Privacy Policy

We collect as little as we can get away with. We never sell your data. Here's the full picture.

This policy covers all Turbo Puffin products: Helm, Propeller, Measure, and anything else we build.

What we collect and why

Identity and access

When you sign up, we ask for your name and email address. We need this to create your account and send you important product information. We won't use your name or company in marketing without your permission.

Billing information

If you pay for one of our products, we'll ask for payment details and a billing address. Credit card information goes straight to our payment processor (Stripe) — it never touches our servers. We keep the last four digits of your card number and your billing address for invoicing and fraud detection.

Your data in our products

We store whatever you put into our products. That's the whole point — you're using Helm to analyze MCA agreements, Propeller to send campaigns, or Measure to track analytics. We keep this data as long as your account is active. If you delete your account, we delete the data within 60 days.

Banking data (Helm)

If you use Helm and connect a bank account through our banking provider (Teller), we receive transaction data to help you audit ACH draws and understand your MCA activity. This data is encrypted in transit and at rest. We use it only to provide the service to you. We don't sell it, share it with lenders, or use it for any other purpose.

Website analytics

We use our own product, Measure, for website analytics across our sites. Measure is privacy-first by design — no cookies, no personal data collection, no cross-site tracking. We see aggregate numbers like page views and referral sources. We can't identify individual visitors and we don't try to.

Log data

We log IP addresses for security purposes — detecting unauthorized access, preventing brute force attacks, that kind of thing. We keep these logs as long as your account is active.

Emails from you

If you email us for support, we keep that conversation so we have context if you reach out again.

What we don't collect

We don't use third-party tracking cookies. We don't run ads. We don't use retargeting pixels. We don't collect data we don't need to run the service.

When we look at your data

Almost never. Your data is yours. The only times we'd access it:

• You asked us to. If you reach out for help with a support issue and we need to look at your account to fix it, we'll ask for your permission first.
• Something broke. If an automated process fails and requires manual intervention, we may need to look at the minimum amount of data necessary to fix it. This is rare.
• Security. If we suspect unauthorized access or abuse, we'll look at logs and metadata as part of the investigation.
• Legal obligation. If compelled by a valid U.S. court order or warrant. We won't hand over your data to anyone without proper legal process. If we're legally allowed to tell you about a request, we will.

Third-party services

We use a small number of third-party services to run our products:

• Stripe — payment processing
• Teller — bank account connections (Helm)
• Resend — transactional email
• OpenAI — AI analysis features (Helm contract analysis)

Each of these services only receives the data they need to do their job. We don't share your data with anyone else for any reason.

When we use AI to analyze your documents (like MCA agreements in Helm), the content is sent to the AI provider for processing. We don't allow the provider to use your data for training their models. The analysis is performed and returned to you — that's it.

Your rights

No matter where you live, we give everyone the same rights over their data:

• See it. You can ask us what personal data we have on you.
• Fix it. If something's wrong, you can ask us to correct it.
• Delete it. You can ask us to delete your personal data. In most cases, this means closing your account, since we need some of that data to provide the service.
• Take it. You can export your data at any time. It's yours.
• Object. You can object to how we process your data in certain situations.

To exercise any of these rights, email us at hello@turbopuffin.com. We'll respond within 30 days.

California residents

Under the California Consumer Privacy Act (CCPA), you have additional rights. The main ones: you can ask what personal information we've collected about you, request deletion, and opt out of any sale of your data. We don't sell personal information, so that last one is easy — there's nothing to opt out of.

We're a "service provider" under the CCPA, not a "business" or "third party," when it comes to data you put into our products. We only use it to provide the service you signed up for.

How we secure your data

All data is encrypted in transit using TLS. Database backups are encrypted. We use modern infrastructure with redundancy and regular security updates. For the full picture, see our security overview.

What happens when you delete stuff

If you delete content within your account, it'll be gone from our active systems within 30 days and from backups within 60 days. If you cancel your entire account, everything goes on the same timeline.

Where your data lives

Our infrastructure is in the United States. If you're outside the U.S., your data will be transferred to and stored in the U.S. By using our products, you're consenting to that transfer.

Changes to this policy

We may update this policy as needed. If the changes are significant, we'll update the date at the top and let you know.

Questions

Email us at hello@turbopuffin.com with any questions about your data or this policy.