PitchBoost

Privacy Policy

How we collect, use, and protect your personal data — and what your rights are under the General Data Protection Regulation (GDPR).

Effective: 14 April 2026 · Last updated: 6 May 2026

1. Who we are

PitchBoost (“we”, “us”, “our”) is an AR teleprompter service for Even Realities G2 smart glasses. The service is operated by the following sole proprietorship (impresa individuale) under Italian law, which is the Data Controller under Article 4(7) GDPR:

We have not appointed a Data Protection Officer — one is not required for our scale of processing under Article 37 GDPR. For any matter concerning your personal data, including the exercise of the rights described in section 9, write to support@pitchboost.io; for formal legal communications use the PEC address above.

2. Scope

This policy applies to the following services:

• Our website at pitchboost.io (including the checkout, download, and success pages);
• The PitchBoost desktop helper (macOS and Windows application);
• The PitchBoost Chromium extension (for Google Slides);
• The PitchBoost phone app that runs inside the Even Realities Hub on a paired smartphone and drives the G2 glasses display.

3. What personal data we collect and why

3.1 Checkout and licensing

When you purchase a PitchBoost license we collect the data needed to process the payment and deliver the product:

• Email address — to send you the license code and, where requested, to resend the receipt;
• Billing information (name, country, postal code, VAT identification where applicable, and payment card details) — collected and processed directly by Stripe, our payment processor. We never see or store full card numbers;
• License code (a string in the PB-XXXX-XXXX-XXXX format) generated by us and associated with your email.

3.2 Device activation

To prevent license sharing and enforce the per-license device cap (up to 5 devices) we generate a device fingerprint when you activate PitchBoost on a computer or browser. The fingerprint is a one-way SHA-256 hash of your machine's hostname plus the active username. The original values are not sent to our servers — we store only the hash.

3.3 Live session relay

While you use PitchBoost we temporarily store the following, indexed by an opaque 6-character pairing code:

• The parsed contents of the presentation you chose (slide titles and speaker notes) — required so the G2 glasses can display them;
• The current slide position, elapsed timer, and whether the slideshow is in the foreground;
• Queued ring commands (next, previous, scroll) waiting to be consumed by the desktop helper or the Chrome extension.

3.4 Google Slides access (optional — Chrome extension only)

If you choose to present a Google Slides deck through the Chrome extension, you explicitly authorise the extension to read the content of the presentation open in the active tab, using Google's OAuth consent flow. We only request the presentations.readonly scope; we cannot modify, delete, or share your files. The OAuth access token is stored in your browser's local storage (chrome.storage.local) and never leaves your device.

3.5 Transactional email

When you complete a purchase or request to have your license resent, we send one or more transactional emails (license delivery, receipt, download links) through our email service Resend.

3.6 Onboarding follow-up emails

If you request the download links on the phone app (“Send me the links”) but do not complete the purchase, we enrol your email address in a short onboarding sequence of up to three follow-up emails spread over approximately three weeks (days 3, 9, and 21 after your first request). Each email clarifies how PitchBoost works, recounts the product in use, and ends with a one-click opt-in check.

The email address is stored in our Upstash Redis database as a SHA-256 hash plus the plaintext address itself (needed to actually deliver the follow-up). We record four flags: the sequence step we are on, when the last email was sent, whether the address has since purchased (in which case the sequence stops immediately), and whether the address has unsubscribed.

Every follow-up email contains a one-click unsubscribe link. Clicking it permanently stops any future onboarding emails from being sent to that address. You can also opt out at any time by writing to support@pitchboost.io.

Onboarding follow-up records are kept until you unsubscribe (one-click link in every email) or until you ask us to delete them via the rights described in section 9. Retention is driven by your consent, not by a fixed timer: we keep the address on file only as long as it is useful to contact you about PitchBoost.

3.7 Technical logs

Like every web service we keep minimal operational logs (IP address, user-agent, request path and status code) collected by our hosting provider Vercel. These logs are used to detect abuse, investigate incidents, and satisfy our security obligations. They are never combined with the billing or license data above.

3.8 PitchBoost Web — the browser app at pitchboost.io/present

The browser version of PitchBoost runs entirely in your browser, with two backend hops we keep deliberately short and minimal:

• Slide conversion (Fly.io, Frankfurt EU). Your .pptx, .key, or .odp file is uploaded over TLS to our converter service hosted on Fly.io in Frankfurt. The file is handed to LibreOffice headless, which produces a PDF (and, for non-.pptx uploads such as Keynote, an additional .pptx used by your browser to extract speaker notes). The original file AND any conversion output are then deleted from disk within seconds (in the same request handler's cleanup block, including on crash). They are never persisted, never logged, never backed up. Total residence time on our converter is typically 5-30 seconds. If you upload a .pdf directly, this step is skipped entirely — your file never leaves your browser.
• Live session relay (same as section 3.3). The PDF stays in your browser. Speaker notes, slide titles, slide body text, and small thumbnail images (320 px PNG, generated client-side from the PDF) are sent to our session relay so your phone can display them on the G2 lens. These are stored in our Upstash Redis and discarded automatically when your session ends or after 2 hours of inactivity, whichever is sooner.

The PDF binary itself is never sent to the relay or stored anywhere outside your browser memory. The slide images displayed on the lens are 320-pixel thumbnails generated locally; the full-resolution PDF stays on your machine.

If your deck contains material too sensitive for the few-seconds round-trip through our converter, you have two install-free alternatives that keep the file on your machine: (i) the PitchBoost desktop helper, which drives PowerPoint locally and never uploads anything; (ii) uploading a pre-converted PDF directly to PitchBoost Web — the converter step is skipped and only the speaker notes ever transit our backend.

4. Legal bases for processing

We rely on the following lawful bases under Article 6 GDPR:

• Performance of a contract (Art. 6(1)(b)) — for payment processing, license issuance, license validation, and the operation of the live session relay;
• Legitimate interest (Art. 6(1)(f)) — for device fingerprinting to prevent license abuse, for security logs, and for onboarding follow-up emails sent to addresses that explicitly requested the download links but did not complete the purchase. The interest is our need to protect the service against fraud, guarantee availability, and ensure that users who asked for help installing the product actually receive the information they need. We have assessed that this does not override your rights and freedoms, and every onboarding email includes a one-click unsubscribe link;
• Consent (Art. 6(1)(a)) — for the optional Google Slides integration. You may withdraw this consent at any time by clicking “Disconnect Google account” in the extension popup; the access token is immediately erased from your browser;
• Legal obligation (Art. 6(1)(c)) — for tax and accounting records, which Stripe retains on our behalf for the period required by Italian tax law (currently 10 years).

5. Who we share your data with

We only share personal data with the processors strictly necessary to deliver the service. Each of them is bound by a Data Processing Agreement that complies with Article 28 GDPR, and where relevant we rely on the EU Commission's Standard Contractual Clauses for transfers outside the European Economic Area.

Processor	Purpose	Data shared	Location
Stripe, Inc.	Payment processing, refunds, invoicing	Email, billing details, payment method	USA (SCCs)
Upstash, Inc.	Serverless Redis storage for license records and live sessions	License code, email, hashed device fingerprints, session data	USA / EU (your choice of region)
Vercel, Inc.	Hosting of the website, API, and download proxy	Request logs (IP, user-agent), API payloads transiting the backend	USA (SCCs)
Fly.io (Fly Worldwide, Inc.)	Slide conversion (LibreOffice headless) for PitchBoost Web only	The .pptx / .pdf file you upload, deleted within seconds of conversion — never persisted	EU (Frankfurt) — no transfer outside EEA for this hop
Resend, Inc.	Transactional email delivery	Email address, license code, email body	USA (SCCs)
Google LLC	OAuth authentication and Google Slides REST API (Chrome extension only — optional)	OAuth consent, the presentation you choose to open	Ireland / USA (SCCs)
GitHub, Inc.	Hosting the desktop-app release binaries that the download page serves	Public release artefacts only — no personal data	USA (SCCs)

We do not sell, rent, or trade your personal data. We do not run advertising networks or third-party tracking scripts on the website.

6. International transfers

All of our processors listed above are headquartered in the United States. When your personal data is transferred to a country outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) together with supplementary technical and organisational measures (encryption in transit, minimisation, short retention) to ensure an essentially equivalent level of protection.

7. How long we keep your data

• License records (email + code + device fingerprints) — kept for as long as the license is active and the service exists. You can ask us to delete them at any time (see section 9);
• Onboarding follow-up records (hashed email + sequence step) — kept until you unsubscribe (one-click link in every email) or until you request deletion via the rights in section 9, whichever is earlier. We never share these addresses with third parties and they are only used to send you PitchBoost-related product emails;
• Session data (pairing codes, slide contents, ring commands) — automatically deleted 6 hours after creation by the session TTL;
• Transactional emails — retained by Resend for up to 30 days for delivery diagnostics, then purged;
• Payment records — retained by Stripe for the 10 years required by Italian tax law;
• Server logs — retained by Vercel for up to 90 days.

8. Security

We protect your personal data with the industry-standard measures that our hosting, storage, and payment processors provide:

• HTTPS on every endpoint, with HSTS;
• Encrypted storage at rest (Upstash Redis, Stripe);
• Short-lived session data (6-hour TTL) and one-way hashed device fingerprints;
• No card number ever reaches our servers — card processing happens entirely within Stripe's PCI-DSS-compliant environment;
• Access to the backend is restricted to the operator and protected by multi-factor authentication.

9. Your rights under GDPR

As a data subject under the GDPR you have the right to:

• Access — obtain a copy of the personal data we hold about you (Art. 15);
• Rectification — correct inaccurate or incomplete data (Art. 16);
• Erasure — ask us to delete your data, subject to legal retention obligations (Art. 17);
• Restriction — limit our processing while a dispute is resolved (Art. 18);
• Portability — receive your data in a machine-readable format (Art. 20);
• Objection — object to processing based on legitimate interest (Art. 21);
• Withdraw consent — at any time for the optional Google Slides integration (Art. 7(3)).

To exercise any of these rights write to support@pitchboost.io with the email address associated with your license. We respond within 30 days as required by Article 12(3) GDPR.

10. Cookies and tracking

The PitchBoost website does not set any advertising, analytics, or profiling cookie. We do not run Google Analytics, Facebook Pixel, or similar trackers. The Chrome extension and the desktop helper use local storage on your device only to cache your license code and your Google OAuth token (when applicable); nothing is sent to third-party trackers.

11. Children

PitchBoost is a professional tool for presenters and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, contact us and we will delete it.

12. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).

13. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or in the law. The “Last updated” date at the top of the page is authoritative. If the change is material we will notify active license holders by email at least 30 days before it takes effect.

14. Contact

Data protection contact: support@pitchboost.io
Subject line suggestion: “GDPR — <your request>”