Privacy Policy

Who this applies to

This policy covers anyone who uses mascot.sh — the website, the app, and any related services operated by Wraxle LLC. "We," "us," and "our" mean Wraxle LLC, 3525 Del Mar Heights Rd, Suite 818, San Diego, CA 92130.

What we collect

Account information

When you sign up with Google, we receive your name, email address, and profile photo from Google. That's it — we don't get access to your contacts, calendar, or anything else in your Google account.

Business information you provide

To generate a mascot that actually fits your brand, we ask you to describe your business — the name, what you do, your vibe, colors you like, and so on. You might also give us your website URL so we can pull in context about your business automatically. All of that goes into generating your mascots.

Generated images

Every mascot image generated through your account is stored and associated with your account. This includes images you lock into your brand kit and images you discard. See the Terms of Service for how discarded images are handled.

Usage data

We track how the service is used — things like which features people click on, where they get stuck, and how they move through the generation flow. This is aggregate and behavioral data, not a surveillance log of your every move. We use PostHog for this.

Payment information

We don't store your credit card number. Payment processing goes through Stripe, and they handle everything related to card data. We do receive a record of your transactions — amount, date, and whether payment succeeded — so we can manage your subscription.

Cookies and local storage

We use cookies to keep you logged in and remember your preferences. We don't run third-party ad tracking cookies. The PostHog analytics tool sets its own cookie to track sessions across visits. That's pretty much it. You can block cookies, but parts of the service may stop working if you do.

How we use your data

Everything we collect has a purpose:

• Your email and account info — to log you in, send receipts, and contact you about your account
• Business descriptions and URLs — to generate mascots that actually match your brand
• Generated images — to show them to you, let you download them, and improve our generation quality over time
• Usage data — to understand what's working and fix what isn't
• Payment records — to manage billing and handle refund requests

We don't sell your data. We don't rent it. We don't share it with advertisers. Full stop.

Third-party services

PostHog (analytics)

We use PostHog to understand how people use mascot. PostHog records session activity like clicks and page views. It can be configured to anonymize IP addresses, and we've done that. PostHog's privacy policy is at posthog.com/privacy.

Stripe (payments)

Stripe processes all payments. When you subscribe or make a purchase, your card information goes directly to Stripe's servers — it never touches ours. Stripe's privacy policy is at stripe.com/privacy.

Cloudflare R2 (image storage)

Your generated mascot images are stored on Cloudflare R2, which is Cloudflare's object storage service. Images are stored in the US. Cloudflare's privacy policy is at cloudflare.com/privacypolicy.

Google (authentication)

We use Google OAuth for login. Google's privacy policy governs how Google handles your data on their end. We only use what Google sends us — your name, email, and profile photo.

Data retention

We keep your account data for as long as your account is active. If you cancel your subscription, your account moves to archive mode and your data stays intact unless you request deletion.

If you delete your account, we remove your personal information within 30 days. Some records — like billing history — may be retained longer to comply with tax and accounting requirements, but they're not used for anything else.

Generated images that you discarded (and didn't lock) may be retained in our training data pipeline even after account deletion. If you want specific images removed, email us and we'll do our best.

Your California privacy rights (CCPA)

We're based in California, and California's Consumer Privacy Act gives California residents specific rights. Regardless of where you live, we extend these rights to all our users:

• Know what we collect — you can ask us for a summary of the personal data we hold about you
• Delete your data — you can request that we delete your personal information
• Correct your data — if something's wrong, you can ask us to fix it
• Opt out of sale — we don't sell personal data, so there's nothing to opt out of, but the right stands
• Non-discrimination — we won't treat you differently or charge you more for exercising your privacy rights

To exercise any of these rights, email privacy@mascot.sh. We'll respond within 45 days.

Data security

We use HTTPS everywhere, store passwords through Google (so we never see them), and keep production data access limited to people who need it. No system is perfectly secure, but we take this seriously.

If there's ever a breach that affects your personal data, we'll notify you as required by law — and sooner if we can.

Children's privacy

mascot is not intended for anyone under 18. We don't knowingly collect data from minors. If you believe a minor has created an account, please email us and we'll remove it.

Changes to this policy

We'll update this policy when our practices change or when laws require it. If the changes are significant, we'll notify you by email before they take effect. The "Effective" date at the top of the page reflects the current version.

Contact us

Privacy questions or requests go to privacy@mascot.sh. General questions go to hello@mascot.sh. You can also write to us:

Wraxle LLC
3525 Del Mar Heights Rd, Suite 818
San Diego, CA 92130