Skip to main content

Privacy Policy

Last Updated: May 5, 2026

The Art of CTO ("we," "us," or "our") operates the website theartofcto.com, associated mobile applications, and related services (collectively, the "Platform"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Platform. Please read this policy carefully. By using the Platform, you consent to the practices described herein.

1. Information We Collect

Information You Provide

We collect information you voluntarily provide when you:

  • Create an account (name, email address, profile picture via Auth0)
  • Subscribe to our newsletter (email address, optional first name)
  • Submit a contact form or CTO Office inquiry (name, email, message, optional file uploads up to 50 MB per file including PDF, Word, Excel, images, and text files)
  • Subscribe to a paid plan (billing handled by Stripe; we do not store payment card details)
  • Set preferences (topics of interest, email frequency, theme, notification settings)
  • Complete onboarding (role, interests, experience level)
  • Interact with our AI Assistant (conversation content)
  • Use the Command Center (services, teams, infrastructure entities, relationships, assessments, incidents, cost data, SLOs, tech debt items, activity logs)
  • Use Foundry (business plans, lean canvases, strategic planning data; AI learns your communication style, risk tolerance, expertise areas, and decision-making patterns)
  • Use SplitCause (causal graphs, hypotheses, evidence, snapshots, share links)
  • Use the 1:1 Assistant (team member information, meeting notes including shared and private notes, mood ratings, action items, AI-suggested topics)
  • Use the SEO Command Center (search keywords, target domains, location preferences for SERP ranking and LLM visibility tracking)
  • Bookmark content (saved content with optional user notes and tags)
  • Participate in learning paths (progress, completed items, completion certificates)
  • Join the referral program (referral codes, referred email addresses)
  • Register for push notifications (web push endpoint and keys; or native FCM (Android) / APNS (iOS) tokens with device label and platform)

Information Collected Automatically

When you visit the website, we may automatically collect:

  • IP address (stored temporarily; automatically deleted after 30 days)
  • Browser type and version, operating system, device type
  • Pages visited, time spent on pages, referral URLs
  • Click and scroll interactions, search queries entered on the Platform
  • Country and region (derived from IP address via Cloudflare headers)
  • Error and performance data (page load times, JavaScript errors)
  • Reading progress (scroll position, reading time, completion percentage per article)
  • Recently viewed content (last 50 items per user, including content type, title, view count, and timestamps)
  • Activity data for streaks, badges, and challenges (consecutive days active, tool usage counts, reading counts)

2. Mobile Application

If you use our mobile application, we collect additional information specific to mobile devices:

  • Device platform, model, and operating system version
  • Unique device identifiers
  • Push notification tokens (native FCM on Android, APNS on iOS, delivered via Firebase Cloud Messaging)
  • Crash data and performance metrics
  • Session replay data (sampled at 10% of sessions for quality improvement)
  • Full session replay on errors (100% of error sessions, including screenshots at time of error)

Mobile session replay and error data are processed by Sentry (see Section 3). Session replays capture user interactions for debugging purposes and may include screenshots of the app at the time of an error.

3. Third-Party Services

We use the following third-party service providers to operate and improve the Platform. Each provider processes data on our behalf under contractual obligations to protect your information.

ProviderPurposeData Processed
CloudflareHosting (Workers via OpenNext.js), CDN, security, DNS, KV storage, R2 object storage, D1 database, AI Gateway, Zaraz (consent-gated script loading)IP addresses, request metadata, stored content and files. Zaraz manages loading of analytics and marketing scripts based on your consent preferences.
NeonPostgreSQL database hostingAll user-created content and account data
Auth0 (Okta)Authentication and identity managementEmail, name, profile information, credentials
StripePayment processing (PCI DSS Level 1)Payment card details, billing address (not stored on our servers)
BrevoEmail marketing and transactional emailEmail address, name, topic preferences, email engagement metrics
SentryError tracking, performance monitoring, session replay (mobile)Error details, stack traces, performance metrics, PII (user agent, IP), mobile session replays and screenshots
Google Analytics 4Website analytics (via Cloudflare Zaraz, consent-gated)Page views, events, session data, engagement metrics
Google Ads / AdSenseAdvertising and conversion tracking (consent-gated)Conversion events, advertising cookies
Microsoft ClarityBehavioral analytics, heatmaps, session replay (consent-gated)Click/scroll behavior, session recordings, device info
PostHogProduct analytics, funnels, retention, session replay (consent-gated)Page views, custom events (signup, tool usage, pricing interactions), session recordings with all input fields masked, device info, anonymous client identifier promoted to your user ID after sign-in. Hosted on PostHog Cloud (US region, us.i.posthog.com).
Microsoft AdvertisingAdvertising conversion tracking (consent-gated)Conversion events, advertising cookies
OpenAIAI features (via Cloudflare AI Gateway)AI Assistant conversation inputs, Foundry AI and 1:1 AI suggestion prompts, content generation prompts for articles and daily sync briefings. Routed through Cloudflare AI Gateway to OpenAI (GPT-4o and successor models). OpenAI does not use API inputs for model training.
ElevenLabsText-to-dialogue audio generation for daily syncArticle text for audio synthesis. No user data is sent to ElevenLabs.
Cloudflare TurnstileCAPTCHA / bot protection on inquiry formsBrowser interaction data for bot detection
SlackInternal admin notifications onlySystem alerts (worker failures, billing events). No user data is shared with Slack users.
Firebase Cloud Messaging (Google)Mobile and web push notification deliveryPush notification tokens (native FCM on Android, APNS on iOS, web push endpoint and keys), device platform, device label
Anthropic (Claude)AI features for community engagement (EngageBot worker)Prompts and content sent to Anthropic Claude API for community-engagement automation. Anthropic does not use API inputs for model training.
TavilyWeb search for content research and source verification (PosterBot, admin post refinement)Search queries derived from article topics or admin-supplied refinement prompts. No personal user data (name, email, IP) is sent to Tavily.
DataForSEOSEO data provider (SERP rankings, AI/LLM visibility monitoring)Search keywords, target domains, and location preferences entered by users in the SEO Command Center. No personal data (name, email, IP) is sent to DataForSEO.

Sentry — Additional Details

Sentry is configured to collect personally identifiable information (PII) including IP addresses and user agent strings on the web application, background workers, and middleware. On the mobile application, Sentry captures session replay data (sampled at 10% of sessions) and full session replays with screenshots for 100% of error sessions; the mobile SDK is configured with sendDefaultPii: false, so device-level PII (IP, exact user agent) is not transmitted with mobile events — only the in-app interactions and screenshots needed to reproduce the error. Sentry data is hosted in the EU (de.sentry.io). This data is used exclusively for diagnosing and resolving technical issues. View Sentry's privacy policy.

PostHog — Additional Details

PostHog provides our product analytics (funnels, retention, cohorts) and session replay. The SDK is configured with capturing opted out by default, with all input fields masked in recordings, person profiles created only after sign-in (anonymous browsing remains pseudonymous), and a custom event mask selector ([data-private], input[type="password"]) for fields that must never be recorded. Events are hosted on PostHog Cloud US (us.i.posthog.com). You can opt out at any time via our consent banner; doing so disables capturing in the active session without a page reload. See PostHog's privacy policy for the full processor disclosure.

Analytics & Marketing — Consent Required

Google Analytics, Google Ads, Google AdSense, Microsoft Clarity, Microsoft Advertising, and PostHog are only activated after you provide explicit consent via our consent banner. The Google and Microsoft tools are managed through Cloudflare Zaraz; PostHog is loaded directly via its JavaScript SDK and is configured to start with capturing disabled by default, only enabling once you grant analytics consent. You can opt out at any time by adjusting your consent preferences or by installing the Google Analytics Opt-out Browser Add-on.

For more information, see: Google's privacy policy, Microsoft's privacy statement, Okta's privacy policy, Stripe's privacy policy, Brevo's privacy policy, Cloudflare's privacy policy, OpenAI's privacy policy, ElevenLabs' privacy policy, PostHog's privacy policy, Neon's privacy policy, DataForSEO's privacy policy.

We do not sell, trade, or rent your personal information to third parties. We may share your information with the service providers listed above, who process data on our behalf subject to confidentiality agreements and data processing addendums.

4. Cookies and Tracking Technologies

Cookies We Use

Strictly Necessary Cookies (always active):

  • auth_session — Encrypted authentication session (expires after 24 hours)
  • csrf_token — Cross-site request forgery protection (double-submit cookie pattern; the value is also sent in the x-csrf-token request header by our frontend code so the server can verify the two match)
  • zaraz-consent — Stores your cookie consent preferences for Cloudflare Zaraz (which gates the loading of analytics and marketing scripts based on your choices)

Analytics Cookies (set only after you provide analytics consent):

  • _ga, _ga_* — Google Analytics client and session identifiers
  • _clck, _clsk — Microsoft Clarity session identifiers
  • ph_*_posthog — PostHog session identifier and feature-flag state (cookie name varies by project key; only set after analytics consent is granted)

Marketing Cookies (set only after you provide marketing consent):

  • Google Ads conversion tracking cookies
  • Google AdSense advertising cookies

Local Storage

We use browser local storage to enhance your experience. This data stays on your device and is not transmitted to our servers unless explicitly noted:

  • Consent preferences stored in c15t-consent localStorage key by our consent UI (c15t), synced with our server for GDPR audit trail. Cloudflare Zaraz separately reads its own zaraz-consent cookie (described above) to decide which analytics and marketing scripts to load — the two are kept in sync.
  • Theme preference (dark/light mode)
  • Reading list and bookmarked content
  • Recent search queries (for autocomplete)
  • Recently viewed pages
  • PostHog SDK state (anonymous distinct ID, person properties, feature-flag cache) under keys prefixed ph_*_posthog. Written only after analytics consent is granted; cleared by PostHog's reset() on sign-out.

Managing Your Preferences

You can manage your cookie preferences at any time using the consent banner that appears on first visit, or by adjusting your browser settings. Note that disabling strictly necessary cookies may prevent the Platform from functioning properly.

5. Consent Management

We use a consent management system to ensure analytics and marketing technologies are only activated after you provide explicit opt-in consent. Consent records are stored with a full audit trail, including:

  • Categories accepted and rejected
  • IP address and approximate geographic location
  • Timestamp and consent version
  • Link to any previous consent record (for audit trail)

IP addresses stored in consent records are automatically deleted (set to null) after 30 days. Consent records expire after 1 year, at which point you will be asked to re-confirm your preferences.

6. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Platform and its features
  • Send newsletters, weekly briefings, push notifications, and marketing communications (with your consent)
  • Process payments and manage subscriptions
  • Authenticate your identity and manage your account
  • Personalize your experience (content recommendations, learning paths, AI responses)
  • Track engagement (streaks, badges, challenges, reading progress)
  • Analyze usage trends to improve our content, tools, and services
  • Detect, prevent, and address fraud, abuse, and security threats
  • Scan uploaded files for malware (via ClamAV)
  • Track referral program participation and reward credits
  • Respond to your inquiries and provide customer support
  • Comply with legal obligations

7. Data Retention

  • Authentication sessions: 24 hours
  • IP addresses: Automatically deleted after 30 days
  • Consent records: 1 year (IP addresses deleted after 30 days)
  • Analytics data: Retained per Google Analytics and Microsoft Clarity default retention periods
  • Newsletter subscriber data: Until you unsubscribe
  • Account data: Until you request account deletion
  • Payment records: Retained as required by tax and financial regulations
  • AI conversation history: Retained while your account is active
  • Security and honeypot logs: 30 days
  • Recently viewed items: Last 50 items per user (older items automatically removed)
  • File uploads: Retained until inquiry is closed, plus 90 days
  • Push notification tokens: Deleted on unsubscribe or account deletion
  • Referral data: Retained while the referral program is active
  • Command Center, Foundry, SplitCause, and 1:1 data: Retained until you delete the data or your account is closed
  • Bookmarks and learning path progress: Retained while your account is active
  • Onboarding data: Retained while your account is active
  • SEO Command Center data: Tracked keywords, rank snapshots, and LLM mention history retained while your account is active; LLM mention cache expires after 24 hours

8. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Request transfer of your data in a machine-readable format
  • Objection: Object to processing of your data for certain purposes
  • Restriction: Request restriction of processing
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at privacy@theartofcto.com. We will respond within 30 days.

9. Your Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell your data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To submit a request, contact us at privacy@theartofcto.com.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States and the European Union, where our service providers operate. When we transfer data outside of the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms to ensure an adequate level of data protection.

11. Unsubscribe from Communications

You can unsubscribe from our newsletter and marketing communications at any time by:

  • Clicking the "Unsubscribe" link at the bottom of any newsletter email
  • Updating your preferences in your account dashboard
  • Disabling push notifications in your browser or device settings
  • Contacting us at unsubscribe@theartofcto.com

12. Data Security

We implement appropriate technical and organizational security measures to protect your personal data, including:

  • HTTPS/TLS encryption for all website traffic
  • Encrypted session cookies (AES-GCM)
  • CSRF protection on all authenticated API endpoints
  • IP-based rate limiting and abuse detection
  • Web Application Firewall (WAF) and DDoS protection via Cloudflare
  • Secure API connections to all third-party services
  • Automatic IP address deletion after 30 days
  • Automated malware scanning of uploaded files (ClamAV)
  • Honeypot-based bot detection
  • Content Security Policy (CSP) headers to prevent cross-site scripting
  • Regular security monitoring

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

13. Children's Privacy

The Platform is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@theartofcto.com.

14. Do Not Track & Global Privacy Control

We do not currently implement automated handling of Do Not Track (DNT) or Global Privacy Control (GPC) browser signals. You can manage your tracking preferences at any time via our consent banner, which controls whether analytics and marketing technologies are activated.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or through a notice on the Platform. Your continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

16. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

← Back to Home