transfers
IdeaSpark is operated from the United States. If you are located in the European Union, United Kingdom, or another jurisdiction with data transfer restrictions, be aware that your data may be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home country.
For transfers from the EU/UK to the US, we rely on Standard Contractual Clauses (SCCs) where applicable (for example, through Supabase and Stripe's DPA agreements). By using IdeaSpark, you consent to such transfers as necessary to provide the service.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you. You can export your data via Settings → Export My Data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): Request deletion of your data. You can delete your account via Settings → Delete Account.
- Portability: Receive your data in a machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent (e.g., analytics cookies), you may withdraw at any time without affecting prior processing.
To exercise any of these rights, email ideaspark@nexteraconsult.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
11. California Residents (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell your personal information to third parties, and we do not share personal information for cross-context behavioral advertising. No opt-out is required, but if our practices change, we will provide notice and the means to opt out.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a request, email ideaspark@nexteraconsult.com with "CCPA Request" in the subject line. We will verify your identity and respond within 45 days.
12. Data Security
We use industry-standard security measures including: TLS/HTTPS for all data in transit; row-level security (RLS) enforced at the database level so each user can only access their own data; bcrypt-hashed passwords (via Supabase Auth); and access controls limiting who within Nextera Consulting can access production data.
No method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that affects your rights or freedoms, we will notify affected users and relevant authorities as required by applicable law (including within 72 hours under GDPR where applicable).
13. Children's Privacy
IdeaSpark is intended for users 18 years and older. We do not knowingly collect personal information from anyone under 18. If we become aware that a minor has provided us with personal information, we will delete it promptly. If you believe a minor's information has been collected, contact us at ideaspark@nexteraconsult.com.
14. Links to Other Sites
IdeaSpark may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. For material changes, we will notify you by email where practicable. Your continued use of IdeaSpark after changes are posted constitutes acceptance of the updated policy.
16. Contact
For all privacy questions, data requests, or concerns, contact us at ideaspark@nexteraconsult.com. Please include "Privacy" in the subject line.
Nextera Consulting LLC · Chicago, Illinois · United States