Privacy Policy

When you call the API, here's what we keep, why, and for how long:

Here's what we don't collect:

• End-user PII beyond the candidate name itself.
• Browser fingerprints, cookies, or tracking pixels. The API has no UI to attach them to.
• Payment card details. Stripe handles billing — see their privacy policy.
• Anything the candidate name “represents.” We treat the name as opaque text.

We meter the free tier without requiring you to sign up. To stop a single caller from burning the whole pool, unauthenticated requests are grouped into an anonymous bucket using a one-way hash of three signals:

• The source IP address of the request
• The User-Agent header
• The Accept-Language header

We compute SHA-256(ip + user_agent + accept_language), store it in Cloudflare KV under the key aeo_quota:anon:{hash} alongside a small JSON value ({count, first_seen}), and use it only to enforce the 5-call free limit before the signup prompt is surfaced. The raw IP is not retained alongside the hash. Hashes auto-expire after 30 days of inactivity.

In plain English: we hash IP + user-agent for rate limiting, retain 30 days, do not sell or share. We don't use this hash for advertising, profiling, cross-site tracking, or any purpose other than the anonymous quota counter.

Known limitation: shared NAT (coffee shops, corporate networks) can cause multiple users to share an anonymous bucket. This is intentional — we'd rather under-meter than fingerprint more aggressively. If your team needs higher anonymous limits, sign up for a free account (50/mo, magic-link, no password).

• Operating the service. Returning verdicts to authenticated callers.
• Rate limiting. Per IP on the unauthenticated Free tier; per API key for authenticated calls.
• Abuse prevention. Catching fraud, scraping, denial-of-service patterns.
• Service improvement. Aggregated, anonymized telemetry feeds engine calibration.
• Customer support. When you contact us about a specific verdict ID.

The complete, current list of sub-processors — including hosting, payments, email, analytics, trademark-data sources, and LLM endpoints — is published as a separate page at /privacy/subprocessors. Under GDPR Art. 28 we maintain that list as the canonical disclosure; this page links to it rather than duplicating (which would drift). The headline categories:

• Hosting + infrastructure: Railway (compute + Postgres), Cloudflare (edge, KV, Workers, Email Routing).
• Payments: Stripe and Polar.sh — both merchants-of-record with their own sub-processor lists.
• Email: Resend (transactional), Loops (lifecycle, when enabled).
• Analytics + error monitoring: PostHog (cookieless), Sentry, Microsoft Clarity (marketing site only, with GPC + DNT honored), Google Analytics 4 (only if consented).
• Trademark + naming data: USPTO TSDR, EUIPO, UKIPO, WIPO Madrid, Apify (SERP scraping), Dynadot (domain registrar for Forge bundles).
• LLM + MCP surfaces: Anthropic, OpenAI, Smithery, and the user-installed LLM clients (Cursor, ChatGPT, Claude Desktop, etc.).
• Communications + observability: Twilio (inbound SMS), ElevenLabs (TTS), Better Stack (log retention).

We do not sell or share personal data with advertisers or data brokers. We don't intend to start. International transfers to US sub-processors rely on the EU Standard Contractual Clauses and the UK IDTA where applicable — details and per-processor SCCs are in the sub-processor list and in the “International data transfers” section below.

Verdicts are computed against open / public-domain registries:

• USPTO (public domain): trademark register + TTAB decisions
• EUIPO (open data): EU Community Mark register
• UKIPO (Open Government Licence): UK trademark register
• WIPO Madrid (public): International Registrations
• YC portfolio (public scrape; refresh weekly): YC alumni names
• RDAP (RFC 7480/7482): domain registration status
• Social platforms (public profile probes): handle availability

• Contract (Art. 6(1)(b)). Returning verdicts to authenticated callers, billing for paid tiers, account maintenance.
• Legitimate interest (Art. 6(1)(f)). Anonymous quota fingerprinting, abuse prevention, error monitoring, aggregated engine calibration. Balanced against the minimal data we retain.
• Consent (Art. 6(1)(a)). Optional analytics (PostHog, Clarity, GA4) and marketing email (Loops). Withdraw at any time via the cookie banner or by emailing privacy@etymolt.com.
• Legal obligation (Art. 6(1)(c)). Billing records retained for tax law compliance.

You have the right to access, rectify, erase, port, restrict, and object to processing of your personal data. Specifically:

• Access — request a copy of your data by emailing privacy@etymolt.com. We respond within 30 days.
• Erasure — email privacy@etymolt.com or legal@etymolt.com; we honor within 30 days. If you just want to close your account, the in-app path is /account → Danger zone — it routes the request to support@etymolt.comand a human confirms within 24 hours.
• Rectification — correct inaccurate account data in-app or by emailing us.
• Portability — machine-readable JSON export of your verdict history and account record on request.
• Object / restrict — to processing based on legitimate interest; email privacy@etymolt.com.
• Withdraw consent — for analytics and marketing email, with no effect on processing already done.
• Lodge a complaint with your supervisory authority (in the EU, your local DPA; in the UK, the ICO; in California, the CPPA).

Programmatic erasure: customers can also call DELETE /v3/verdicts/{id}/outcomes to permanently erase outcome events linked to a specific verdict. GDPR Article 17 / CCPA right-to-delete fulfilled.

Etymolt verdicts (PROCEED, STRATEGIC, ABANDON) are computed algorithmically. The verdict response includes a composite score (0–100) and per-axis sub-scores — the “axes” currently exposed in the API response are:

• trademark — derived from USPTO, EUIPO, UKIPO, and WIPO Madrid public-register signals. Internal fields beyond the per-axis score (raw conflict candidates, examiner-action history, ranked-similarity scores) are not exposed in the public verdict response — see the methodology page for which signals feed the axis.
• domain — derived from RDAP and the standard registrar resolvers. Exposes only the per-axis score in the verdict response.
• cultural — derived from public SERP and social handle probes. Exposes only the per-axis score.
• sound_symbolism — derived from phonotactic and prosody analysis. Per-axis score only.
• pronunciation — derived from G2P and cross-lingual pronounceability heuristics. Per-axis score only.

Status under GDPR Art. 22. Verdicts are advisory. They are designed to inform — not replace — your decision to adopt a name, register a domain, or file a trademark application. We do not market verdicts as self-executing legal determinations, and the API caller (you, or the LLM acting on your behalf) is the decision-maker of record. We nevertheless acknowledge that, where you rely on a verdict to make a commercial decision (a Forge bundle purchase, a domain registration, a TM filing), the line between “advisory” and “decisional” is fact-specific. We therefore extend GDPR Art. 22(3) rights to every Etymolt verdict regardless of whether the strict legal test is satisfied:

• Right to human review. You may request that a member of the Etymolt team review any verdict and the underlying data sources, weights, and reasoning that produced it. Email legal@etymolt.com (preferred for verdict-review requests) or privacy@etymolt.comwith the verdict_id. We respond within 30 days.
• Right to contest. You may dispute a verdict and request that Etymolt not rely on the automated output for any downstream service we offer (Forge bundle, custom name screening). Same contacts.
• Right to an explanation. You may request a human-readable explanation of how each axis was scored, including the data sources consulted and the weighting applied. The methodology page documents the high-level logic; per-verdict explanations are available on request.
• Right to object to automated processing. You may request that Etymolt not run automated screening against any candidate name you submit. We will honor the objection by returning a manual-review-only response.

Note on third-party data inside verdict findings: when a verdict cites a conflicting prior mark (e.g. “US-87521634 owned by Acme Corp”), the registrant name is drawn from the USPTO public register and is reproduced under the public-record exemption. If you are the registrant of a cited mark and wish to object to its appearance in a verdict, email legal@etymolt.com.

• Verdict logs: 90 days (Free), 12 months (Paid), per contract (Platform/Enterprise)
• Account data: while account is active + 12 months after closure
• Billing records: 7 years (US tax) or per local requirement
• Error logs: 30 days (rolling)

Etymolt is operated from the United States. Primary stores:

• Postgres (account, verdicts, audit log): hosted by Railway in US-East (us-east-1 region) as the default deployment. The exact region is visible to operators in the Railway dashboard and may be migrated to a different US region on operator request.
• Cloudflare KV (anonymous quota hash, inbox-parser records): auto-replicated globally by Cloudflare across its edge network. KV writes are eventually consistent across the global mesh; values are encrypted at rest with Cloudflare-managed keys.
• Cloudflare R2 (any static asset bundles): WNAM (Western North America) as the default placement, unless the bucket has been pinned to a specific region.
• PostHog (product analytics): the host is controlled by the NEXT_PUBLIC_POSTHOG_HOST environment variable. The codebase defaults to https://us.i.posthog.com; operators serving primarily EU customers should set the variable to https://eu.i.posthog.com so analytics never cross the Atlantic.
• Sentry (error monitoring): region tracked by the operator-provided SENTRY_DSN. EU and US Sentry regions are both supported by configuration.
• Resend / Loops (email): US-hosted by default; Resend offers an EU region on request per its DPA.
• Stripe / Polar (payments): Stripe stores customer data in the US with EU residency available per its DPA; Polar runs primarily on EU infrastructure (Sweden) with US replicas.

Cross-border transfers from the EU / UK / Swiss area. Where personal data of EU, UK, or Swiss data subjects is transferred to a US-hosted sub-processor, the transfer is governed by the EU Standard Contractual Clauses (GDPR Art. 46(2)(c)), the UK International Data Transfer Addendum, and — where the sub-processor is actively self-certified — the EU-US Data Privacy Framework (and its UK extension / Swiss-US equivalent). Per-processor SCC references are listed in the sub-processor list. A transfer impact assessment (TIA) is on file for each US-hosted sub-processor and is available on request to privacy@etymolt.com.

• TLS 1.3 in transit
• AES-256 at rest (database + object storage)
• API keys hashed via SHA-256 before storage
• Magic-link tokens are SHA-256 hashed at rest and atomically consumed (two-step, single-use)
• Authentication and admin actions are written to a Postgres audit_log with database-level append-only triggers (DB-level triggers reject UPDATE and DELETE operations)
• Verdict identifiers are immutable — once issued, the public permalink content is fixed
• SOC2 Type I in progress (Stage 2 commitment)

Etymolt is a business-tooling API and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data — for example, an account was opened with a minor's email — please email privacy@etymolt.com and we will delete the data and close the account within 72 hours.

Etymolt is established in the United States. Some of our sub-processors (Stripe, Sentry, Resend, Loops, Anthropic, Microsoft Clarity, Google Analytics 4, and PostHog's US backups) are also based in the US. When personal data of EU, UK, or Swiss data subjects is transferred to these processors, we rely on:

• EU Standard Contractual Clauses (SCCs) under GDPR Art. 46, executed module-by-module with each processor.
• The EU-US Data Privacy Framework (DPF) and the UK Extension where the processor maintains active self-certification on dataprivacyframework.gov.
• The UK International Data Transfer Addendum (IDTA) issued by the UK ICO, where the SCCs alone do not cover UK transfers.
• The Swiss-US DPF for transfers from Switzerland.

Transfer impact assessments (TIAs) are on file for each US-hosted sub-processor. Email privacy@etymolt.com to request a copy.

Under GDPR Art. 27 and UK GDPR Art. 27, controllers outside the EU / UK that process personal data of EU / UK data subjects must appoint a local representative. Etymolt's posture during launch:

• EU representative: appointment in progress. Final appointment will be confirmed and published here before we cross the GDPR Art. 27 derogation threshold for non-occasional processing of EU personal data (we are below that threshold at launch).
• UK representative: appointment in progress. Final appointment will be confirmed and published here before we cross the UK GDPR Art. 27 threshold.

Until appointments are finalized, EU and UK data subjects can exercise GDPR rights directly with us by emailing privacy@etymolt.com. We respond within 30 days. Supervisory authorities may also contact us at the same address.

privacy@etymolt.com · support@etymolt.com

EU representative: to be appointed (see “Data protection — EU / UK representatives” above)
UK representative: to be appointed (see “Data protection — EU / UK representatives” above)