Privacy Policy
Last updated: May 26, 2026
01Who runs this site
This site is operated by Michael Dishmon, a sole proprietor based in the USA. When this policy says “I” or “me,” that’s Michael. There’s one person behind this, and that person is accountable for how your data is handled.
02What I collect and why
Here’s a straightforward list of the data I collect, and the reason for each piece.
Name and email
Collected when you fill out the contact form, create an account, or purchase a product. Used to respond to your message, manage your account, and deliver what you bought.
Payment information
Processed entirely by Stripe. I never see or store your card number. Stripe handles PCI compliance. I receive a confirmation with the amount, product, and a Stripe customer ID.
Usage analytics
Collected via PostHog and Google Analytics 4 (GA4). This includes pages visited, time on site, browser type, approximate location (city-level), and referral source. The purpose is to understand which content is useful and which pages need work.
Account data
If you create an account, I store your email, display name, and purchase history in Supabase (hosted on AWS). This lets you access your purchases, download products, and manage your account.
Sales research data
I may collect publicly available business contact information about decision-makers at companies that fit my service profile, including people who have never visited this site. The fields stored are name, job title, employer, business email address, LinkedIn URL, and public business phone numbers. Sources include public web pages, LinkedIn, company websites, and business directories. The data is stored in my internal CRM and is used to send personalized outreach for my fractional, consulting, and SaaS services. I do not enrich these records with sensitive categories such as health, finance, or household demographics. To request deletion of a record, see section 09 below.
03Cookies and tracking
This site uses cookies and browser storage. Visitors located in the EEA, UK, or Switzerland are detected at the edge via a country-code header and analytics scripts (PostHog, Google Analytics 4) are not loaded for those visitors at all. Everyone else has analytics loaded by default and can opt out via the browser Do-Not-Track signal, which PostHog respects.
PostHog
Product analytics. Tracks page views, clicks, and custom events (things like viewing a product page, submitting the contact form, or reading a case study) to help me understand how people use the site. Honors browser Do-Not-Track. Not loaded for EEA / UK / CH visitors. Session recording is active for authenticated portal users on /dashboard/* routes only. It is off for every other page on the site. When recording is active, passwords and email fields are masked before the data leaves your browser. Fields marked with a data-pii attribute are masked as well. Marketing pages, the homepage, /work, /products, /writing, and all other public routes are never recorded. Recordings are retained for 30 days. You can request deletion of any session recordings associated with your account by emailing hello@michaeldishmon.com. When you sign up and log into the member portal, your PostHog analytics history is linked to your account using a pseudonymous identifier - specifically, the UUID assigned to your account in the database. Your email address and name are not sent to PostHog as identifying attributes. The linking happens after you create an account, and it is how the site tracks things like which products you have accessed and whether particular features are being used. You can request deletion of your PostHog event history, including any linked profile, by emailing hello@michaeldishmon.com. When you submit the contact form or a service inquiry, the company name you enter may also be recorded in PostHog as a group attribute. This is used to understand aggregate patterns by business type, not to target or sell to you.
Google Analytics 4
Traffic analytics. Collects anonymized usage data including page views, session duration, and traffic sources. Not loaded for EEA / UK / CH visitors via the client-side script. In addition to the client-side script, a server-side event is sent to Google Analytics via the Measurement Protocol when a purchase completes. This server-side call happens on my infrastructure, not in your browser, so it fires for all completed checkouts regardless of your location. It sends the transaction ID, purchase amount, currency, and the product you bought. It does not send your name, email address, or any other personal identifier. Google processes this data under their own privacy policy.
Authentication cookies
Session cookies from Supabase Auth that keep you logged in. These are strictly necessary for the site to function if you have an account.
Stripe
Stripe sets cookies during the checkout process to prevent fraud and process payments. These are necessary for purchases to work.
bzk-geo
A short cookie this site sets at the edge on first visit, based on the country code in your request. Value is either 'ok' (analytics scripts will load) or 'block' (analytics suppressed for EEA / UK / CH visitors). Used so the analytics decision does not require running a full geolocation lookup on every navigation. 30-day max-age. Not shared with any third party.
04Browser storage we use
Beyond cookies, this site stores small amounts of data in your browser via localStorage and sessionStorage. The list below is the primary set as of the “last updated” date above. None of these are shared with a third party, none are persistent identifiers, and clearing them only resets in-page demos. Case-study demo pages may also set short-lived UI state in browser storage; these clear on tab close.
| Key | Purpose | Duration |
|---|---|---|
| bzk:chat.session | Persists the in-browser chat history for the Berserker assistant across navigations. | Tab session |
| bzk:personalization:* | Caches resolved personalization codenames so a visitor opening a personalized link is not re-queried each navigation. | Tab session |
| mdc-bloom-charts-v1 | Bloom case-study chart demo: stores the selected date range. | Persistent |
| mdc-bloom-metrc-packages-v1 | Bloom Metrc demo: column visibility preferences. | Persistent |
| mdc-bloom-mobile-budtender-v1 | Bloom mobile budtender demo: in-progress cart state. | Persistent |
| mdc-bloom-pos-discount-v1 | Bloom POS demo: applied discount. | Persistent |
| mdc-bloom-pos-register-v1 | Bloom POS demo: cart contents. | Persistent |
| mdc-bloom-pos-returns-v1 | Bloom POS demo: returns wizard state. | Persistent |
| mdc-bloom-portal-dashboard-v1 | Bloom portal demo: dashboard date range. | Persistent |
| mdc-hearthlight-calendar-v1 | Hearthlight demo: weekly meal calendar. | Persistent |
| mdc-hearthlight-mealplan-v1 | Hearthlight demo: meal plan wizard progress. | Persistent |
| mdc-hearthlight-pantry-v1 | Hearthlight demo: pantry matcher selections. | Persistent |
| mdc-hearthlight-recipe-v1 | Hearthlight demo: recipe correspondences view. | Persistent |
| mdc-hearthlight-shopping-v1 | Hearthlight demo: shopping list. | Persistent |
| mdc-hearthlight-tarot-v1 | Hearthlight demo: daily tarot reading. | Persistent |
| mdc-hearthlight-tarot-showcase-v3 | Hearthlight demo: tarot showcase state. | Persistent |
| mdc-rl-food-journal-v1 | The Rooted Life demo: food journal entries. | Persistent |
| mdc-rl-foundations-quiz-v1 | The Rooted Life demo: foundations quiz answers. | Persistent |
| mdc-rl-naq-demo-v1 | The Rooted Life demo: NAQ slice demo state. | Persistent |
To clear any of these, open your browser’s site data settings for michaeldishmon.com and remove storage. The site will continue to work; in-progress demos will reset.
05AI disclosure
The Berserker chat assistant on this site is a large language model. It uses Anthropic’s Claude API to generate responses. When you send a message, the message and a system prompt are forwarded to Anthropic’s API and a response is returned. Anthropic processes this data under their own privacy policy and does not train default API traffic on customer inputs.
This disclosure is published in advance of the EU AI Act Article 50 first-interaction transparency requirement (effective August 2, 2026). The chat is clearly labeled “Berserker” and “ai assistant” in the in-page UI; this section adds the formal data-processing disclosure.
Chat conversations, including the full text of messages you send and responses generated by the assistant, are retained for up to 30 days for incident review and quality assurance, then automatically deleted. IP addresses associated with chat conversations are stored as salted SHA-256 hashes and are not personally identifying.
06How I use your data
Your data is used to deliver the service you asked for. Specifically: to respond to contact form submissions, to process purchases and deliver digital products, to manage your account, and to improve the site based on aggregate usage patterns.
I do not sell your data. I do not share your email with third parties for marketing purposes. If I send you an email, it’s because you bought something, asked me a question, or explicitly signed up for updates.
07Third-party services
The following services process data on my behalf. Each has their own privacy policy.
Stripe
Payment processing. stripe.com/privacy
Supabase
Database and authentication. supabase.com/privacy
Vercel
Site hosting. vercel.com/legal/privacy-policy
PostHog
Product analytics. posthog.com/privacy
Google Analytics
Traffic analytics. policies.google.com/privacy
YouTube
The member portal (/dashboard/learn/*) uses YouTube's standard embed API to deliver course videos. This integration uses youtube.com (not the privacy-enhanced nocookie domain), which means YouTube may set cookies for authenticated portal users to track video playback and performance. This is required for accurate lesson-completion tracking inside the portal. YouTube processes this data under Google's privacy policy. Marketing pages on this site that embed YouTube videos use the nocookie domain and do not set YouTube tracking cookies.
Resend
Transactional email. resend.com/legal/privacy-policy
Anthropic
Powers the in-site chat assistant. Messages you send to the chat are forwarded to Anthropic's Claude API and processed under their policy. anthropic.com/legal/privacy
Cloudflare R2
Object storage. Hosts short-form video clips used by the Furby TV easter egg. Receives video file requests and IP address. Region: WNAM. Retention: indefinite while account is active.
Google Tag Manager (GTM)
Tag orchestration. Dispatches analytics events. Receives event metadata and page URLs. Retention per GTM defaults.
Google Fonts
Web font delivery for DM Serif Display, DM Sans, and DM Mono. Receives IP address per Google Fonts Terms of Service. Fonts are self-hosted via next/font where possible to minimize the request footprint.
Cal.com
Meeting scheduling. Used when visitors book a call with Michael. Receives name, email, meeting topic, and time. Retention per Cal.com.
Telnyx
SMS messaging for sales outreach sequences. Receives phone numbers and message content for outbound SMS. telnyx.com/legal/privacy-policy
Twilio
Fallback SMS provider. Same data scope as Telnyx; used when the Telnyx adapter fails. twilio.com/legal/privacy
Mailgun
Inbound email routing for go.michaeldishmon.com replies. Parses sender address, subject, and body of reply emails into the sales CRM. mailgun.com/privacy-policy
08Data retention
Account data is kept as long as your account is active. If you delete your account, your personal data is removed within 30 days. Purchase records may be retained longer for tax and legal compliance.
Contact form submissions are kept for 2 years or until you request deletion. CRM records (sales research data, outreach activity history) are deleted within 30 days of a deletion request emailed to hello@michaeldishmon.com. Email and SMS send logs are retained for 12 months for deliverability auditing.
Analytics data is retained according to each provider’s default retention periods (PostHog: 1 year, GA4: 14 months). Server-side GA4 purchase events (transaction amount, product, non-identifying reference) are retained under Google’s standard 14-month retention and fire for all completed purchases regardless of location.
09Your rights
You can request a copy of your data, ask me to correct it, or ask me to delete it. Just email me. I’ll respond within a reasonable timeframe, typically a few days.
If you’re in the EU, you have additional rights under GDPR including data portability and the right to object to processing. If you’re in California, you have rights under the CCPA. I respect both regardless of where you live.
California residents: I do not sell your personal information to third parties for monetary consideration, and I do not share it for cross-context behavioral advertising. To exercise your right to know what data I hold, to correct it, or to delete it, email hello@michaeldishmon.com with the subject line “CCPA Request.” You will get a response within 45 days. You may also authorize an agent to make the request on your behalf.
If you never visited this site: If you received outreach from me and want the underlying record removed from my CRM, email delete@go.michaeldishmon.com and include the email address or LinkedIn URL on the record so I can locate it. This is the only mechanism required for sales research records. The request will be honored within 45 days, matching the CCPA service-level window.
10Children and minimum age
This site and its products are intended for adults. To create an account or purchase a product, you must be at least 16 years old.
This site is not directed at children under 13. I do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided personal information through this site, email me at hello@michaeldishmon.com and I will delete that data promptly. Parents or guardians can contact me with COPPA-related requests at that same address.
11Security
The site is served over HTTPS. Authentication is handled by Supabase with bcrypt password hashing and secure session tokens. Payment data is processed by Stripe and never touches my servers. I take reasonable measures to protect your data, but I also want to be honest: this is a one-person operation, not a Fortune 500 security team. If I ever discover a breach, I’ll notify affected users directly.
12Changes to this policy
If I make meaningful changes, I’ll update the “last updated” date at the top. For significant changes that affect how your data is handled, I’ll do my best to notify you via email if you have an account.
13Contact
Questions about this policy? Email me at hello@michaeldishmon.com. I read every email and respond personally.
$ michael dishmon / sole proprietor / usa