Last updated: 10 June 2026
Privacy Policy
Your privacy matters to us. This policy explains what information we collect, how we use it, and your rights as a user of Visibility Command Centre.
1. Who We Are
Visibility Command Centre (“we”, “us”, “our”) is operated by Andrew George. We provide an AI-powered visibility and PR management platform for solo marketers, speakers, coaches, and consultants.
For any privacy-related queries, contact us at: andrew@mrandrewgeorge.com
2. Information We Collect
We collect the following categories of information:
Account information
- Name and email address provided at registration
- Password (stored securely as a hash — we never store your plain-text password)
- Authentication tokens for Google OAuth where used
Profile information
- Speaker bios (short, medium, long)
- Headshot and media library uploads
- Topics, speaker title, and tagline
- Website URL and LinkedIn profile URL
Usage and opportunity data
- Opportunities you track (podcasts, events, press, collaborations)
- Pitch emails and follow-up notes you create or generate
- Contact records and relationship notes
- Activity logs and status updates
- Calendar events linked to your opportunities
Connected account data
- Gmail: We access your Gmail account to send pitch emails on your behalf when you use the “Send pitch” feature. We read only the threads necessary to check for replies.
- Google Calendar: We read and write events to your calendar when you use the calendar integration.
- Slack: We send notifications to your Slack workspace when you connect the Slack integration.
Payment information
Payments are processed by Stripe. We do not store your card number, CVV, or full payment details on our servers. We retain only your Stripe customer ID and subscription status.
Automatically collected data
- Feature usage patterns (which features you use and how often)
- Error logs to help us diagnose and fix issues
- Device and browser type for display purposes
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Send pitch emails, follow-ups, and calendar events on your behalf
- Generate AI-assisted content based on your profile and opportunity data
- Calculate your Visibility Score and pipeline analytics
- Send you product updates, weekly digests, and notifications (you can unsubscribe)
- Enforce our Terms of Service and prevent abuse
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your data to train AI models beyond what is necessary to provide the Service.
4. Data Storage and Security
Your data is stored on Supabase infrastructure, hosted on AWS in the London (eu-west-2) region in the UK. Data is encrypted in transit using TLS (HTTPS) and encrypted at rest on the hosting provider's storage.
File uploads (headshots, media) are stored in Supabase Storage (S3-compatible) in the same region.
While we take reasonable technical and organisational measures to protect your data, no internet transmission is 100% secure. We encourage you to use a strong, unique password for your account.
5. Security Measures & Compliance
We implement multiple layers of security to protect your data and prevent unauthorized access:
Authentication & Access Control
- All API endpoints require authentication via secure session tokens
- Passwords are hashed using industry-standard algorithms — we never store plain-text passwords
- Admin users are verified before accessing sensitive functions
CSRF & Input Protection
- Cross-Site Request Forgery (CSRF) tokens protect form submissions
- All user input is validated and sanitized to prevent XSS (cross-site scripting) attacks
- Input length and format restrictions help prevent injection attacks
Rate Limiting
- Authentication: 5 attempts per 15 minutes per IP address
- API calls: 100 requests per hour per user
- Data export: 10 exports per hour per user
- Account deletion: 3 attempts per hour per user
- General requests: 50 requests per minute per user
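As an added illustration (this is example code written for this page, not Visibility Command Centre's own implementation), the following sliding-window limiter enforces the five limits listed above. Only the limit names, counts, windows and the IP-versus-user keying are taken from the policy; the class, the in-memory store and the `now` parameter (injected so behaviour can be checked without sleeping) are assumptions, and a real deployment would keep the hit log in a shared store such as Redis so that every application instance sees the same counts.

```python
"""Sliding-window rate limiter configured with the five limits in the policy.

Example code, not the platform's own. Names, counts and windows come from
the policy text; everything else is an illustrative assumption.
"""
from __future__ import annotations

import math
import time
from collections import defaultdict, deque

# policy name -> (max hits, window length in seconds, identity the limit is keyed on)
LIMITS: dict[str, tuple[int, int, str]] = {
    "auth":    (5,   15 * 60, "ip"),    # 5 attempts / 15 min / IP address
    "api":     (100, 60 * 60, "user"),  # 100 requests / hour / user
    "export":  (10,  60 * 60, "user"),  # 10 exports / hour / user
    "delete":  (3,   60 * 60, "user"),  # 3 attempts / hour / user
    "general": (50,  60,      "user"),  # 50 requests / minute / user
}


class RateLimiter:
    """Keeps a timestamp log per (policy, identity) and admits a request only
    while fewer than `max hits` timestamps fall inside the trailing window."""

    def __init__(self, limits: dict[str, tuple[int, int, str]] = LIMITS) -> None:
        self.limits = limits
        self._hits: dict[tuple[str, str], deque[float]] = defaultdict(deque)

    def check(self, policy: str, *, ip: str | None = None,
              user_id: str | None = None, now: float | None = None) -> tuple[bool, int]:
        """Return (allowed, retry_after_seconds).

        A request is recorded only when it is admitted, so a client that is
        already blocked cannot push its own unblock time further out by
        hammering the endpoint.
        """
        max_hits, window, scope = self.limits[policy]
        identity = ip if scope == "ip" else user_id
        if identity is None:
            # Refusing is safer than silently falling back to a shared bucket,
            # which would let every anonymous caller share one limit.
            raise ValueError(f"{policy!r} is keyed by {scope}, but no {scope} was supplied")

        now = time.time() if now is None else now
        log = self._hits[(policy, identity)]

        # Forget hits older than the window; the deque is kept in time order.
        while log and log[0] <= now - window:
            log.popleft()

        if len(log) >= max_hits:
            # The oldest hit leaves the window at log[0] + window; round up
            # so the value is usable directly in a Retry-After header.
            return False, math.ceil(log[0] + window - now)

        log.append(now)
        return True, 0


if __name__ == "__main__":
    limiter = RateLimiter()
    client_ip = "203.0.113.5"  # constructed sample address from TEST-NET-3
    for _ in range(6):
        allowed, retry = limiter.check("auth", ip=client_ip)
        print("login attempt:", "allowed" if allowed else f"blocked, retry in {retry}s")
```

Keying the authentication limit on the IP address rather than the account is what stops an attacker from being rate-limited per target and simply spreading a password-spraying run across many accounts; the trade-off is that users behind one NAT or corporate proxy share a single budget, so `retry_after` should be surfaced to them rather than failing silently.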
Security Headers
We inject security headers into all responses to prevent common web vulnerabilities:
- X-Content-Type-Options: Prevents MIME-type sniffing (set to nosniff)
- X-Frame-Options: Prevents clickjacking (set to DENY)
- X-XSS-Protection: Legacy header that enabled the built-in XSS filter in older browsers; current browsers ignore it, so it adds no protection on its own
- Referrer-Policy: Controls referrer information (strict-origin-when-cross-origin)
Error Handling
Errors are logged server-side with full details for debugging, but generic, safe messages are returned to clients to prevent information disclosure. Stack traces are never exposed to users.
6. Audit Logging & Monitoring
We maintain detailed, immutable audit logs of all sensitive operations for security monitoring and compliance purposes. These logs cannot be deleted or modified once created.
What we log
- User authentication (login, logout, failed login attempts)
- Data export requests (GDPR Article 20)
- Account deletion requests (GDPR Article 17)
- Admin operations (user status changes, permissions modifications)
- Suspicious activity and access denials
- IP addresses and user agents for forensic analysis
Audit log retention
Audit logs are retained indefinitely for compliance, security monitoring, and forensic investigation. You can view your own non-sensitive activity logs from your account. Admins can access comprehensive logs for security and compliance purposes.
Log access
Only authenticated admins can access full audit logs. RLS (Row Level Security) policies ensure regular users can only view their own activity, and sensitive events are hidden from non-admin users.
7. Third-Party Services
We use the following third-party services to operate the platform:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, and file storage | All account and usage data |
| Stripe | Payment processing and subscription management | Email, billing details |
| Resend | Transactional and digest emails | Email address, email content |
| Google (Gmail & Calendar) | Email sending and calendar sync | Gmail and calendar access tokens |
| Slack | Workspace notifications | Slack access token, notification content |
| Anthropic (Claude) | AI pitch generation and content features | Profile data and opportunity context |
| Apple Podcasts | Podcast discovery and metadata enrichment | Search queries and podcast identifiers |
| Taddy | Podcast discovery and data enrichment | Search queries |
Each third-party service operates under its own privacy policy. We encourage you to review their policies if you have questions about how they handle your data.
8. Data Retention
We retain your personal data for as long as your account is active.
- If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law (for example, financial records for tax purposes, which are retained for 7 years).
- Anonymised, aggregated usage statistics may be retained indefinitely.
- Backup copies may persist for up to 90 days after deletion.
9. Your Rights under UK GDPR
As a user based in the UK or EU, you have the following rights regarding your personal data:
- Right to access / data portability: You can download a copy of your personal data as JSON directly from your account settings. This includes your profile, opportunities, subscriptions, usage logs, and activity history. You can access this at any time by clicking “Export my data” in your settings.
- Right to erasure: You can request permanent deletion of your personal data (“right to be forgotten”). You can delete your account directly from your settings, which will permanently remove your data within 30 days, subject to the retention exceptions described in section 8.
- Right to rectification: You can update your profile and account information at any time from your settings page.
- Right to object: You can object to processing of your data for direct marketing purposes. You can unsubscribe from marketing emails in your notification preferences.
- Right to restrict processing: You can ask us to pause processing of your data in certain circumstances.
Self-service data tools: You have direct access to export and delete your data from your account settings without contacting support. If you prefer, you can also contact us at andrew@mrandrewgeorge.com and we will assist you. We will respond to requests within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
10. Cookies
We use minimal cookies to operate the Service:
- Authentication cookies: Set by Supabase to maintain your login session. These are session cookies and expire when you close your browser or after a period of inactivity.
- Preference storage: We may store UI preferences (such as sidebar state) in your browser's localStorage. This is not a cookie and is not sent to our servers with requests.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. You can clear cookies at any time through your browser settings.
11. Children's Privacy
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice within the Service. The “Last updated” date at the top of this page shows when the policy was last revised.
Continued use of the Service after a policy update constitutes your acceptance of the revised policy.
13. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Andrew George
Visibility Command Centre
andrew@mrandrewgeorge.com