BURST

Privacy Policy

Last updated: April 1, 2026

Early-stage product. BURST is operated by Elad Yakobowicz as an early access / proof-of-concept service. This policy explains, in plain language, what we collect and how we use it. It is not a substitute for legal advice for your organization.

1. What we collect

  • Account data: email address, name (if provided), password hash (for email/password sign-in), OAuth identifiers when you use Google sign-in, and verification timestamps.
  • Burst content: text you enter when creating a Burst (topic, questions, optional fields), sponsor signal, and the list of recipient names, titles, departments, and email addresses you add for that Burst.
  • Responses: sentiment, written rationale, optional confidence score, and timestamps from recipients who submit through their personal response link.
  • Technical data: standard server logs (e.g. IP, user agent) may be retained briefly for security and debugging. We may use Google Analytics on the website for aggregated traffic statistics; see Google's privacy policy.

2. How we use information

We use the data above to run the service: authenticate users, send emails about your Bursts (including verification and password-reset messages), display briefs to sponsors, and generate optional AI summaries. We do not sell your personal information or recipient lists to third parties.

We may show high-level usage figures on public pages. They are not derived from the text of your briefs or responses and are not shown per customer.

3. Operator and technical access (important)

Because BURST is early-stage and self-operated, the service operator can access stored data through the database and hosting tools—for example to debug issues, prevent abuse, comply with law, or recover from outages. That includes sponsor and recipient content you might consider sensitive.

If you are evaluating BURST for regulated or high-stakes use, you should assume this level of access exists until we ship stronger isolation, audit logs, and enterprise controls. For many early startups, transparency here matters more than a long policy that obscures the same reality.

4. Third-party processors

Depending on configuration, data may be processed by infrastructure providers and vendors. Their use of the data is limited to providing the functions listed below. Review each vendor's privacy policy if you need detail.

Services we use (typical production setup)

  • Application hosting — e.g. Vercel (or similar) to run the site and API routes.
  • Database — where Burst and account records are stored (e.g. managed Postgres, or local SQLite in development only).
  • Email delivery — e.g. Resend (or similar) for Burst notifications, verification, password reset, and account-related notices.
  • Authentication — Google OAuth when you choose "Continue with Google"; credentials stay with Google per their terms.
  • Optional AI — e.g. OpenAI when executive-style summaries are enabled; prompts include Burst context you have already entered.

5. Retention

We retain data while your account exists and as needed to operate the service. As a sponsor, you can delete an individual Burst (brief) from your dashboard or brief page at any time; that removes the Burst, recipient records, and submitted responses we store for it from our database, subject to ordinary backups expiring on their own schedule. Retention for the rest of your account may be refined as the product matures (e.g. automatic deletion of inactive data, export-before-delete flows). When you delete a Burst, we send a short confirmation email to your account address so you have a record of the action. Contact us to request deletion of your account and associated content where technically feasible.

6. Security

We use reasonable technical measures appropriate to a small product (e.g. HTTPS, hashed passwords, and rate limits on sensitive actions such as password reset). No online service is perfectly secure.

7. International users

If you access BURST from outside the United States, your data may be processed in the U.S. or other regions where our providers operate.

8. Children's privacy

BURST is not directed at children under 13 (or the minimum age in your jurisdiction). Do not use the service for child-directed data collection.

9. Changes

We may update this policy as the product evolves. We will adjust the "Last updated" date and, when appropriate, provide notice through the app or email.

10. Contact

Questions about privacy, how we use or retain data, security, or this policy: sendaburst@proton.me