Privacy Policy

1. Introduction

AskEveryone ("AskEveryone," "we," "our," or "us") is an audience-feedback platform. Creators use AskEveryone to ask questions of their audiences, distribute those questions, collect responses, and receive AI-generated insights. Respondents use AskEveryone to answer questions posted by creators they follow or by our own platform-run "Community" spaces.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. It applies to both creators and respondents. Because the two groups interact with the Service in very different ways, much of this policy is organized by role.

By using AskEveryone you agree to the collection and use of information as described here. If you do not agree, please do not use the Service.

2. Who We Are

AskEveryone is a DBA operating the Service at askeveryone.io. For privacy questions, contact privacy@askeveryone.io. For legal notices, contact legal@askeveryone.io.

3. Information We Collect

3.1 Respondent Information

When you answer a question on AskEveryone, we may collect:

• Response content: The text you submit (typically 10 to 5,000 characters).
• Optional demographics: Age range, country, and region, only if you choose to provide them.
• Voice recordings: If you use voice responses, we collect the audio and a transcription. Transcription runs locally in your browser — your audio is not sent to a third-party transcription service. You must explicitly consent before a voice recording is used in any public audio output.
• Results-notification email (optional): If you opt in on the thank-you screen, we store your email so we can notify you when results are ready. This email is stored in a separate table with no link to your response. You can unsubscribe at any time using the token link in any email.
• Rate-limiting metadata: Your IP address and a Cloudflare Turnstile token are used at submission time to prevent spam and abuse. IP addresses are used in memory for rate limiting and are not stored alongside your response.

3.2 Creator Information

When you sign up as a creator (an "Asker") we collect:

• Account information: Email address, name, and profile picture from your chosen sign-in method (Google OAuth, Apple OAuth, or a WebAuthn passkey).
• Space configuration: The slug, name, branding, questions, settings, team members, and integration credentials you configure for your creator space ("Ask").
• Billing information: If you subscribe to a paid tier, Stripe collects and processes your payment details. We receive and store billing metadata (customer ID, subscription ID, plan, invoice history, last four digits of card, country) from Stripe. We never see or store your full card number.
• Creator content sources: If you connect your website, RSS feed, YouTube channel, or newsletter (Beehiiv or Kit), we fetch and store that content in order to summarize it and build a "creator context" that improves auto-generated questions. See Section 5.
• Imported responses: If you upload a CSV of existing responses (for example, from a prior survey or focus group), we ingest and store those responses in your space. You represent that you have the right to upload that data. See our Terms of Service.

3.3 Information Collected Automatically

• Session cookies: If you sign in, we set a session cookie to keep you authenticated. We also set a short-lived referral cookie (ae_ref, 30 days) on creator-facing pages when a ?ref= parameter is present, in order to credit referrals.
• Plausible Analytics: We use Plausible, a privacy-focused analytics service, to measure aggregate page views and referral sources. Plausible does not use cookies, does not collect personal data or IP addresses, and does not track you across sites.
• Server logs: Standard web server logs (timestamp, request path, user agent, approximate IP) are retained briefly for security and debugging, and are not joined to response content.

4. Response Anonymity

Responses on AskEveryone are designed to be anonymous to the creator who receives them. We do not store a link between a response and the respondent's account, IP address, or device. Each response is stored with a random identifier that cannot be traced back to a user.

4.1 What "anonymous" means here

• No sign-in is required to respond to most questions.
• We do not store your IP address or device fingerprint alongside your response. IPs are used only in memory for rate limiting, then discarded.
• Creators see response content, aggregate statistics, and AI syntheses — not a list of who answered.
• If a creator enables "returning audience" tracking and you opt in, a pseudonymous identifier lets that single creator see that the same person answered multiple questions over time. This identifier is scoped to one creator and cannot be used to link your responses across different creators. You can request removal of that link by contacting us.
• Because anonymous responses are not linked to you, we generally cannot find or delete a specific anonymous response on request — there is no key that connects it to your identity. This is intentional. If you need a response deleted, contact us and we will work with the creator to locate it by content.

4.2 Limits of anonymity

• Self-identification: If you include identifying details in your response text, you may be identifiable from that text alone.
• Writing style: Sophisticated stylometry could theoretically correlate a response with other public writing you have done. We do not perform this kind of analysis, but we cannot prevent third parties from attempting it.
• Voice characteristics: A voice recording may be recognizable by people who know you, even after audio manipulation.
• Small audiences: In very small audiences, combinations of optional demographics (e.g., age + country + region) could reduce the anonymity set. We apply k-anonymity thresholds before displaying demographic breakdowns publicly.

5. Creator Content Ingestion

To help creators generate better questions and produce richer insights, AskEveryone can ingest content the creator owns or has the right to use. This happens only for content sources the creator has connected, and only on their own space. Ingested content is stored on the creator's space and is used to build a summarized "creator context" that is fed into AI models when generating questions, syntheses, advice, or blog posts.

Content sources we support:

• Website and RSS: We crawl pages on a creator-provided URL and follow RSS feeds to fetch recent posts.
• YouTube: We use the YouTube Data API to fetch channel and video metadata, and yt-dlp to download publicly available video captions (transcripts) for a limited number of recent videos on a creator's linked channel. We also ingest comments on linked videos when the creator enables YouTube autopilot.
• Beehiiv / Kit: If a creator connects a Beehiiv or Kit newsletter, we use those platforms' APIs to fetch recent posts or broadcasts.

Raw content and its AI-generated summary are stored on the creator's space. Creators can disconnect a source at any time. If you are a third-party commenter whose public YouTube comment was ingested into a creator's AskEveryone space and you want it removed, contact privacy@askeveryone.io.

6. How We Use Information

• Operate the Service: Deliver questions, collect responses, generate AI syntheses, manage creator spaces, process billing, send transactional email.
• AI-assisted features: Generate syntheses, themes, advice, question suggestions, blog posts, social posts, and spam checks using AI models. See Section 7.
• Spam and abuse prevention: In-memory rate limiting, Cloudflare Turnstile, automated spam classification.
• Product improvement: Aggregate analytics, engagement metrics, and anonymized research to improve the Service.
• Communications: Transactional email (magic links, billing receipts, team invites, notifications), optional creator digests, optional respondent results notifications, and — only where you have opted in — marketing or product-update emails.
• Legal compliance: Comply with applicable laws, enforce our Terms, respond to legal process, and protect the rights and safety of users.

7. AI Processing

AskEveryone uses AI models to power core features. The providers we currently use are:

• Google Gemini (direct API): Question generation, RAG streaming, creator-context summarization, social-content generation, spam classification.
• Anthropic Claude (via OpenRouter): Long-form synthesis, creator advice, blog and podcast generation.
• OpenAI: Text-to-speech (audio output only).
• Hugging Face Transformers.js: Sentence embeddings. These run server-side inside our own infrastructure and are not sent to a third-party inference endpoint.

When we call a third-party AI provider, response content or creator content may be transmitted to that provider as part of a prompt. All calls go over encrypted connections.

Voice-to-text transcription is performed locally in your browser and is not sent to any third-party AI service.

8. How Responses Are Displayed

• To the creator: The creator of a question can see all responses to that question, along with AI-generated themes and summaries. Responses are shown without identifying information.
• To the public: Creators can publish a synthesis publicly on their results page (/{slug}/results). When they do, we show AI-generated themes, quotes, sentiment, and charts. Privacy-sensitive fields (full response text previews, raw demographics, "best example" responses) are stripped from public endpoints.
• On the AskEveryone blog: Some published syntheses are embedded in public blog posts as charts or dashboards. The same privacy stripping applies.
• Creators can disable public results at the space level or per-synthesis.

9. Sharing and Disclosure

We share information only as described below. We do not sell personal information.

9.1 Service providers (subprocessors)

• Google Cloud Platform — Compute Engine (application hosting, us-central1), Cloud SQL (PostgreSQL database), Cloud Storage (file storage), Cloud Build (deployment), Secret Manager.
• Google Gemini API — AI model calls (question generation, RAG, summarization, spam).
• OpenRouter — Routing layer for Anthropic Claude model calls (synthesis, advice, blog).
• Anthropic — Claude models accessed via OpenRouter.
• OpenAI — Text-to-speech only.
• Stripe — Payment processing for paid creator subscriptions.
• Resend — Transactional and marketing email delivery.
• Cloudflare Turnstile — Bot protection on response and subscription forms.
• Plausible Analytics — Privacy-focused, cookie-free website analytics.
• Google (OAuth) and Apple (OAuth) — Authentication providers used only if you choose them.
• YouTube Data API — Read-only access to YouTube channels, videos, and comments when a creator connects a YouTube channel.
• Beehiiv API / Kit API — Read-only access to a creator's newsletter content when they connect one of these integrations.

These providers are bound by contract or their standard terms to process data only on our instructions and to maintain appropriate security.

9.2 Aggregate and anonymized data

We may publish aggregate or anonymized insights (for example, "72% of respondents said…") that cannot be tied to an individual.

9.3 Legal requirements

We may disclose information if required by law, subpoena, court order, or legal process, or to protect the rights, property, or safety of AskEveryone, our users, or the public. For responses submitted anonymously, we have no technical ability to identify the submitter and therefore cannot comply with identification requests for those responses.

9.4 Business transfers

If AskEveryone is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the successor or acquirer, subject to this Privacy Policy.

10. Data Retention

We retain personal information for as long as it is needed to operate the Service. Because responses are siloed by creator and are not linked to respondent identities, we generally keep them indefinitely so that creators and the public can continue to see long-term audience insights.

• Creator accounts: Retained while your account is active. Upon deletion request, we remove your account and associated identifying information within 30 days, subject to billing and legal retention obligations.
• Responses: Retained indefinitely in aggregate. Individual responses are removed on request (see Section 11).
• Voice recordings: Retained until transcribed and, if used in audio output, until that output is removed. Otherwise removed on request.
• Creator content sources: Retained while the source is connected. Deleted when you disconnect the source or delete your space.
• Billing records: Retained as required by tax and accounting rules (typically 7 years).
• Email subscriber data: Retained until you unsubscribe, plus a short suppression period to honor the unsubscribe.
• Server logs: Retained briefly for security and debugging.

11. Your Rights and Choices

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. We honor these rights for all users regardless of location.

11.1 Access, correction, and export

Contact privacy@askeveryone.io to request a copy of the personal information we hold about you, or to correct inaccurate information. Creators can update most account information directly in their settings.

11.2 Deletion

You can request deletion of your account and associated data at any time by emailing privacy@askeveryone.io. We will delete or anonymize your account and identifying information within 30 days, subject to legal and billing retention requirements.

11.3 Email preferences

Every marketing or notification email includes an unsubscribe link. Respondents who opted in for results notifications can unsubscribe using the token link in any email without needing an account. Transactional emails (billing, security, team invites) cannot be unsubscribed while your account is active.

11.4 "Do not sell or share" (California)

We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

11.5 Voice recordings

Voice recording is optional. You can always submit text instead.

12. Security

• HTTPS/TLS for all traffic between you and AskEveryone.
• Encryption at rest for database and object storage.
• OAuth, passkey (WebAuthn), and database-backed session authentication — we never store passwords.
• Secrets managed in Google Cloud Secret Manager.
• Role-based access for team members on creator spaces.
• Limited, audited employee access to production systems.

No online system is perfectly secure. We cannot guarantee absolute security, but we work to meet current industry standards.

13. State Privacy Rights (US)

Residents of California, Virginia, Colorado, Connecticut, Utah, and other US states with comprehensive privacy laws have rights to access, correct, delete, and port their personal information, to opt out of sale or sharing (we do neither), and to limit the use of sensitive personal information. To exercise these rights, contact privacy@askeveryone.io. We will respond within the time required by applicable law (typically 45 days).

Under California's "Shine the Light" law, California residents can request information about how we share personal information with third parties for their direct marketing purposes. We do not share personal information with third parties for their own direct marketing.

14. EEA / UK Residents (GDPR)

If you are in the European Economic Area or the United Kingdom, you have additional rights under the GDPR and UK GDPR, including the rights of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.

Our legal bases for processing are:

• Contract: To provide the Service you requested (authentication, responses, creator spaces, billing).
• Legitimate interests: Spam prevention, security, analytics, and service improvement, balanced against your rights.
• Consent: Voice recordings, optional email subscriptions, and optional demographics.
• Legal obligation: Tax, accounting, and other legal requirements.

Your data may be transferred to the United States and processed by our service providers there, using Standard Contractual Clauses or other approved safeguards. Contact privacy@askeveryone.io to exercise any GDPR right.

15. Children's Privacy

The minimum age to use AskEveryone depends on where you live:

• United States: 13 years old.
• European Union / EEA: 16 years old, or your country's age of digital consent (13–16).
• United Kingdom: 13 years old.
• Elsewhere: The minimum age for digital services in your country, or 13, whichever is higher.

We do not knowingly collect personal information from anyone below these ages. If you believe a child has provided information, contact privacy@askeveryone.io and we will delete it.

16. Cookies

• Session cookie: Maintains your sign-in state if you sign in.
• Referral cookie (ae_ref): 30-day HttpOnly cookie set on creator-facing pages only when a ?ref= parameter is present, used to credit referrals.
• Plausible Analytics: Does not use cookies.
• Cloudflare Turnstile: May set short-lived challenge tokens to verify you are not a bot.

17. Google OAuth Disclosure

AskEveryone's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes we request from Google:

• Email address and basic profile (for sign-in only).
• YouTube Data API read-only access (only if a creator chooses to connect a YouTube channel).

We do not use this information for any purpose other than the feature the creator enabled, and we do not transfer it to third parties except as required to provide that feature.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last Updated" date at the top, and for material changes we will provide additional notice (for example, an in-product banner or email). Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

19. Contact