Privacy policy
Effective: 12 May 2026 · Last updated: 13 May 2026
This policy explains what data fencepost collects, why, who we share it with, and what you can do about it. It applies to the fencepost website (fencepost.life) and the fencepost web application, together “the Service.”
We’ve tried to write it in plain language. If anything is unclear, please email [email protected].
1. Who we are
fencepost is operated as a sole trade by an individual based in Ireland (“fencepost,” “we,” “us”). We are the data controller for the personal data described in this policy.
fencepost is in a free validation phase. We are deliberately running it without a registered company or trading address while we find out whether the program is useful to enough people to justify the structure of a paid product. The contact channel for all data-protection matters (including statutory rights requests and complaints) is [email protected]. If you need to identify the operator for a regulatory or legal purpose (for example to serve a complaint to a supervisory authority), email us and we will respond with identification details within 14 days.
2. What we collect, and why
We collect only what is needed to run the Service. We do not buy data about you from third parties, and we do not build advertising profiles. The categories of data are:
(a) Account data
Your email address. We use it to sign you in (via a magic link sent to your inbox) and to send transactional messages such as partner invites and account notices. We also store three consent timestamps (described below) so we can prove, when you ask us to, exactly when you agreed to which terms.
Lawful basis: necessary to perform the contract you enter with us when you create an account (GDPR Art. 6(1)(b)).
(b) Exercise responses
The answers you write in the program: short text, numbers, sliders, ranked lists, and the other field types used across the eight weeks. Without this data the Service cannot function. It is what we are storing on your behalf so you can come back to it.
Because the program prompts you to reflect on reproductive choices, your relationships, and your emotional state, your responses may contain what GDPR calls special-category data: data about health, sex life, and similar. Processing that kind of data requires a specific lawful basis under Art. 9 of GDPR. Ours is your explicit consent under Art. 9(2)(a), which you give on the welcome screen before any of your responses are stored. We record the timestamp of that consent on your account and you can withdraw it at any time by deleting your account (see Section 8 below). General processing of this data is also necessary to perform the Service contract (Art. 6(1)(b)).
Some exercises are marked private in their definition. The content of a private exercise is stored with a flag that prevents it from ever appearing in partner comparison views or being included in AI reflection requests, regardless of any other setting. The private flag is enforced at the database query layer; it is not a UI convenience.
(c) Partnership data
If you invite someone to work through the program with you, we create a partnership record linking your two accounts, and store the invite’s email address and a one-time invite token. Once accepted, the partnership lets each of you see the other’s submitted answers on non-private exercises, side by side. Either of you can dissolve the partnership at any time from settings, which immediately stops further sharing in both directions.
Lawful basis: necessary to perform the contract (Art. 6(1)(b)).
(d) AI reflection content (optional, opt-in)
The AI reflection feature is doubly opt-in. First, you decide at signup (on the welcome screen) whether you want to enable it on your account; the default is off, and you can flip the setting on or off at any time. Second, each individual reflection is triggered by you clicking a button on a specific exercise; we never send anything to the AI without that explicit click.
When you click, the free-text you wrote on that exercise (and only that text, with the exercise’s title) is sent to Anthropic’s Claude API together with a fixed system prompt that constrains how the model is allowed to respond. We never send numeric fields, slider values, ranked lists, single-select choices, structured ratings, or any field from a private exercise. Before you click, the “What does the AI see?” disclosure on the page shows you the exact payload that would be sent.
Lawful basis: your explicit consent (Art. 6(1)(a) and, where the underlying text is special-category data, Art. 9(2)(a)), granted when you enable the feature on the welcome screen and confirmed again when you click to request a reflection.
Anthropic’s use of the data is governed by its commercial terms of service. Under those terms Anthropic does not use API inputs or outputs to train its models. Anthropic retains inputs and outputs for up to 30 days for abuse-monitoring and then deletes them automatically. We are not on Anthropic’s enterprise-only zero-data-retention tier, so the 30-day window on Anthropic’s side does apply to your reflections. We will move to a stronger Anthropic arrangement when we can and will update this policy if and when we do.
We do not use your exercise responses or any data you produce on fencepost to train any AI model: not ours, not Anthropic’s, not anyone else’s.
(e) Technical data
When you visit the Service we receive standard request metadata: your IP address, browser user-agent, the page requested, and the time. We use this to operate the Service securely (rate-limiting, abuse detection, debugging). We do not use third-party analytics, and we do not run advertising tags. Lawful basis: our legitimate interest in running a secure service (Art. 6(1)(f)).
We set one essential cookie: a signed, http-only session cookie that keeps you logged in. We do not set any other cookies, and we do not use trackers, pixels, or fingerprinting. Because the only cookie we set is strictly necessary to deliver a service you have asked for (signing into your account), we do not display a cookie banner; under ePrivacy rules strictly-necessary cookies are exempt.
3. Audit log
We keep an internal audit log of security- and account-relevant events: magic-link issuance, sign-ins, consent grants and withdrawals, partner invite creation, partnership acceptance, exercise submissions, and AI reflection requests. Each entry stores the user’s ID, the event type, a timestamp, and the IDs of the relevant records, but not the content of your responses. We use this to investigate abuse, to handle deletion requests verifiably, and to debug issues you report. When you delete your account, audit-log entries are anonymised: the user ID is removed from each row so the row is no longer linked to an identifiable person, while the event type and timestamp remain for our internal record of what the system did.
4. Who we share data with
We do not sell your data and we do not share it with advertisers. We do use a small number of subprocessors that operate parts of the Service on our behalf. Each is bound by their own data processing terms and is only allowed to use your data to provide their service to us:
- DigitalOcean (DigitalOcean, LLC, USA, EU region) hosts the application and the managed Postgres database. All your account, exercise, partnership, and audit data is stored here. Database disks are encrypted at rest; connections to the database use TLS.
- Postmark (ActiveCampaign, LLC, USA) sends our transactional email: sign-in magic links, partner invites, waitlist confirmations, and partner-dissolution notices. Postmark receives the recipient’s email address and the content of the message at send time. They do not use the data for any other purpose.
- Anthropic (Anthropic, PBC, USA) generates the optional AI reflection question, only when you opt in to that feature on a specific exercise. See Section 2(d) for what we send and Anthropic’s retention.
We may also share data when we are legally required to (for example a valid court order or subpoena), or when needed to defend our rights or those of our users. If fencepost transitions from this free phase to a paid product and the operating entity changes, your data may move to the new operator under the same commitments; we will notify you in advance.
5. International transfers
DigitalOcean (in its US-headquartered capacity), Postmark, and Anthropic are established in the United States. Where we transfer personal data of EU/UK residents to those processors, the transfers are protected by the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum for UK residents), as published by the relevant processor. You can request copies of these mechanisms by emailing us.
6. How long we keep data
We keep data only for as long as it is needed for the purposes described in this policy.
- Account, exercise responses, partnership records, AI reflections: for as long as you have an active account. When you delete your account (see Section 8), this data is removed from production immediately and from encrypted backups within 7 days as backups rotate out.
- Magic-link tokens: 15 minutes from issue, single-use, then expired. Expired tokens are purged on a rolling basis.
- Waitlist signups: kept until we either launch the paid product and contact you, or you ask us to remove your email. If we abandon the paid-product plan we will delete all waitlist data and tell waitlist subscribers we have done so.
- Audit log entries: retained for up to two years from creation, then purged. Entries linked to a deleted account are anonymised at deletion time (see Section 3).
7. Security
Data is encrypted in transit (TLS 1.2+) and at rest (the underlying managed-database disks). Session cookies are signed, http-only, and marked Secure and SameSite=Lax. Magic-link tokens are hashed before storage so a compromised database read cannot be used to log in. Access to the production database is limited to people who need it to operate the Service.
No system is perfect. If we ever discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (for residents of Ireland, the Data Protection Commission) within 72 hours and will notify affected users without undue delay.
8. Your rights and account deletion
You have the following rights regarding the personal data we hold about you. These are guaranteed by GDPR in the EU and UK GDPR in the UK; equivalent rights are available to residents of some other jurisdictions:
- Access — you can download a copy of the personal data we hold about you at any time. Sign in, open Settings, and use “Download my data”. The file is a single JSON archive containing your profile, consents, exercise responses, AI reflections, partnerships metadata, waitlist entries, and audit log. It does not include anything belonging to another user.
- Rectification — you can ask us to correct inaccurate data.
- Erasure (“right to be forgotten”) — you can delete your account and the data we hold about you at any time. Sign in, open Settings, and use the Delete account button. Deletion is immediate from production and propagates to backups within 7 days as backups rotate out. If you have an accepted partnership, your partner is notified that the partnership has ended (we do not tell them why or share your email).
- Portability — the same JSON archive described under Access is structured for portability: you can take it to another service or archive it locally.
- Restriction and objection — you can ask us to stop processing your data for specific purposes, where the law allows.
- Withdrawal of consent — you can withdraw consent at any time. For AI reflections, the in-settings toggle does this for future reflections. For journal-storage consent (Art. 9(2)(a)), withdrawing means we cannot continue to hold your responses; the practical effect is the same as deleting your account, which is the mechanism we provide.
- Complaint — you can lodge a complaint with your local data-protection supervisory authority. For Ireland that is the Data Protection Commission; for other EU/EEA residents, the authority in your country of residence; for UK residents, the Information Commissioner’s Office (ICO).
To exercise any right that isn’t self-serve, email [email protected] from the address associated with your account, or include enough information to let us verify your identity safely. We respond within one month; complex requests may take an additional two months, and we will tell you if so.
9. Automated decision-making
fencepost does not make automated decisions that produce legal or similarly significant effects about you. The AI reflection feature produces an open-ended question that you choose whether to engage with; it does not score, rank, gate, or restrict your access to any part of the Service.
10. Children
The Service is intended for adults (18 and over) and is not appropriate for children. We do not knowingly collect data from anyone under 18. If you become aware that a minor has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. When we do, we will change the “Last updated” date at the top of the page. If the change is material (for example, adding a new category of data, a new subprocessor, or a new purpose) we will notify existing users by email or via an in-app notice before the change takes effect.
12. Contact
For anything (questions, data requests, complaints, or general feedback), please email [email protected]. We aim to reply within a few working days.
As noted in Section 1, fencepost is operated as a sole trade by an individual based in Ireland; identification details required for service of process or regulatory complaints are available on written request to [email protected] and will be provided within 14 days.