When you join the Billateral waitlist, we collect your email, anything you write in the optional note, your IP address, and your browser's user-agent. We use it to confirm your spot, send a welcome receipt and occasional product updates, reply if you wrote us, and stop bots from flooding the form. Every email has a one-tap unsubscribe button. We don't sell your data and we don't run advertising pixels. We do use one product-analytics tool (PostHog, listed in § 05) to understand how the waitlist gets used and to capture client-side exceptions. To get a copy of what we have or to delete it, email our privacy team.
Who we are
This is the privacy policy for Billateral (the website at billateral.io). Billateral is a project of Skrrt LLC, a Wyoming limited liability company. References to "we," "us," and "our" mean Skrrt LLC. We are the data controller for the personal data described in this policy.
What we collect
When you join the waitlist
- Your email address.
- Anything you type in the optional note field.
- Your IP address (read from request headers).
- Your browser's user-agent string (truncated to 500 chars).
- The timestamp of submission.
- Which list you signed up for ("user" or "fund").
When you email us
The contents of your message and any reply thread.
Product analytics — what PostHog sees
We run PostHog (listed in § 05) to understand how the waitlist gets used. PostHog captures page views, a small set of explicit events (e.g. waitlist_modal_opened, waitlist_signup_succeeded), and unhandled client-side exceptions. After you submit the waitlist form, your email is sent to PostHog as the distinct identifier so the same person isn't double-counted across visits. Requests are routed through a first-party path on this domain to keep them clear of basic ad blockers; the destination is still PostHog Inc. in the United States.
What we don't collect
- No advertising pixels (Meta, X/Twitter, LinkedIn, Google Ads).
- No session-replay tools (FullStory, LogRocket, Hotjar).
- No third-party tracking scripts beyond PostHog.
- No advertising or cross-site tracking cookies.
Server logs from our hosting provider (Vercel) and DNS provider (Cloudflare) capture standard request metadata — IP, timestamp, path, user-agent, response status — for security and debugging. Those logs are retained according to each provider's own retention rules.
Why we collect it
Under the GDPR we have to name a "lawful basis" for each piece of processing. Here it is in one table:
| What | Why | Lawful basis |
|---|---|---|
| Hold your spot; send the welcome receipt; tell you when access opens. | Consent (Art. 6(1)(a)) | |
| Optional note | Help us prioritize what we build first. | Consent |
| IP address | Per-IP rate limit (max 5 signups/hour) — abuse prevention. | Legitimate interests (Art. 6(1)(f)) |
| User-agent | Diagnose form errors; spot abuse patterns. | Legitimate interests |
| Email reply contents | Continue the conversation you started. | Consent |
Under "legitimate interests," we keep the data minimal, store no more than we need, and use it only for the purposes listed above.
How we use it
- To confirm you joined the waitlist (the welcome receipt email).
- To send a small number of further emails as access opens up or the product changes.
- To respond when you reach out to us.
- To rate-limit submissions and prevent abuse.
- To debug and operate the website.
We don't use your data for automated decision-making or profiling.
Who we share with
We use a small set of vendors ("sub-processors") to run the service. Each one is bound by its own privacy commitments and a data-processing agreement with us.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Application hosting, CDN, request logs | United States |
| Neon (Databricks) | Postgres database — waitlist records | United States |
| Resend | Transactional email delivery | United States |
| PostHog Inc. | Product analytics — page views, waitlist events, exception capture | United States |
We do not sell your personal information. We do not share it for cross-context behavioral advertising. We disclose information only:
- to the sub-processors above, under their own privacy terms;
- if we're required to by law (subpoena, court order, valid legal process);
- to protect the rights, property, or safety of anyone; or
- in connection with a merger, acquisition, or sale of all or part of Skrrt LLC's assets — in which case we'll notify you by email.
Where your data lives
Our servers and sub-processors are located in the United States. If you're in the European Economic Area, the United Kingdom, Switzerland, or another region with cross-border transfer rules, your data is transferred to the US under the Standard Contractual Clauses maintained by each of our sub-processors. You can request copies of those clauses by emailing our privacy team.
How long we keep it
- Waitlist record (email, note, IP, user-agent): kept while we operate the waitlist, or until you ask us to delete it — whichever comes first.
- Server logs: subject to our hosting and DNS providers' retention (currently 30 days for Vercel logs; Cloudflare zone analytics aggregate after 30 days).
- Email correspondence: kept while it's useful to the conversation; deletable on request.
When the waitlist is replaced by the live product, we'll either migrate your record (with notice) or delete it, depending on what you prefer.
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your data ("right to erasure");
- Object to or restrict processing;
- Portability — receive your data in a structured, common format;
- Withdraw consent at any time (this won't affect lawful processing that already happened).
If you're a California resident, the CCPA gives you additional rights: to know, delete, correct, opt out of "sales" (we don't sell), and not to be discriminated against for exercising those rights.
To make any request, email our privacy team. We'll verify it's you (usually by checking your email matches what we have on file) and respond within 30 days for GDPR requests / 45 days for CCPA requests.
If you live in the EEA, the UK, or Switzerland and you believe we've mishandled your data, you can complain to your local data protection authority. You can also email us first — we'd rather just fix it.
Cookies and tracking
The Billateral site does not use advertising pixels or cross-site tracking. We don't use Meta Pixel, X/Twitter Pixel, LinkedIn Insight Tag, Google Ads, FullStory, LogRocket, or Hotjar.
Product-analytics storage
PostHog stores a first-party distinct ID in your browser (cookie or local storage, depending on your browser) so visits aren't double-counted. This is a single, first-party identifier on billateral.io — not a cross-site tracker. After you submit the waitlist form, that ID is replaced by your email address (the identifier we already have on file).
Strictly necessary cookies
Our hosting and DNS providers may set cookies that are essential for the site to function — for example, Cloudflare's __cf_bm cookie for bot detection. Under the EU ePrivacy Directive these are exempt from the consent requirement because they are strictly necessary to deliver the service you asked for.
If we ever add advertising or cross-site tracking cookies, we will show a consent banner to EEA/UK visitors and update this policy before doing so.
Children
Billateral is not directed at children. We do not knowingly collect personal data from anyone under 13 (United States) or under 16 (European Economic Area). If you believe a child has submitted information, email our privacy team and we'll delete it.
Security
- Traffic to and from the site is served over HTTPS (TLS 1.3).
- Database storage is encrypted at rest (AES-256, via Neon).
- Access to administrative systems is gated by SSO and 2FA.
No system is perfect. If you discover a vulnerability, report it to our security team. We'll respond promptly and we won't pursue good-faith security research.
Changes to this policy
If we make material changes, we'll update the effective date at the top of this page and, where required, notify you by email. Today's version is v1.