FireHose is a paid subscription product. We earn revenue from subscriptions and only from subscriptions. We do not sell advertising. We do not license user data. We do not train third-party AI models on what you read. This page describes the data we collect, why we collect it, where it lives, and how to get it back or delete it.
Data we collect
The minimum required to run the service: your email address (account, sign-in, dispatch delivery); the briefs, sources, highlights, notes, and hide/save signals you create (to rank and display your reading); server logs containing truncated IP, user-agent, and request path (security and abuse prevention); and billing metadata returned by Stripe. We do not see or store full card numbers. We do not request your phone number, location, or contacts.
Purpose of collection
We use this data to (a) authenticate you, (b) deliver the daily dispatch, (c) rank items against the briefs you wrote, (d) maintain availability and prevent abuse, and (e) handle billing. We do not use it for advertising, profiling, or sale to third parties.
Legal basis (GDPR)
For account, dispatch, and ranking data: performance of the subscription contract (Art 6(1)(b)). For security logs and abuse prevention: legitimate interests (Art 6(1)(f)). For optional features such as the editorial-judgment corpus: explicit consent (Art 6(1)(a)), which you can revoke at any time in Settings.
Data sharing
We do not sell or rent personal data. We share data only with sub-processors required to operate the service: Neon (database hosting), Cloudflare R2 (encrypted source-content cache), OpenAI (LLM processing — your saved content is sent to generate summaries, rankings, and embeddings; OpenAI does not use API data to train its models), Stripe (billing), and Postmark (email delivery). A current sub-processor list with roles is available on request. We disclose data to law enforcement only under a valid legal order and, where lawful, will notify the affected user.
Data retention
Active account data is retained while the account exists. Server logs are retained 30 days. On account deletion, primary data is purged within 7 days; encrypted backups age out within 30 days, after which deletion is complete. Billing records required by tax and financial regulations are retained for the statutory period (typically 7 years).
International transfers
Primary data resides in the United States (Neon, US-East). Cloudflare R2 and Postmark may process data in additional regions. For transfers out of the EEA, UK, or Switzerland we rely on the European Commission Standard Contractual Clauses with our sub-processors. EU/UK residents may request a copy of the relevant transfer safeguards.
Your rights
Under GDPR (Art 15–21), UK GDPR, and CCPA, you have the right to access, rectify, port, delete, restrict, and object to processing of your personal data, and to withdraw consent where processing relies on it. Export everything you have given us in Markdown or JSON from Settings → Export. Delete your account from the same screen. Requests to [email protected] are answered by a person within 30 days. You may also lodge a complaint with your local data protection authority.
Cookies & tracking
The marketing site uses no third-party trackers, no advertising pixels, and no session-replay tools. The reader uses a single first-party session cookie to keep you signed in and a first-party preference cookie for theme. We do not fingerprint devices. Aggregate usage is measured with privacy-respecting first-party logs only.
Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is limited, logged, and reviewed. SOC 2 Type I attestation is in progress, target Q4 2026; SOC 2 Type II will follow. We will publish material findings of any security incident to affected users without undue delay, and in line with applicable breach-notification laws.
Children
FireHose is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided data to us, write to [email protected] and we will delete it.
Changes to this policy
We will notify subscribers of material changes by email at least 30 days before they take effect. Material changes include any broadening of what we collect, retain, share, or how we process it. The effective date below is updated whenever the policy changes.
Contact
Data protection enquiries, GDPR / UK GDPR / CCPA requests, and complaints: [email protected] (acting Data Protection Officer). A human writes back. Effective date: 21 May 2026.
— the editorial team, 21 May 2026