What we collect.
Why we collect it.

We collect the minimum we need to run an invite-only network for senior operators. We don’t sell data, we don’t run ad trackers, and we don’t use your posts to train third-party models. When you delete your account, we delete your data — see the retention section below for what stays around and why.

• Application data — name, email, role, and your written contribution answer. Submitted by you when you apply.
• Account data — name, email, handle, optional organization/city, and your sign-in identity (Google or magic-link).
• Content you post — Asks, Offers, Intros, Signals, and the other post types; comments, reactions, DMs, session RSVPs, and the files you attach.
• Operational telemetry — request logs (IP, timestamp, path), error traces, and security-event records when a file or link is flagged. Used to keep the platform up and the room safe.
• Notification preferences — your toggles on the Notifications settings page.

• Third-party ad-network identifiers.
• Behavioral analytics for advertising — we don’t embed Google Analytics, Meta pixels, or similar trackers.
• Your contacts, your calendar, or your email inbox.
• Anything from outside Guildspace beyond what you choose to link to inside a post.

• To run the network — auth, posts, comments, DMs, search.
• To send the emails you opted into (DMs, sponsor activity, digest cadence, editor announcements) — every email has a one-click unsubscribe.
• To detect abuse — file scanning, URL reputation, rate limits, and editor review of flagged content.
• To make moderation decisions — three editor-confirmed flags in 30 days triggers a sponsorship review.

Other members see your handle, name, role, organization (if you’ve filled it in), and anything you’ve posted. DMs are visible only to the two people in the thread (plus, on legal request, the editors). Editors can read security-flagged content for review purposes only.

Your email address is never shown to other members.

We don’t sell, rent, or trade your data. We do use a few sub-processors strictly to run the service:

• Resend — sends transactional + opted-in emails on our behalf.
• Stripe — handles subscription billing if you upgrade a tier. We never see your card.
• S3-compatible object storage — stores file uploads.
• OpenAI / Anthropic— runs content-classification on posts (auto-flag + intro routing). Posts are sent transiently; providers don’t retain them for training under our configuration.

• Live content — kept as long as your account is active.
• Deleted posts and DMs — removed from the live database within 24 hours. Backups age out within 30 days.
• Deleted accounts — name, email, and profile cleared on request. Posts you authored can be left in place under a tombstoned handle (your call) so threads stay coherent.
• Security records — kept for 12 months for abuse review, then aggregated and stripped of personal identifiers.

You can export your data, correct it, or delete your account from Settings → Account. Members in the EU/UK have the standard GDPR rights (access, rectification, erasure, portability, objection, restriction); email [email protected] and we’ll act within 30 days.

HTTPS-only across the surface, strict Content-Security-Policy with per-request script nonces, signed-in routes gated by session cookies, and file uploads scanned for known malware and sanitized for active content before they’re served. We disclose material breaches within 72 hours of confirmation.

Two cookies, both essential: a session cookie (signs you in) and a small UI cookie (remembers the security-alert dismiss timestamp for editors). No third-party cookies, no ad cookies, nothing else.

We’ll email members about material changes at least 30 days before they take effect. Non-material changes get a note at the top of this page.