Privacy Policy

Gold Cauldron LLC ("Gold Cauldron," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information — including financial and billing data — when you visit our website at goldcauldron.ai, use our client portal, or engage with our AI automation services (collectively, the "Services").

By using the Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Services.

1. Information We Collect

1.1 Information You Provide Directly

• Contact Information: Name, email address, phone number, job title, and company name when you fill out our contact or lead-capture forms.
• Account Credentials: Email address and password (hashed) when you create a client portal account.
• Billing & Payment Information: Cardholder name, billing address, and payment card details. Card numbers are processed exclusively by our PCI-DSS-compliant payment processor (Stripe) and are never stored on our servers. We retain only non-sensitive identifiers such as the last four digits of your card, card brand, and expiration month/year.
• Subscription & Service Data: Plan tier, billing cycle, subscription start/end dates, and payment history necessary to administer your account.
• Business Challenge Information: Information you voluntarily share about your business goals or operational challenges during onboarding or consultations.
• Communications: Messages, support requests, or feedback you send to us by email or through the portal.

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent, click-stream data, and referring URLs.
• Device & Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Cookies & Similar Technologies: We use first-party cookies for session management and authentication, and may use analytics cookies (e.g., Vercel Analytics) to understand aggregate usage patterns. We do not use advertising or cross-site tracking cookies.
• Voice Interaction Data: If you use our AI voice assistant (powered by VAPI.ai), the content of your voice session may be processed by VAPI.ai's infrastructure to generate responses. Session transcripts may be stored temporarily for quality assurance and model improvement purposes.

1.3 Information from Third Parties

• Payment Processor (Stripe): Stripe may share limited transaction metadata with us, such as payment status, invoice IDs, and refund events, to keep your billing records accurate.
• Authentication Providers: If you sign in via a third-party OAuth provider, we receive basic profile information (name and email) as permitted by that provider and your account settings.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: Provisioning, operating, and improving the Services you have engaged us to provide.
• Account Management: Creating and managing your client portal account, authenticating your identity, and maintaining session security.
• Billing & Payments: Processing subscription payments, issuing invoices, managing renewals and cancellations, handling refunds, and detecting fraudulent transactions.
• Financial Reporting: Maintaining accurate internal financial records as required for legal, tax, and accounting obligations.
• Communications: Sending transactional emails (receipts, invoices, password resets, account alerts) and, where you have opted in, service updates or educational content.
• Customer Support: Responding to your inquiries and resolving disputes.
• Analytics & Improvement: Analyzing aggregate usage to improve usability, reliability, and performance of the Services.
• Legal Compliance: Meeting obligations under applicable law, including anti-money-laundering (AML) and Know Your Customer (KYC) requirements where applicable.
• Security: Detecting and preventing fraud, abuse, or unauthorized access to accounts and systems.

We do not sell your personal information. We do not use your data to train generalized AI models without your explicit consent.

3. Financial Data & Payment Security

Because our Services involve subscription billing and financial reporting for client projects, we take the security of financial data seriously.

3.1 Payment Processing

All payment card transactions are processed by Stripe, Inc., a Level 1 PCI Service Provider. Gold Cauldron does not receive, transmit, or store raw payment card numbers. Stripe handles tokenization and card vaulting. By making a payment, you also agree to Stripe's Privacy Policy.

3.2 What Financial Data We Store

• Stripe customer ID and payment method ID (tokenized references — not raw card data)
• Subscription plan, billing amount, currency, and billing interval
• Payment status, invoice dates, and transaction IDs
• Billing address associated with your account
• Project budget and payment tracking data entered by you or your account manager in the client portal

3.3 Financial Data Retention

We retain financial records for a minimum of 7 years from the date of transaction to comply with federal and state tax laws and Generally Accepted Accounting Principles (GAAP). After this period, records are securely deleted or de-identified.

3.4 Refunds & Disputes

Refund requests are processed through Stripe. Dispute-related communications may require us to share transaction records with Stripe or financial institutions as permitted by law.

4. How We Share Your Information

We do not sell or rent your personal information. We may share it only in the following limited circumstances:

• Service Providers: Trusted vendors who process data on our behalf under binding data processing agreements, including Stripe (payments), Supabase (database hosting), Vercel (hosting and analytics), and VAPI.ai (voice AI infrastructure).
• Legal Obligations: When required by law, regulation, court order, or government authority, or to protect the rights, property, or safety of Gold Cauldron, our clients, or the public.
• Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your information is transferred.
• With Your Consent: In any other circumstance where you have explicitly authorized us to share your information.

5. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by law:

• Account data is retained for the duration of your active account, plus 90 days after deletion to support recovery requests, after which it is purged.
• Financial and billing records are retained for 7 years as required by tax and accounting regulations.
• Voice session data processed via VAPI.ai is subject to VAPI.ai's own retention policies; transcripts we retain are deleted within 12 months unless required for an active dispute.
• Marketing form submissions are retained until you opt out or request deletion.

6. Cookies & Tracking Technologies

We use the following types of cookies:

• Essential Cookies: Required for authentication sessions and core portal functionality. These cannot be disabled without breaking the Services.
• Analytics Cookies: Aggregate, anonymized data about how visitors use our site (e.g., Vercel Analytics). No personal identifiers are linked to these metrics.

You can control cookies through your browser settings. Disabling essential cookies will prevent access to the client portal.

7. Security

We implement industry-standard technical and organizational measures to protect your information, including:

• TLS/HTTPS encryption for all data in transit
• AES-256 encryption for sensitive data at rest in our database (Supabase)
• Row-level security (RLS) policies to ensure users can only access their own data
• Hashed passwords (bcrypt) — we never store plaintext passwords
• Payment data tokenization via Stripe (PCI-DSS Level 1 compliant)
• Role-based access controls (RBAC) limiting internal access to personal data on a need-to-know basis
• Regular security reviews of authentication and authorization logic

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

8. Your Rights & Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to our legal retention obligations (e.g., financial records).
• Portability: Request your data in a structured, machine-readable format.
• Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the link in any email we send, or by contacting us directly.
• Restriction / Objection: Request that we restrict processing of your data or object to certain processing activities.

To exercise any of these rights, email us at privacy@goldcauldron.ai. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

Note: Deleting your account does not automatically erase financial records that we are legally required to retain.

9. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will promptly delete it.

10. Third-Party Links & Services

Our website or portal may contain links to third-party websites or integrate with third-party services (e.g., Stripe, VAPI.ai). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

11. International Data Transfers

Gold Cauldron is based in the United States. If you access our Services from outside the United States, your information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our Services, you consent to this transfer.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where appropriate, by sending an email notification to registered account holders. Your continued use of the Services after any changes constitutes your acceptance of the revised policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: