This Privacy Policy describes how AllCaps Technologies Inc. ("AllCaps," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with the website located at https://d8m.io and any sub-domains, including the interactive playground located at /playground (collectively, the "Service").
AllCaps is a Delaware corporation with its principal place of business at 8700 Stonebrook Pkwy #1143, Frisco, TX 75034, USA. We are the controller of personal information collected through the Service.
This Policy applies to personal information collected through the Service. It does not apply to the AllCaps platform offered under separate commercial agreement, which is governed by the data processing terms in the applicable customer contract.
1. Information We Collect
1.1 Information You Provide to Us
We collect personal information that you submit through the Service:
- Contact form submissions. When you complete the contact form on the homepage or the embedded contact form in the "Book a call" modal, we collect your email address (required) and, where you provide them, your name, company, role, and the content of your message.
- Calendar booking interactions. The "Book a call" modal embeds a third-party Google Appointment Schedule. Booking details (your name, email, and selected time) are collected and processed by Google. AllCaps receives the resulting calendar event. See Section 5 for Google's role.
- Freeform playground queries. When you submit a natural-language query through the Playground's freeform endpoint, we transmit the text of your query and the role context you have selected to Google's Gemini API for response generation. We do not associate freeform queries with your identity unless you have submitted contact information through the email gate (after three queries).
- Email gate submissions. After three freeform queries in a single session, we ask you to provide an email address (and optional company / role) before further queries are processed. The email is associated with the session for the limited purpose described in Section 2.
1.2 Information Collected Automatically
When you use the Service, we and our service providers automatically collect the following:
- Log data and device data, including your IP address, browser type and version, operating system, referring URL, pages viewed, and request timestamps. Vercel Inc., our hosting provider, processes this information to operate the Service.
- Product analytics events. We use PostHog Inc. as our product analytics provider. PostHog collects standard product analytics signals: pageviews, button clicks, scenario and role changes in the Playground, citation expansions, freeform submissions, calendar opens, and form submissions. PostHog also captures approximate geographic location derived from your IP address (city/region level) and browser and operating system identifiers. PostHog is configured on the Service to use in-memory persistence only; we do not store identifiers in cookies or in your browser's local storage.
- First-party cookies set by embedded Google services. The Google Appointment Schedule iframe used in the "Book a call" modal may, when you have an active Google session, cause Google to set its own cookies in your browser as a result of that direct interaction with Google. AllCaps does not set its own cookies on the Service.
1.3 Information We Do Not Collect
- We do not collect government identifiers, payment information, or financial account information through the Service.
- We do not collect special categories of personal data (such as health, racial or ethnic origin, religious beliefs, or sexual orientation) through the Service.
- We do not maintain user accounts on the Service. The Service operates anonymously unless and until you provide contact information.
2. How We Use Personal Information
We use the categories of personal information described above for the following purposes:
| Purpose | Categories of Information |
|---|---|
| To respond to your inquiries and provide the information or meeting you have requested | Contact form data, email gate submissions, calendar booking interactions |
| To generate responses to freeform playground queries | Freeform query text, role context |
| To operate, secure, monitor, and improve the Service | Log data, device data, product analytics events |
| To detect, prevent, and respond to fraud, abuse, security incidents, and unlawful use | Log data, IP address, freeform query text |
| To compile aggregated and de-identified analytics and to evaluate the Service's performance and adoption | Product analytics events, log data |
| To develop, evaluate, and improve the underlying AllCaps platform | Freeform query text, aggregated analytics |
| To comply with our legal obligations and to enforce our agreements, including the Terms of Service | All categories |
We do not use personal information for automated decision-making that produces legal or similarly significant effects.
3. Legal Bases for Processing (EEA, UK, and Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information under one or more of the following lawful bases (as defined by the General Data Protection Regulation or its UK equivalent):
- Consent (Article 6(1)(a)), where you have explicitly consented to a specific use — for example, by submitting the contact form. You may withdraw consent at any time by contacting privacy@d8m.io.
- Performance of a contract or pre-contractual measures (Article 6(1)(b)), where processing is necessary to respond to your request for information, schedule a call, or otherwise take steps you have asked us to take prior to entering into a contract.
- Legitimate interests (Article 6(1)(f)), where we have a legitimate interest in operating, securing, and improving the Service, and that interest is not overridden by your rights or interests. Our legitimate interests include preventing abuse, understanding how the Service is used, and producing aggregated analytics. You may object to processing on this basis at any time.
- Legal obligation (Article 6(1)(c)), where processing is necessary to comply with a legal obligation to which we are subject.
4. How We Share Personal Information
We do not sell personal information. We share personal information only as described below:
4.1 Service Providers (Sub-Processors)
We share personal information with the following sub-processors, each of which is bound by data processing terms requiring confidentiality and processing of personal information solely on our instructions and for the purposes described in this Policy:
| Sub-Processor | Purpose | Data Categories | Primary Location |
|---|---|---|---|
| Vercel Inc. | Hosting; serverless function execution; CDN; request logging | IP address, request metadata, request payloads (including contact form and freeform query content) | United States |
| PostHog Inc. | Product analytics | Event names and properties, IP-derived geolocation, browser/OS, viewport size | United States or European Union (configurable; see below) |
| Amazon Web Services, Inc. (AWS SES) | Outbound email delivery for lead notifications | Sender/recipient email addresses, message content (the contact form payload) | United States |
| Google LLC (Gemini API) | Language-model inference for freeform playground queries | Text of your freeform query, role context, retrieval set from the fabricated dataset | United States |
| Google LLC (Google Calendar / Appointment Schedule) | Embedded meeting booking | Booking interactions you initiate (handled by Google's user interface within the embedded iframe) | United States |
The current PostHog region configured for the Service is shown in the Service's network requests as us.i.posthog.com or eu.i.posthog.com. You can determine the region by inspecting your browser's developer tools network panel.
4.2 Legal and Safety Disclosures
We may disclose personal information when we believe in good faith that disclosure is necessary to (a) comply with a legal obligation, judicial process, or government request, (b) enforce our Terms of Service, (c) detect, prevent, or address security, fraud, or technical issues, or (d) protect the rights, property, or safety of AllCaps, our users, or others.
4.3 Business Transfers
If AllCaps is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, personal information may be transferred as part of that transaction. We will require the receiving party to honor this Policy or provide notice and a meaningful choice before any subsequent material change in how the information is handled.
4.4 With Your Consent
We may share personal information with other parties when you direct us to do so or otherwise provide consent.
5. International Data Transfers
We operate from the United States, and our principal sub-processors are also located in the United States. When personal information is collected from individuals outside the United States, that information is transferred to and processed in the United States and other jurisdictions where our sub-processors operate.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum, as applicable). Where a sub-processor is certified under the EU-U.S. Data Privacy Framework, we may also rely on that certification. You may request a copy of the relevant safeguards by emailing privacy@d8m.io.
6. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Specifically:
- Contact form submissions and email gate submissions are retained until you request deletion under Section 7. We do not auto-delete leads.
- Freeform query text is retained for thirty (30) days for abuse detection and quality evaluation, after which it is deleted or de-identified.
- Product analytics events are retained according to PostHog's default retention period (currently seven (7) years for events, one (1) year for session-level identifiers); you may request earlier deletion under Section 7.
- Server logs held by Vercel are retained according to Vercel's standard retention period (typically up to thirty (30) days) and are not extracted or copied by AllCaps except in response to a security incident.
- Email delivery logs held by AWS SES are retained for the period specified in AWS's standard SES documentation.
7. Your Privacy Rights
Subject to applicable law and to verification of your identity, you have the rights described below. To exercise any of these rights, contact privacy@d8m.io from the email address associated with the personal information at issue, or by mail at the address in Section 12. We will respond to verifiable requests within the timeframe required by applicable law (generally thirty (30) days under the GDPR/UK GDPR, and forty-five (45) days under the CCPA).
7.1 Rights for Residents of the EEA, the UK, and Switzerland (GDPR)
- Right of access. You may request confirmation that we process your personal information and a copy of that information.
- Right to rectification. You may request that we correct inaccurate or incomplete personal information about you.
- Right to erasure. You may request deletion of your personal information, subject to limited exceptions (for example, where retention is required to comply with a legal obligation).
- Right to restrict processing. You may request that we limit the processing of your personal information in certain circumstances.
- Right to data portability. You may request a copy of your personal information in a structured, commonly used, machine-readable format, and the right to transmit that information to another controller.
- Right to object. You may object to processing of your personal information based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent. Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint. You may lodge a complaint with the supervisory authority in your country of residence.
7.2 Rights for Residents of California (CCPA/CPRA)
If you are a California resident, you have the rights below. AllCaps does not "sell" personal information or "share" personal information for cross-context behavioral advertising, as those terms are defined in the California Consumer Privacy Act.
- Right to know. You may request the categories of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share that information, and specific pieces of personal information collected about you.
- Right to delete. You may request deletion of personal information we have collected from you, subject to limited exceptions.
- Right to correct. You may request that we correct inaccurate personal information about you.
- Right to opt out of sale or sharing. Not applicable; AllCaps does not sell or share personal information as those terms are defined under the CCPA.
- Right to non-discrimination. You will not receive discriminatory treatment for exercising any of these rights.
You may designate an authorized agent to make a request on your behalf. We will require the agent to provide written authorization, and we may also verify your identity directly.
7.3 Rights for Residents of Other U.S. States
Residents of Colorado, Connecticut, Virginia, Utah, Texas, and other U.S. states with applicable consumer privacy laws may exercise rights substantially similar to those described above, in accordance with their respective state laws. To exercise any such right, please contact privacy@d8m.io.
8. Cookies and Tracking Technologies
AllCaps does not set its own cookies on the Service.
PostHog is configured to use in-memory persistence on the Service, which means PostHog identifiers are not stored in cookies or local storage and are reset when you close the browser tab.
The Google Appointment Schedule iframe, when opened, is a direct interaction between you and Google. Google may set first-party Google cookies in your browser as a result of that interaction. Google's use of cookies in this context is governed by Google's privacy policy.
You can control cookies through your browser settings, but doing so may affect the availability of some Service features.
9. Security
We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. Measures include encryption of data in transit (TLS 1.2 or higher), access controls on backend systems, and the use of vetted sub-processors that implement industry-standard security practices.
No system can be completely secure. If we become aware of a security incident affecting your personal information, we will notify you and the appropriate authorities to the extent required by applicable law.
10. Children's Privacy
The Service is not directed to children under the age of eighteen (18) and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under eighteen, we will promptly delete it. If you believe that a child under eighteen has provided personal information through the Service, please contact privacy@d8m.io.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will provide additional notice through the Service. Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the updated Policy.
12. Contact Us
For questions, complaints, or to exercise a privacy right described in this Policy, contact us at:
- Email: privacy@d8m.io
- Mailing address: AllCaps Technologies Inc., 8700 Stonebrook Pkwy #1143, Frisco, TX 75034, USA
We will respond to verifiable requests as promptly as we can and in accordance with applicable law.