Privacy Policy
Last updated: April 28, 2026
1. Scope and Products Covered
This Privacy Policy applies to all products and services operated under the CarbonHelm brand, including:
| Product | Description |
|---|---|
| RealRabbit | AI-powered real estate analysis |
| GlucoPulse | Glucose tracking and metabolic wellness |
| HealthPulse | General health and wellness monitoring |
| MCP Monitor | MCP server monitoring and observability |
| CloudShield | Cloud cost optimization and protection |
| EU AI Audit | EU AI Act compliance assessment |
| Agent Eval | AI agent evaluation and benchmarking |
| LLM Costs | LLM usage cost tracking and optimization |
| MCPConnect | MCP server marketplace and registry |
By using any CarbonHelm product, you agree to the data practices described in this policy. If you do not agree, please do not use our products.
2. Data We Collect
2.1 Information You Provide
- Account information. Email address (required for account creation). Name is optional and only collected if you choose to provide it.
- Payment information. When you purchase a subscription, payment details (credit card number, billing address) are collected and processed directly by Stripe. CarbonHelm never receives, stores, or has access to your full payment card details. We receive only a transaction confirmation, last four digits of your card, and billing country.
- Support communications. When you contact us, we retain the content of your messages, your email address, and any attachments you send.
- User-generated content. Data you input into our products (property searches in RealRabbit, health readings in GlucoPulse, configuration settings in CloudShield, etc.).
2.2 Information Collected Automatically
- Usage analytics. We use Cloudflare Web Analytics, which is cookieless and privacy-focused. It collects page views, referrers, browser type, country, and device type. It does not use cookies, does not track individual users across sessions, and does not collect IP addresses for analytics purposes.
- Technical logs. Our hosting infrastructure (Cloudflare) may temporarily log IP addresses and request metadata for security and abuse-prevention purposes. These logs are retained by Cloudflare per their data processing terms and are not used by CarbonHelm for analytics or profiling.
- Local storage data. Some products store data in your browser's localStorage or IndexedDB. This data remains on your device and is not transmitted to our servers unless you explicitly initiate a sync or export.
2.3 Health Data (GlucoPulse and HealthPulse)
GlucoPulse and HealthPulse may process health-related data such as glucose readings, blood pressure, weight, or other wellness metrics. This data is:
- Processed on your device by default.
- Not uploaded to CarbonHelm servers unless you affirmatively opt into cloud sync or data sharing.
- Never sold, shared with advertisers, or used for purposes other than providing the product's functionality to you.
If you opt into cloud sync, health data is encrypted in transit and at rest. You may revoke this consent and delete your cloud-stored health data at any time.
3. How We Use Your Data
We use the information we collect for the following purposes:
- Providing and improving our products. To operate, maintain, and enhance the features and functionality of our products.
- Account management. To create and manage your account, process transactions, and send transactional communications (receipts, password resets, security alerts).
- Customer support. To respond to your questions and resolve issues.
- Security. To detect, prevent, and address fraud, abuse, and security incidents.
- Legal compliance. To comply with applicable laws, regulations, and legal processes.
- Product communications. To send product updates, new feature announcements, and (with your consent) marketing communications. You can unsubscribe from marketing emails at any time.
We do not use your data to build advertising profiles, do not sell it to third parties, and do not train AI models on your personal information.
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and service delivery | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Cookieless analytics | Legitimate interest (Art. 6(1)(f)) — improving our products without impacting your privacy |
| Health data processing | Explicit consent (Art. 9(2)(a)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
At CarbonHelm's current scale, a Data Protection Officer (DPO) is not required under GDPR. If this changes, we will appoint one and update this policy. In the meantime, privacy inquiries can be directed to [email protected].
5. Third-Party Processors
We share data with the following third-party service providers, who process data on our behalf under data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Payment method details, billing address, transaction amounts |
| Resend | Transactional and marketing email delivery | Email address, name (if provided), email content |
| Cloudflare | Hosting, CDN, DNS, analytics (Web Analytics), database (D1) | Request metadata, page views (anonymized), stored application data |
| Clerk | Authentication (when implemented) | Email address, name (if provided), authentication tokens |
We do not sell, rent, or trade your personal information to third parties. We do not share your data with third parties for their own marketing purposes.
6. Data Storage and Security
6.1 Infrastructure
CarbonHelm products are hosted on Cloudflare's global infrastructure, with data processed at edge locations in the United States and European Union. Database storage uses Cloudflare D1.
6.2 Security Measures
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
- Encryption at rest: Data stored in Cloudflare D1 databases is encrypted at rest.
- Access controls: Access to production systems and data is restricted to authorized personnel using role-based access controls and multi-factor authentication.
- Client-side storage: Product data stored in your browser's localStorage is under your device's security controls. We recommend keeping your device and browser up to date.
6.3 Incident Response
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach (as required by GDPR) and notify relevant supervisory authorities as required by applicable law.
7. Data Retention
- Account data: Retained for as long as your account is active. Upon receiving a deletion request, we will delete your account data within 30 days, except where retention is required by law (e.g., tax records).
- Transaction records: Retained for up to 7 years as required by tax and financial regulations.
- Support communications: Retained for up to 2 years after the last interaction, then deleted.
- Analytics data: Cloudflare Web Analytics data is aggregated and does not contain personal identifiers. Aggregate data is retained indefinitely.
- Health data (cloud-synced): Deleted within 30 days of a deletion request or opt-out of cloud sync.
- Health data (on-device): Stored locally on your device; deletion is under your control.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access. Request a copy of the personal data we hold about you.
- Right to correction. Request correction of inaccurate or incomplete data.
- Right to deletion. Request deletion of your personal data, subject to legal retention requirements.
- Right to data portability. Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to restrict processing. Request that we limit how we use your data while a dispute or request is being resolved.
- Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to object. Object to processing based on legitimate interests, including for direct marketing.
- Right to lodge a complaint. File a complaint with your local data protection authority.
To exercise any of these rights, email [email protected] with the subject line "Privacy Rights Request." We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA).
9.1 Categories of Personal Information Collected
- Identifiers: email address, name (if provided).
- Commercial information: purchase history, subscription status.
- Internet or electronic network activity: anonymized page views and usage data (via cookieless analytics).
- Health information: glucose readings, wellness metrics (GlucoPulse/HealthPulse only, with consent).
9.2 Your CCPA Rights
- Right to know. You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete. You may request deletion of your personal information, subject to certain exceptions.
- Right to correct. You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to non-discrimination. We will not discriminate against you for exercising your CCPA rights.
To submit a request, email [email protected]. We will verify your identity and respond within 45 days.
10. Washington My Health My Data Act (MHMDA)
CarbonHelm complies with the Washington My Health My Data Act for consumers located in Washington State.
- We obtain affirmative consent before collecting, sharing, or using consumer health data.
- We maintain a valid authorization for any collection of consumer health data, which clearly states the purpose and scope of collection.
- We do not sell consumer health data.
- We do not geofence healthcare facilities for the purpose of collecting health data.
- Consumer health data collected by GlucoPulse and HealthPulse is processed on-device by default and only transmitted to our servers when the consumer affirmatively opts in.
- You may withdraw your consent and request deletion of your health data at any time by emailing [email protected].
11. Health Data — Special Provisions
Because health data deserves extra protection, we apply the following safeguards:
- On-device first. Health data is processed and stored on your device by default. No health data leaves your device unless you explicitly opt in.
- Explicit consent required. Cloud sync of health data requires a separate, affirmative opt-in — not bundled with general account consent.
- Purpose limitation. Health data is used solely to provide product functionality to you. It is never used for advertising or profiling and is never shared with third parties.
- Enhanced deletion. When you request deletion of health data, we delete it from all systems (including backups) within 30 days.
- No re-identification. We do not attempt to re-identify any de-identified or anonymized health data.
12. Cookies and Analytics
CarbonHelm uses Cloudflare Web Analytics, which is a cookieless, privacy-first analytics service. This means:
- No cookies are set for analytics purposes.
- No personal data is collected for analytics.
- No cross-site or cross-device tracking occurs.
- Analytics data is aggregated and cannot be used to identify individual users.
We do not use Google Analytics, Facebook Pixel, or any advertising trackers.
Some products may use cookies or localStorage strictly for functional purposes (keeping you logged in, storing your preferences). These are first-party, essential cookies and do not require consent under most privacy laws. We do not use any non-essential cookies.
13. Children's Privacy
CarbonHelm products are not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have inadvertently collected personal information from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, please contact us at [email protected].
14. International Transfers
CarbonHelm is operated from the United States. If you access our products from outside the US, your data may be transferred to and processed in the United States or at Cloudflare edge locations globally. We rely on Cloudflare's data processing agreements and standard contractual clauses (where applicable) to ensure adequate protection for international transfers.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- Minor changes (typo corrections, formatting) will be posted here with an updated "Last updated" date.
- Material changes (new categories of data collection, new third-party processors, changes to your rights) will be communicated via email to the address associated with your account at least 30 days before the changes take effect.
Your continued use of CarbonHelm products after the effective date of a revised policy constitutes your acceptance of the changes.
16. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a complaint, contact us:
- Email: [email protected]
- Entity: CarbonHelm (Sean Valentine, sole proprietor)
We aim to respond to all privacy inquiries within 30 days.