Privacy Policy

Last updated: April 12, 2026

This Privacy Policy describes how Hurley Inc ("we", "us", "our", "Company") collects, uses, stores, and protects information when you visit www.hurleyinc.com ("the Site") or use any of our products and services, including Restitch, Leda, and Briefstack (collectively, "Services"). By accessing the Site or using any Service, you agree to the practices described in this policy.

Individual products may have their own supplemental privacy policies that provide additional detail about product-specific data practices. Where a product-specific policy conflicts with this policy, the product-specific policy governs for that product. See: Restitch Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

Account registration: When you create an account, we collect your full name, email address, and password. If you sign in with Google, we receive your name and email address from Google.
Waitlist sign-ups: When you join a product waitlist, we collect your name, email address, and optionally your area of interest.
Payment information: If you purchase a subscription or one-time product, your payment details (card number, billing address) are collected and processed directly by Stripe. We do not receive or store your full card number. We receive from Stripe a tokenized reference, card last four digits, expiration date, and billing address for record-keeping and fraud prevention. Not all Services currently offer paid plans; this section applies when payment functionality is available.
Support communications: If you contact us at support@hurleyinc.com, we retain the content of your messages and any information you provide to resolve your inquiry.
Product-specific data: Each product may collect additional data necessary for its functionality (e.g., resume text for Restitch, household preferences for Leda). See the applicable product privacy policy for details.

1.2 Information Collected Automatically

Analytics data: We use Google Analytics 4 to collect aggregated usage data, including pages visited, referral source, approximate geographic location (country/region level), device type, browser type, and interaction events. Google Analytics may set cookies on your device.
Log and request data: Our hosting provider (Vercel) automatically collects server logs, including your IP address, request timestamps, HTTP method, URL path, response status, and user agent string. These logs are used for security monitoring, abuse prevention, and debugging.
Authentication cookies: When you sign in, we set session cookies via Supabase to maintain your authenticated state. These are strictly necessary for the Site to function and are not used for tracking or advertising.

1.3 Information We Do Not Collect

We do not purchase data about you from third-party data brokers.
We do not collect biometric data, precise geolocation, or data from your device sensors.
We do not knowingly collect information from children under 18 (see Section 9).

2. How We Use Your Information

We use the information we collect for the following purposes:

Providing the Services: Account creation, authentication, delivering product functionality, processing payments, and managing subscriptions.
Communication: Sending transactional emails (account verification, password resets, subscription confirmations, billing receipts), responding to support requests, and notifying waitlist members when a product launches. We do not send marketing emails unless you have explicitly opted in.
Security and abuse prevention: Rate limiting, detecting fraudulent activity, enforcing our Terms of Service, and protecting the integrity of the Site and Services.
Analytics and improvement: Understanding how visitors use the Site so we can improve the user experience, fix bugs, and prioritize product development.
Legal compliance: Meeting applicable legal obligations, responding to lawful requests from public authorities, and establishing or exercising legal claims.

3. Legal Bases for Processing (EEA/UK)

If you are in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

Performance of a contract: Processing necessary to provide the Services you have requested (account management, product delivery, payment processing).
Legitimate interests: Analytics, security monitoring, fraud prevention, and product improvement, where those interests are not overridden by your data protection rights.
Consent: Where we rely on your consent (e.g., optional marketing communications), you may withdraw consent at any time.
Legal obligation: Where processing is necessary to comply with applicable law.

4. Third-Party Service Providers

We share data with third-party service providers only as necessary to operate the Site and Services. We do not sell, rent, or trade your personal information to anyone.

Provider	Purpose	Data Shared
Supabase	Authentication, database, waitlist storage	Email, name, hashed password, auth tokens, waitlist entries
Google	OAuth sign-in, Analytics (GA4)	OAuth tokens, analytics events, anonymized usage data
Stripe	Payment processing	Payment method, billing address, transaction details
Anthropic	AI model inference (product features)	User-submitted content processed by AI features (e.g., resume text, prompts)
Vercel	Hosting, edge compute, CDN	Server logs, IP addresses, request metadata

Each provider processes data under its own privacy policy and applicable data processing agreements. We select providers that maintain appropriate security safeguards.

5. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

Strictly necessary cookies: Authentication session cookies set by Supabase. These are required for the Site to function and cannot be disabled.
Analytics cookies: Google Analytics 4 may place cookies to distinguish unique users and track sessions. These cookies collect aggregated, pseudonymized usage data.

We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies. We do not participate in ad networks or sell data derived from cookies.

Most browsers allow you to refuse or delete cookies through their settings. Disabling strictly necessary cookies may prevent you from signing in. Disabling analytics cookies will not affect Site functionality.

6. Data Retention

Account data: Retained for as long as your account is active. Upon account deletion, we remove your personal data from our active systems within 30 days. Backups may retain data for up to 90 days before automatic expiration.
Waitlist data: Retained until the associated product launches and you are notified, or until you request removal, whichever comes first.
Payment records: When payment functionality is available, transaction records are retained for a minimum of 7 years to comply with tax and financial regulations.
Server logs: Automatically purged by our hosting provider per their retention schedule (typically 30 days).
Analytics data: Google Analytics data is retained according to our GA4 configuration settings (default: 14 months).
AI-processed content: Data sent to AI models for processing (e.g., resume text) is processed in memory and not permanently stored on our servers. Third-party AI providers may retain data per their own policies.

7. Data Security

We implement reasonable technical and organizational measures to protect your data, including:

HTTPS/TLS encryption for all data in transit, enforced via HTTP Strict Transport Security (HSTS).
Strict Content Security Policy (CSP) headers to mitigate cross-site scripting and injection attacks.
Passwords hashed and salted by Supabase using industry-standard algorithms; we never store plaintext passwords.
Rate limiting on sensitive endpoints to prevent brute-force and abuse.
Minimal data collection — we only collect what is necessary for the purposes described in this policy.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to support@hurleyinc.com.

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data, subject to legal retention requirements.
Portability: Request a machine-readable export of your data.
Restriction: Request that we restrict processing of your data in certain circumstances.
Objection: Object to processing based on legitimate interests, including profiling.
Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email support@hurleyinc.com with "Privacy Request" in the subject line. We will respond within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.

8.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, the purposes for which it is used, and whether it is sold or shared. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. You have the right to request deletion of your personal information and to not be discriminated against for exercising your rights.

8.2 EEA/UK Residents (GDPR/UK GDPR)

If you are in the European Economic Area or United Kingdom, you have the rights described above plus the right to lodge a complaint with your local data protection authority. Our legal bases for processing are described in Section 3.

Data may be transferred to and processed in the United States, where our servers and service providers are located. We rely on standard contractual clauses and other appropriate safeguards for international data transfers.

9. Children's Privacy

The Site and Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@hurleyinc.com.

10. International Data Transfers

Your data may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from your jurisdiction. By using the Site or Services, you acknowledge this transfer. We ensure appropriate safeguards are in place, including standard contractual clauses where required by law.

11. Third-Party Links

The Site may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the privacy practices or content of these third parties. We encourage you to review their privacy policies before providing them with any personal information.

12. Do Not Track Signals

There is no industry consensus on how to respond to Do Not Track (DNT) browser signals. At this time, the Site does not alter its data collection practices in response to DNT signals. If a standard for responding to DNT signals is established, we will revisit this policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will update the "Last updated" date at the top of this page and, for account holders, provide notice via the email address associated with your account at least 15 days before the changes take effect. Your continued use of the Site or Services after the effective date constitutes acceptance of the revised policy.

14. Contact

For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Hurley Inc
support@hurleyinc.com