Privacy Policy
mySecond, LLC Effective Date: April 23, 2026 Last Updated: April 23, 2026
1. Introduction
mySecond, LLC ("mySecond," "we," "us," or "our") operates mysecond.ai (the "Platform"). This Privacy Policy describes how we collect, use, disclose, and protect information about you when you use the Platform, purchase our services, or interact with our communications.
This Policy applies to:
- Self-serve users of mysecond.ai (free and paid)
- Customers of our professional services (Discovery Audit, Implementation, Managed Services)
By using the Platform, you agree to this Privacy Policy.
2. Information We Collect
2.0 How the Platform Processes Data — mySecond App vs. Local Skills
mySecond's Platform has two components with different data-processing profiles:
- mySecond App (hosted web app): All activity inside the mySecond App — account data, context files, skill outputs, and team workspace content — is transmitted to and stored on mySecond's infrastructure. This Privacy Policy covers all mySecond App data.
- Local Skills (run via Claude Code on your device): When you download skills and run them locally through Claude Code on your own machine, that execution happens on your device. mySecond does not receive, transmit, or store the content of your local prompts, inputs, or outputs unless you explicitly sync that content to the mySecond App. Your use of Claude Code is separately governed by Anthropic's terms and privacy policies.
This Privacy Policy applies to mySecond App data and to any data you sync from Local Skills to the mySecond App.
2.1 Account and Identity Information
When you create an account or purchase services, we collect:
- Name
- Email address
- Company name and role
- Account credentials (password hashed; we do not store plaintext passwords)
2.2 Usage Data
We automatically collect data about how you use the Platform:
- Pages visited and features accessed
- Skills viewed and downloaded
- Search queries and filter interactions
- Session duration and frequency
- Device type, browser, operating system, and IP address
2.3 Payment Information
All payment processing is handled by Stripe. We do not collect or store full payment card numbers. Stripe may provide us with limited billing details — such as billing name, billing email, billing address, and a display-only reference to the card (e.g., last four digits and card brand) — for receipt, tax, and fraud-prevention purposes. For Stripe's data practices, see stripe.com/privacy.
2.4 Content Data
When you use the Platform, we store:
- Context files you create or upload (company, product, personas, competitors)
- Skill outputs and deliverables generated through the Platform
- Configuration settings for your PM OS
2.5 Communications Data
We collect data related to our email communications:
- Email open and click events (for improving email relevance)
- Responses to surveys or feedback requests
- Support requests and correspondence
2.6 Cookies and Tracking Technologies
We use cookies and similar technologies for:
- Authentication (session cookies)
- Product analytics (PostHog — see Section 5)
- Remembering preferences
You can control cookies through your browser settings. Disabling certain cookies may affect Platform functionality. Where required by applicable law, we will present a cookie consent mechanism before enabling non-essential cookies.
2.7 Team Plan Usage Analytics
For Team Plans, the mySecond App includes a team dashboard that shows which skills, workflows, and sub-agents each authorized seat has used. Data collected for this purpose includes:
- Skill, workflow, and sub-agent identifiers and timestamps of use
- Counts of runs and outputs generated per seat
- Seat identity (email, display name)
This data is visible to the Team Account Owner's designated administrator(s). Individual seat users can see their own activity. mySecond uses this data to operate the dashboard, support the Team Account Owner, and improve the Platform in aggregate. If you are a seat user on a Team Plan, your employer (the Team Account Owner) is the controller of this data; direct privacy requests relating to team usage data to them.
2.8 Team Plan Data Ownership
For Team Plans, the purchasing company (the "Team Account Owner") is the owner of all Content created within the Team workspace, including shared context files and skill outputs. Individual users are authorized seats; the Team Account Owner — through its designated administrator — controls seat provisioning, access rights, and seat removal. When a seat is removed, that user's access to the Team workspace ends; Content created within the Team workspace remains with the Team Account Owner. Privacy requests relating to Team workspace Content are directed to the Team Account Owner.
3. How We Use Your Information
We use the information we collect to:
- Provide the Platform and Services: Authenticate your account, deliver your subscription features, fulfill services engagements
- Process payments: Charge subscriptions, issue receipts, manage billing
- Product analytics: Understand usage patterns to improve the Platform (using PostHog)
- Email communications: Send transactional emails (receipts, onboarding, product updates) and marketing communications (with opt-out available)
- Customer support: Respond to requests and resolve issues
- Legal and compliance: Comply with applicable law, enforce our Terms, protect our legal rights
We do not use your Content to train AI models without your explicit consent.
4. AI Processing and Anthropic
4.1 How AI Works on Our Platform. The Platform uses Claude, an AI model developed by Anthropic, to power skill execution, content generation, and other AI features. When you interact with AI features, your inputs (Content, prompts, context files) are transmitted to Anthropic's API for processing.
4.2 Anthropic's Role. Anthropic processes your inputs as a subprocessor on our behalf to return AI-generated outputs. Our use of Anthropic's API is governed by Anthropic's commercial API terms, which include a prohibition on using customer inputs to train Claude models by default and commitments regarding data handling. For current details, see anthropic.com/commercial-terms and anthropic.com/privacy.
4.3 What Anthropic Receives. Anthropic receives the content of prompts and context files you submit to AI-powered features. Anthropic does not receive your payment information or passwords.
4.4 Anthropic's Data Use. Per Anthropic's API terms, inputs submitted via the API are not used to train Claude's models by default. For current Anthropic data practices, see anthropic.com/privacy.
5. Professional Services Engagement Data
When you engage mySecond for professional services — including Discovery Audits, Implementations, and Managed Services — authorized mySecond personnel may access your company's internal documents, interview transcripts, strategy materials, roadmaps, and other information reasonably necessary to deliver the engagement. This data is handled separately from self-serve Platform data.
- Who has access: Only mySecond personnel directly involved in your engagement.
- Retention: Engagement materials are retained for the duration of the engagement plus a reasonable wind-down period, subject to your Services Agreement.
- Destruction: Upon completion or termination of the engagement, mySecond will, at your request, return or destroy engagement materials within 30 days, subject to reasonable retention for legal, tax, or backup purposes.
- Governing terms: All confidentiality, data handling, and related obligations for professional services engagements are governed by your Services Agreement, which controls over this Privacy Policy for engagement-specific matters.
6. Third-Party Subprocessors
mySecond uses the following third-party providers to operate the Platform. These are subprocessors acting on our behalf; they are distinct from any third-party tools you connect yourself (your own accounts or APIs), which are not covered by this Policy.
| Subprocessor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | Account data, Content, usage metadata | US |
| Stripe | Payment processing | Name, email, billing address, transaction data | Global |
| PostHog | Product analytics | Usage events, anonymized identifiers, page views | US (US Cloud) |
| Anthropic | AI model API | Content inputs, prompts, context files | US |
| Resend | Transactional email delivery | Name, email address | US |
| Kit (formerly ConvertKit) | Email marketing automation | Name, email, tags, subscription status | US |
| Vercel | Website hosting and CDN | IP address, request logs | Global |
| Railway | Background worker infrastructure (plugin generation) | Customer identifiers, plugin build metadata, IP address, user agent | US |
| Sentry | Error tracking and performance monitoring | Error stack traces, request context, user identifiers | US |
We do not sell your personal information to these or any other parties. These providers process data only as instructed by us and subject to appropriate data protection agreements.
7. Data Sharing
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
- Subprocessors: As listed in Section 6, to operate the Platform
- Professional services delivery: If you engage us for services, authorized mySecond staff and contractors involved in delivery will access relevant Content
- Legal requirements: When required by law, subpoena, or to comply with legal process; we will notify you where permitted
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice provided to you
- With your consent: For any other purpose with your explicit prior consent
8. Data Retention
We retain your data for as long as your account is active and as needed to provide the Services. After account closure, we retain limited data as reasonably necessary for legal, tax, accounting, and operational purposes (for example, payment records may be retained for tax compliance).
You may request deletion of your data at any time by contacting support@mysecond.ai. We will honor deletion requests subject to our legal retention obligations.
9. Data Security
We take reasonable measures to protect your information:
- Data is encrypted in transit and at rest using the security features provided by our infrastructure partners (Supabase, Stripe, Vercel).
- Access to production data is limited to authorized personnel.
- We use modern authentication standards.
- We rely on reputable subprocessors (listed in Section 6) to maintain their own security practices.
Data Breach Notification. In the event of a data breach affecting your personal information, we will notify you and applicable authorities as required by applicable law.
No security system is perfect. While we work to protect your information, we cannot guarantee absolute security.
10. Your Rights — California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.
Categories of Personal Information Collected
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address | Yes |
| Commercial information | Purchase history, subscription tier | Yes |
| Internet activity | Usage data, pages visited | Yes |
| Professional information | Company, job title | Yes |
| Inferences | Usage patterns, product preferences | Yes |
| Sensitive personal information | None collected | No |
Your California Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, and sold in the past 12 months.
- Right to Delete: Request deletion of personal information we have collected, subject to exceptions (e.g., legal compliance, security, ongoing business relationship).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. If we change this practice, we will provide an opt-out mechanism.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA.
- Right to Non-Discrimination: We will not penalize you for exercising your privacy rights.
How to Submit a California Privacy Request
Email: support@mysecond.ai Subject line: "California Privacy Request" Include: Your name, email address, and the specific right(s) you are exercising.
We will respond within 45 calendar days. We may request verification of your identity before processing your request.
You may designate an authorized agent to make a request on your behalf with written authorization.
11. Your Rights — European Economic Area, UK, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, we process your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable local laws.
Legal Bases for Processing
| Processing Activity | Legal Basis |
|---|---|
| Providing the Platform and Services | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| Product analytics (PostHog) | Legitimate interests (Art. 6(1)(f)) — improving the Platform |
| Marketing emails | Consent (Art. 6(1)(a)) or legitimate interests for existing customers |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
Your GDPR Rights
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data where processing is no longer necessary, consent is withdrawn, or other conditions apply.
- Right to Restriction of Processing: Request that we limit how we use your data.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (JSON or CSV upon request).
- Right to Object: Object to processing based on legitimate interests, including for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection supervisory authority.
International Data Transfers
mySecond is based in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the US, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses where applicable, consistent with our subprocessors' data transfer frameworks.
To exercise your GDPR rights, contact: support@mysecond.ai. We will respond within 30 calendar days (extendable by 2 additional months for complex requests, with notice).
12. Cookies
Types of Cookies We Use
| Cookie Type | Purpose | Provider |
|---|---|---|
| Essential / Authentication | Maintain your session and login state | mySecond (Supabase) |
| Analytics | Track product usage to improve the Platform | PostHog |
Managing Cookies
You can manage cookies through your browser settings. Disabling essential cookies will prevent you from logging in. Disabling analytics cookies will prevent PostHog from tracking your usage.
EU/EEA Cookie Consent. Where required by applicable law (including the EU ePrivacy Directive and GDPR), non-essential cookies will not be enabled before obtaining your consent. You may withdraw consent at any time by contacting support@mysecond.ai or through the cookie settings link in the Platform footer where provided.
13. Children's Privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we discover we have collected such information, we will delete it promptly. If you believe we have collected information from a child, contact support@mysecond.ai.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or prominent notice on the Platform. The updated Policy will be effective as of the stated effective date. Continued use after that date constitutes acceptance.
15. Contact and Privacy Requests
For any privacy-related questions, requests, or complaints:
Email: support@mysecond.ai Subject: Privacy Request — [Your Name]
mySecond, LLC Email: support@mysecond.ai Website: mysecond.ai
We aim to respond to all privacy requests within 30 days.