Privacy Policy — Pitch Score by byTHELAB
Last updated: 2026-05-26
Spanish version: `PRIVACY_ES.md`
30-second summary
- No tracking cookies, no Google Analytics, no Meta Pixel. None of it.
- When you audit a landing page, we only scrape the public HTML from the URL you give us.
- If you leave your email, we store it in Supabase and send you a confirmation email via Resend.
- We keep your IP and user agent for 30 days to prevent abuse and spam. We don't use them to profile you.
- We don't sell your data. We don't share it with anyone except the processors listed below (Vercel, Supabase, Resend, Google, Upstash).
- You can ask us to delete your email anytime by writing to hola@bythelab.xyz.
- We're a small studio in Mexico City, not a Fortune 500. We do things properly but honestly: we don't have SOC 2 or end-to-end encryption.
Who we are
byTHELAB Studio — a human-directed AI creative studio based in Mexico City, Mexico.
- Data controller: Wen Lopez (founder)
- Website: bythelab.xyz
- Product covered by this policy: Pitch Score (pitch.bythelab.xyz)
- Contact: hola@bythelab.xyz
This policy covers Pitch Score only. Other studio products have their own policies.
What data we collect
By type, with the purpose next to it:
| Data | When we collect it | What it's for |
|---|---|---|
| Email | When you fill the waitlist / lead form | Sending you your report and product updates |
| URL you audit | Each time you run an audit | Scraping the public HTML and running the analysis |
| Audit result | Generated by the system | Showing it to you, storing it so you can come back |
| Preferred language | Detected from browser or your selection | Showing UI and report in Spanish or English |
| IP and user agent | Automatically on every request | Rate limiting (abuse prevention) + standard server logs |
What we do NOT collect:
- No login, no account, no password.
- No third-party tracking cookies (Google Analytics, Meta Pixel, etc.).
- We don't follow you across the web.
- We don't read private content — only the HTML that's already public at the URL you gave us.
What we use it for
- Running the audit you asked for (we process the URL with a language model and return the score).
- Emailing you the result if you provided an email address.
- Preventing service abuse (IP-based rate limits).
- Improving the product (we look at what kinds of URLs get audited to understand who uses the tool — always in aggregate, not individually).
- Notifying you of product updates if you joined the waitlist. You can opt out anytime.
We don't use your data for advertising. We don't sell it. We don't rent it.
Who we share it with (subprocessors)
Pitch Score runs on third-party infrastructure. Each provider only sees what it needs:
| Processor | What it does | Where data lives | Policy |
|---|---|---|---|
| Vercel | Hosts the site and API routes | USA | vercel.com/legal/privacy-policy |
| Supabase | Database (Postgres) — stores emails and audit results | Multi-region (set at project creation) | supabase.com/privacy |
| Resend | Sends transactional emails (confirmations, reports) | USA | resend.com/legal/privacy-policy |
| Google Generative AI | Processes scraped HTML and generates the analysis (Gemini 2.5 Pro) | USA | policies.google.com/privacy |
| Upstash Redis | IP-keyed counters for rate limiting | Multi-region | upstash.com/trust/privacy.pdf |
Future / V2 (not active yet):
| Processor | What it would do | Where |
|---|---|---|
| ClickUp | Receive lead emails to forward into the studio's internal CRM pipeline | USA — clickup.com/terms/privacy-policy |
When we activate ClickUp, we'll update this policy and let you know.
International transfers: As you can see, several processors are in the USA. If you're in Mexico, the EU, or another country, your data travels to the USA. This is covered by each provider's contractual clauses (Standard Contractual Clauses for GDPR; informed consent under Mexico's LFPDPPP). [LEGAL REVIEW: confirm whether we need a signed DPA with each provider before official prod launch.]
How long we keep it
| Data | Retention |
|---|---|
| Email + audit results | Indefinite, until you ask us to delete it |
| Vercel IP logs | 30 days (Vercel's standard retention) |
| Upstash rate-limit counters | 24 hours (each counter key expires automatically) |
| Resend email logs | Per Resend's retention (typically 30 days) |
If you want us to delete your email and audits sooner, write to hola@bythelab.xyz and we'll do it within 15 business days at most.
Your rights (ARCO + GDPR)
Because we apply Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and the GDPR for European users, you have rights over your data. The acronym matters less than the fact that you can:
- Access — Ask what data we have about you.
- Rectify — Ask us to correct incorrect data.
- Cancel / Delete — Ask us to remove your data.
- Object — Ask us to stop using it for a specific purpose (e.g., stop emailing you).
- Portability (GDPR) — Ask for a copy of your data in a readable format.
- Withdraw consent — Change your mind about something you previously allowed.
No weird paperwork. An email is enough.
How to exercise your rights
Send us an email at hola@bythelab.xyz with:
- What you want to do (access / rectification / deletion / etc.).
- The email you registered with (so we can identify you).
- If it's deletion, confirmation that you understand you'll lose your audit history.
We'll respond within 15 business days at most. If we need more time (complex case), we'll explain why.
If you're not happy with how we handled your case, you can contact the data protection authority:
- In Mexico: INAI (inai.org.mx)
- In the EU: your country's authority (list at edpb.europa.eu)
Cookies and tracking
We keep it simple:
- No tracking cookies. Not first-party, not third-party.
- No Google Analytics, Meta Pixel, Hotjar, or anything similar.
- We may use strictly functional cookies (e.g., to remember your language preference). Strictly necessary cookies like these are exempt from the consent requirement under the EU ePrivacy rules that accompany GDPR, and don't require consent under LFPDPPP.
If this changes, you'll read it here first.
Security
We do what a small studio can do well:
- HTTPS site-wide (TLS terminated at Vercel).
- API keys and secrets in environment variables, not in the repo.
- Supabase access restricted by database roles and row-level security (RLS) policies where applicable.
- Backups managed by Supabase.
What we are NOT:
- We don't hold SOC 2, ISO 27001, or HIPAA certifications.
- We don't do end-to-end or client-side encryption: we (and our processors) can read the data we store. Data at rest is encrypted by Supabase's standard managed setup, not by keys only you hold.
- We don't have a dedicated security team. We're a team of 3 humans + agents.
If you handle highly sensitive data (health, regulated financial, etc.), Pitch Score isn't the right tool. Use it to audit public landing pages, which is what it's built for.
Minors
Pitch Score is for users 13 and older. If you're younger, don't use the product and don't leave your email. If we find out a minor gave us data, we delete it.
Changes to this policy
If we change something material (new processors, new data types, changes to your rights), we update the date above and:
- If you have a registered email with us, we'll send you a notice.
- We publish a changelog in the public repo.
Minor changes (typos, broken links) we make without notification.
Contact
For anything privacy-related:
- Email: hola@bythelab.xyz
- Data controller: Wen Lopez, byTHELAB Studio
- Address: Mexico City, Mexico [LEGAL REVIEW: add formal registered address if required by INAI for full privacy notice]
If you have a question, write to us. We answer like humans, not bots.
[LEGAL REVIEW — open items for legal counsel before official prod launch:]
- Confirm whether we need signed DPAs with each subprocessor.
- Confirm whether the full LFPDPPP privacy notice requires a registered physical address.
- Confirm specific language for international transfers under LFPDPPP (Mexico → USA).
- Review whether we need a formal DPO under GDPR (likely not given our size, but confirm).