Privacy Policy
Last updated: March 17, 2026
The privacy of your data is a big deal to us. In this policy, we lay out: what data we collect and why; how your data is handled; and your rights with respect to your data. We promise we never sell your data: never have, never will.
Who we are
Front of the Napkin is a product of Steven Makes Things (a trade name of Ink and Feet LLC, a Wyoming LLC). If you have questions about this policy or your data, you can reach us at [email protected].
What we collect and why
We only collect what we need. Here's what that means in practice:
Identity & access
When you sign up, we ask for your email address and optionally your first name. That's it. We use your email to log you in, send you reports and account notifications, and to contact you if needed. If you give us your first name, we use it to personalize the site (e.g. "Hi, Steven"). We don't sell or share your identity information with anyone.
Your ideas and conversations
When you use Front of the Napkin, you describe your business ideas through a chat conversation. We store that conversation and the research we generate from it so you can access your reports. Your ideas are yours. We don't use them for any purpose other than providing you the service.
AI data processing
To analyze your ideas and generate research reports, we send your idea descriptions and conversation messages to Anthropic's Claude API. Anthropic processes this data to generate our analysis. Importantly:
- Anthropic does not use API data to train their models.
- Data sent to the API is subject to Anthropic's Privacy Policy and their API data usage policy.
- We also use web search and scraping services to gather publicly available market data as part of our research process.
Billing information
When you buy credits, your payment is processed by Stripe. We never see or store your full credit card number. We keep a record of which credit packs you purchased, your Stripe customer ID, and transaction history for accounting and support.
Website analytics
We collect basic, first-party analytics (page views, feature usage) to understand how the product is used and to fix problems. We do not use any third-party analytics or tracking services. No Google Analytics, no Facebook pixels, nothing like that.
Cookies
We use essential cookies only - a session cookie to keep you logged in and a CSRF cookie to protect against cross-site attacks. That's it. We don't use advertising cookies, tracking cookies, or any third-party cookies. Our cookies are:
- Essential for the service to function (authentication and security)
- Encrypted and served over HTTPS only
- Session cookie expires after 90 days of inactivity (refreshed each time you visit)
- CSRF cookie is temporary (cleared when you close your browser)
When we access or share your data
We don't sell your data to anyone, and we don't share it with third parties for marketing.
Here are the limited cases where your data may be accessed or shared:
- To provide the service: Your idea descriptions are sent to Anthropic's Claude API for analysis, and to web search/scraping services for market research. These services process data only to fulfill our requests.
- To process payments: Stripe processes your payment information.
- To send email: Amazon SES (Simple Email Service) delivers transactional emails like account verification and data export notifications. Only your email address is shared with AWS for this purpose.
- To fix problems: If you contact support or something breaks, we may need to look at your account data to help. We'll never access your content without a reason.
- When required by law: If we receive a legally binding request from law enforcement, we will comply. We will notify you if legally permitted to do so.
Your rights
We respect your rights over your data. These rights apply to all users, regardless of where you live:
- Right to access: You can export all of your data at any time from your Account Settings page.
- Right to correction: You can update your profile information from your account settings.
- Right to erasure: You can delete your account entirely from your account settings. When you do, we permanently delete all of your personal data, ideas, conversations, and reports. Cost records are anonymized (de-linked from your identity) for accounting purposes.
- Right to portability: Our data export gives you a complete JSON file of all your data that you can take anywhere.
- Right to object: You can contact us at any time to object to processing of your data.
If you're in the EU, you also have the right to lodge a complaint with your local data protection authority.
Data security
All data is transmitted over HTTPS/TLS. Passwords are hashed and never stored in plain text. Session cookies are encrypted and marked Secure, HttpOnly, and SameSite=Lax. Our servers are hosted on Hetzner in the EU, with automated backups.
Data retention and deletion
We keep your data for as long as your account is active. If you delete your account, we permanently purge your personal information, ideas, conversations, and reports. Anonymized cost records may be retained for accounting. Backups that contain deleted data are cycled out within 30 days.
Data location
Our servers are hosted by Hetzner in the EU (Germany). Payment processing through Stripe may involve data transfer to the United States. By using the service, you consent to this transfer.
Changes to this policy
We may update this policy from time to time. If we make significant changes, we'll notify you by email or by placing a prominent notice on the site. The date at the top of this page tells you when the policy was last updated.
Questions?
If you have any questions about this policy or your data, please contact us at [email protected].
This privacy policy is adapted from the Basecamp open-source policies, used under CC BY 4.0. Thank you, Basecamp, for making these available.