This policy should be reviewed by counsel before live checkout, analytics, community tooling, or paid membership is broadly promoted.
Privacy Policy
This launch draft explains what After Hours Builders collects, why it is collected, and which production providers remain disabled until deliberately configured.
Effective June 22, 2026
What we collect now
When you submit the starter form, we collect your email address, buyer type, optional idea context, readiness answers, marketing consent timestamp, and attribution fields such as campaign IDs or UTM parameters.
The free stack PDF is delivered from a public static URL after the lead form is accepted. Production lead submissions are stored in Cloudflare D1.
What is provider-gated
Google sign-in routes exist, but auth is disabled until OAuth client settings and signed session secrets are configured.
Stripe checkout and webhook-backed membership access exist, but live checkout is disabled until Stripe keys, price IDs, webhook settings, billing terms, and support coverage are verified.
Transactional email has a Resend-ready boundary, but production email remains disabled until the sender domain and secrets are configured.
Analytics keys are not configured in production. If analytics are enabled later, this policy should name the provider and the events being tracked.
How we use information
We use lead information to send the requested starter material, understand readiness, improve the course funnel, and follow up only when consent has been given.
When auth and checkout are enabled, account and membership records will be used to verify access to member-only course/community surfaces and protected downloads.
Admin actions are logged in an audit table with actor, target, timestamp, request metadata, and redacted metadata so operational changes can be reviewed.
Who processes information
Cloudflare hosts the Worker, public assets, and D1 database. Google may process OAuth profile information when sign-in is enabled. Stripe may process billing and subscription events when checkout is enabled. Resend may process transactional email when email delivery is enabled.
Card data should be handled by Stripe, not by After Hours Builders directly.
Cookies and sessions
When Google auth is enabled, the app uses signed cookies for OAuth state and member sessions. These cookies are used to complete sign-in and verify access.
The current production deployment keeps auth disabled, so member and admin routes fail closed until the required provider configuration exists.
Retention and deletion
Lead and account records are kept while they are useful for operating the course, support, audit, and membership workflows.
You can ask for a record lookup or deletion by contacting hello@afterhoursbuilders.com. Some audit, billing, or security records may need to be retained when required for legitimate operational, financial, or legal reasons.
Security posture
The app is designed around server-side access checks, provider gates, D1 persistence, private protected asset storage when R2 is enabled, signed sessions, and audit logging for admin operations.
No internet service can guarantee perfect security. If a security issue is discovered, report it to hello@afterhoursbuilders.com so it can be triaged.
Children
After Hours Builders is built for employed adults and is not directed to children.