Privacy Policy
Last updated: February 2026
This Privacy Policy describes how Lemonberry Labs LLC ("Company," "we," "us," or "our"), the owner and operator of howtowritea.com ("Service" or "Site"), collects, uses, discloses, and protects your personal information. By using the Service, you consent to the data practices described in this policy.
1. Information We Collect
1.1 Information You Provide Directly
- Account information: Email address (required for purchase and account creation via magic link authentication).
- Dispute and letter details: Names, mailing addresses, financial amounts, dates, property information, and descriptions of disputes that you provide in the intake wizard. The specific fields vary by letter type.
- Sender and recipient addresses: Full mailing addresses provided for letter delivery, which are validated through our address verification service.
1.2 Information Collected Automatically
- Usage data: Pages visited, features used, device and browser information, IP address, referral source, and session duration, collected via Google Analytics 4.
- Funnel and conversion data: Anonymized event data tracking your progress through the Service (e.g., letter type selected, wizard steps completed, purchases made).
- Session data: Authentication session tokens necessary for the Service to function.
1.3 Information We Do NOT Collect or Store
- Payment card information: Credit card numbers, CVVs, and billing details are processed directly by Stripe; they never touch, and are never stored on, our servers.
- Passwords: We use passwordless authentication (magic links). No passwords are collected or stored.
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Letter generation | Dispute details sent to Google Gemini AI to generate your demand letter |
| Mail fulfillment | Sender and recipient names and addresses shared with Lob to print and mail via USPS Certified Mail |
| Payment processing | Order metadata shared with Stripe to process payments |
| Email communications | Email address shared with Resend to send order confirmations, delivery updates, and authentication links |
| Address validation | Addresses shared with Lob to verify mailing addresses before submission |
| Bot prevention | Cloudflare Turnstile token to verify human interaction |
| Analytics and improvement | Anonymized usage data collected by Google Analytics 4 |
| Account management | Email address for authentication and account access |
3. Third-Party Service Providers
We share personal information with the following third-party service providers, each of which has its own privacy policy governing its use of your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Gemini | AI letter generation and research | Dispute details, recipient state, form responses |
| Stripe | Payment processing | Email, order metadata, payment information |
| Lob | USPS Certified Mail printing and delivery; address validation | Sender/recipient names and addresses, letter content (for mail tier) |
| Resend | Transactional email delivery | Email address, order confirmations, tracking numbers |
| Google Analytics 4 | Website analytics | Anonymized usage data, device info, page views |
| Neon | Database hosting (PostgreSQL) | All stored data (encrypted at rest) |
| Cloudflare | Bot prevention (Turnstile CAPTCHA) | Verification token, IP address |
| Vercel | Application hosting and deployment | Server logs, request metadata |
We do not sell, rent, or trade your personal information to any third party. Data is shared with the providers listed above solely for the purposes of operating the Service.
4. AI Processing and Automated Decision-Making
The core function of this Service involves automated processing of your data by artificial intelligence (currently Google Gemini). When you submit the intake wizard, your dispute details are sent to Google's AI model, which:
- Searches for relevant legal statutes and deadlines based on your state
- Generates a demand letter based on the information you provide
- Fact-checks legal citations and references for accuracy
This AI processing is necessary to deliver the Service and is performed under the legal basis of contract performance. The AI output is provided to you for review; no automated decisions are made about your legal rights, and you retain full control over whether to use, modify, or send any generated document. Google's use of data sent to Gemini is governed by Google's privacy policy and AI terms of service.
5. Cookies and Tracking Technologies
5.1 Essential Cookies
We use essential cookies that are strictly necessary for the Service to function:
- Session token: Maintains your authenticated session.
- CSRF token: Protects against cross-site request forgery.
These cookies cannot be disabled as the Service will not function without them.
5.2 Analytics Cookies
We use Google Analytics 4, which sets cookies (including _ga and _ga_*) to collect anonymized usage data. You can opt out of Google Analytics tracking by:
- Installing the Google Analytics Opt-out Browser Add-on
- Using your browser's cookie settings to block third-party cookies
- Enabling the Global Privacy Control (GPC) signal in your browser (see Section 8)
5.3 Client-Side Storage
The intake wizard stores form data in your browser's sessionStorage to preserve your progress between steps. This data is stored only in your browser, is not sent to our servers until you submit the wizard, and is automatically cleared when you close the browser tab.
6. Data Retention and Deletion
| Data Type | Retention Period |
|---|---|
| Email address | Lifetime of your account (until deletion requested) |
| Names and addresses | 90 days after letter delivery or purchase, then automatically deleted |
| Dispute details (intake data) | 90 days after letter delivery or purchase, then automatically deleted |
| Generated letter content | 90 days after letter delivery or purchase, then automatically deleted |
| Order records | Retained for accounting and legal compliance (non-sensitive metadata only after 90-day purge) |
| Payment card information | Never stored on our servers (processed by Stripe) |
| Analytics data | Per Google Analytics data retention settings (14 months default) |
Sensitive data (names, addresses, dispute details, and letter content) is automatically purged by an automated process that runs daily. After the 90-day retention period, these fields are permanently deleted from our database. Non-sensitive metadata (letter type, status, creation date) is retained for record-keeping.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Right to Correction: Request correction of inaccurate personal data.
- Right to Portability: Request your data in a structured, machine-readable format.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Object: Object to the processing of your personal data.
- Right to Withdraw Consent: Withdraw consent where processing is based on consent.
To exercise any of these rights, email us at privacy@howtowritea.com. We will verify your identity before processing any request and will respond within 45 days (or 30 days for GDPR requests). We will not discriminate against you for exercising any of these rights.
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
8.1 Categories of Personal Information Collected
| Category (per CCPA) | Examples | Source |
|---|---|---|
| Identifiers | Email address, name, mailing address | Directly from you |
| Commercial information | Purchase records, order history | Directly from you; from Stripe |
| Internet or network activity | Pages visited, device info, browser type | Automatically via Google Analytics |
| Geolocation data | Approximate location (from IP address) | Automatically via analytics |
| Inferences | Letter type preferences, usage patterns | Derived from your activity |
8.2 Sale and Sharing of Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
8.3 Your CCPA Rights
- Right to Know: You can request what personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Not applicable, as we do not sell or share personal information.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to that which is necessary to perform the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right.
8.4 How to Exercise Your Rights
To exercise your CCPA rights, contact us at privacy@howtowritea.com. We will verify your identity by confirming the email address associated with your account. We will respond to verifiable consumer requests within 45 days. You may also designate an authorized agent to make a request on your behalf by providing written authorization to the agent and verifying your identity with us.
8.5 Global Privacy Control (GPC)
We recognize and honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will treat it as a valid opt-out request for the sale or sharing of personal information (though, as noted, we do not sell or share personal information). We will also treat GPC signals as a request to limit the use of analytics cookies where technically feasible.
9. GDPR (European Economic Area Users)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional provisions apply:
9.1 Data Controller
Lemonberry Labs LLC is the data controller responsible for your personal data. Contact: privacy@howtowritea.com.
9.2 Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Generating and delivering your letter | Performance of a contract (Article 6(1)(b)) |
| Processing payment | Performance of a contract (Article 6(1)(b)) |
| Sending transactional emails | Performance of a contract (Article 6(1)(b)) |
| Website analytics | Legitimate interest (Article 6(1)(f)) — improving the Service |
| Bot prevention | Legitimate interest (Article 6(1)(f)) — security |
9.3 International Data Transfers
Your personal data is transferred to and processed in the United States by Lemonberry Labs LLC and its third-party service providers (including Google, Stripe, Lob, Resend, Neon, and Cloudflare). These transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms as applicable. By using the Service, you acknowledge that your data will be processed in the United States.
9.4 Additional GDPR Rights
In addition to the rights listed in Section 7, EEA users have the following rights:
- Right to restrict processing: Request that we limit how we process your personal data.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal effects. The AI processing in our Service generates a draft document for your review; final decisions about use of the document remain with you.
9.5 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe our processing of your personal information violates applicable law. A list of EU supervisory authorities is available at edpb.europa.eu.
10. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with personal information, please contact us at privacy@howtowritea.com.
11. Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption at rest: Database encryption via Neon (PostgreSQL).
- Encryption in transit: All data transmitted over TLS/HTTPS.
- Payment security: PCI-DSS compliant payment processing via Stripe (no card data stored on our servers).
- Webhook verification: Cryptographic signature verification (HMAC-SHA256) for all incoming webhooks from Stripe and Lob using timing-safe comparison.
- Authentication security: Passwordless magic link authentication with time-limited tokens.
- Automatic data purge: Sensitive data automatically deleted after 90 days.
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
12. Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected users as required by applicable law. For breaches affecting EEA users, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. For California residents, we will comply with California Civil Code Section 1798.82 notification requirements.
13. Do Not Track and Global Privacy Control
We recognize the Global Privacy Control (GPC) signal as described in Section 8.5. We do not currently respond to the older Do Not Track (DNT) browser signal, as there is no industry-standard protocol for DNT compliance. However, we honor GPC signals as the successor to DNT.
14. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Stripe payment pages, Google Analytics opt-out). We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will indicate the date of the most recent revision at the top of this page. Your continued use of the Service after any changes constitutes your acceptance of the updated policy. We encourage you to review this Privacy Policy periodically. For material changes that significantly affect how we process your personal data, we will make reasonable efforts to notify you (e.g., by posting a notice on the Site or sending an email).
16. Contact
For privacy-related inquiries, data access requests, or questions about this Privacy Policy, contact us at:
- Privacy inquiries: privacy@howtowritea.com
- General support: support@howtowritea.com
Lemonberry Labs LLC
Email: privacy@howtowritea.com