Legal
Privacy
What we collect, why, and what you can do about it. Plain language. No dark patterns.
Who we are
whichidea.com is run by Paris Thomas and Christian Doll, private individuals. For privacy questions, write to hello@whichidea.com.
The short version
- If you sign up for the waitlist, we keep your email and which form you submitted (hero or final CTA). That's it.
- If you're an admin signing in with Google, we set one short-lived session cookie. We do not track you across the web.
- We don't run any third-party analytics, advertising, or tracking pixels.
- You can ask us to delete your data at any time by emailing hello@whichidea.com or unsubscribing from any email we send you.
What we collect, and why
Email signups
When you submit your email through the waitlist forms on the homepage, we collect:
- Your email address.
- A short tag indicating which form on the page you used (hero or cta) so we can see which message resonates.
Legal basis: your consent (Art. 6(1)(a) GDPR), given by submitting the form. Purpose: to email you when the book is ready and occasionally with related updates. Retention: until you unsubscribe or ask us to delete it.
This data is stored in Sender.net (Lithuania, EU), our email service provider. Sender acts as a data processor on our behalf under a Data Processing Addendum.
Admin sign-in
If you sign in to the admin area at /api/auth/login using your @whichidea.com Google Workspace account, we set a signed, HTTP-only session cookie so we can recognise you on subsequent requests. The cookie is strictly necessary for the admin function and contains no personal data beyond your email and Google user ID.
Legal basis: contract / legitimate interest (Art. 6(1)(b)/(f) GDPR — operating the site). Retention: cookie expires when you sign out or after 7 days, whichever comes first.
Server logs
Our hosting provider, Vercel (USA), keeps short-lived access logs (IP address, user agent, request path, status code) for operational purposes — debugging, abuse prevention, performance. Logs are retained for a few days and then discarded. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Code commits and admin notifications
When an admin makes a content edit through the in-browser editor, the edit is committed to our private GitHub repository. The commit author records the admin's email. The site also sends a short message to a private Telegram chat to notify the team.
AI-assisted editing
When an admin uses Comment Mode to commission a content change, the comment text and the current page HTML are sent to the Anthropic Claude API to draft and execute the change. Anthropic processes data on our behalf as a sub-processor and does not use it for model training. No public visitor data is sent to Anthropic.
Who else sees your data
We use the following processors. Each is bound by a Data Processing Addendum (or equivalent contractual safeguards) and only handles the data described above:
- Sender.net (EU/Lithuania) — email delivery and subscriber storage.
- Vercel (USA) — hosting and serverless functions. Transfers are covered by Standard Contractual Clauses.
- GitHub (USA, Microsoft) — source code and content storage. SCCs.
- Google Workspace (USA) — admin email and OAuth sign-in. SCCs.
- Anthropic (USA) — AI editing assistance, admin-initiated only. SCCs.
- Telegram (international) — admin notifications only. No public visitor data is sent.
- Cloudflare (USA) — DNS and email routing for our domain.
We do not sell or rent your data to anyone, ever.
International transfers
Some of the processors above are based outside the EU/EEA. Where personal data is transferred to them, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures, to ensure an adequate level of protection.
Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you.
- Have it corrected if it is wrong.
- Have it deleted ("right to be forgotten").
- Receive a copy in a portable format.
- Object to or restrict our processing of it.
- Withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email hello@whichidea.com. We aim to respond within 30 days. You also have the right to lodge a complaint with a supervisory authority — for us, that's the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus.
Security
We use HTTPS everywhere, signed and HTTP-only session cookies, scoped API tokens, and least-privilege access for the small team that runs the site. We will never email you asking for a password.
Cookies
Public visits to whichidea.com set zero cookies. Cookies appear only when you sign in to the admin area, and they are strictly necessary for that function. See the cookies page for the full list.
Changes to this policy
If we change anything material, we'll update the date below and — if you're on our list — let you know by email.
Last updated: 2026-04-26.