Privacy Notice — Sphere
Effective Date: 2026-06-12
Last Updated: 2026-06-14
This Privacy Notice describes how Next Automation Labs LLC (“we,” “us,” “our”) collects, uses, shares, and retains personal information in connection with Sphere (sphere.nextautomation.us, the “Service”). It is written for the actual data flows of the Service — not generic SaaS template language. If a clause does not match how the Service actually operates, that is a bug; please report it to [email protected].
1. Categories of Data Collected
We collect the following categories of personal information:
- Account information: email address, display name, password hash. Used for authentication and member identification.
- Attempt content: prompt text, claude_output, submission jsonb, simulated scenario data (scenario_variants_jsonb), rubric scores, overall_score, exit-prompt responses, trust-threshold responses, shadow-agent grades, decision_type, and the simulated: true regulatory discriminator. Captured on every Sphere lab attempt and persisted to the sphere_lab_attempts table.
- Scoring outputs: rubric_scores jsonb (six-axis fluency vector), overall_score numeric, intent dimensions (icp_segment, workflow_role, asset_class, deal_size_band, geography, capital_stack, fund_size, portfolio_size, tenure_proxy) extracted to sphere_intent_signals for tier upsell + affiliate routing analytics.
- Onboarding answers: role, ai_experience, primary_goal, weekly_time_commitment, biggest_frustration, learning_mode, proactive_opt_in, asset_class, deal_size_band, geography, capital_stack, fund_size_millions, country_of_residence, training_data_consent. Persisted to sphere_onboarding_profile.
- Verified-operator submissions: firm_name, linkedin_url, company_domain, aum_disclosed_band, verified_operator_tier, verified_at, verification_method. Persisted to sphere_onboarding_profile plus an audit row in sphere_operator_verification_queue with snapshotted submitted_* fields, reviewer fields (reviewed_by, reviewed_at, review_notes), and queue status.
- Member expertise profile: ICP segment, agent slug, underwriting assumptions (cap-rate floor, rent growth, expense ratio, exit cap, vacancy, capex per unit), underwriting stance, deal-size band, geography scope, sponsor-quality bar, voice norms, bad-news framing, preference patterns, red-flag triggers, provenance source, confidence, member confirmation status, and source attempt ids. Persisted to sphere_member_expertise. Inferred rows stay drafts until you confirm them.
- Product analytics events: PostHog client + server events (page views, feature usage, attempt counts). Aggregated, with member identification limited to internal user_id tied to your account.
- Operational logs: Sentry error traces, server-side request logs, ETL run telemetry. May include user_id and request context but do not include attempt content beyond ID references.
- Network identifiers: IP address and user-agent string from incoming HTTP requests. Used for rate limiting (held in Node.js process memory and cleared on a 5-minute rolling window — no database persistence), standard server request logs on our VPS, and error-monitoring traces in Sentry. We do not use IP for geolocation inference or member profiling.
- Affiliation metadata (optional): organization affiliation (organization_id, org_role within the organization) and student-status verification (institution name, expected graduation year, verified flag). Collected only if you opt into the relevant onboarding flow (Claim Org or Verify Student). Used for tier eligibility, organization-level features (org dashboards, team leaderboards, branded share-cards), and student-pricing eligibility.
We do not collect government-issued identifiers (SSN, passport number, driver's license number), date of birth, phone number, residential address (beyond country-of-residence at the country-code level), payment card numbers (handled by upstream payment processor — see Third Parties below), or biometric data.
2. Purposes
We use the categories above for the following purposes:
- Service delivery: authenticating you, persisting and replaying your attempts, scoring rubric outputs, generating Companion (Nova) suggestions, displaying your fluency progression and certifications, surfacing leaderboards and library artifacts.
- AI grading model improvement: training and evaluating the rubric and shadow-agent grading systems. Limited to attempts from US-based users with training_data_consent: true (the default for non-data-protection-jurisdiction users — see Section 8 below).
- Operator playbook synthesis: weekly markdown playbooks distilled from member-confirmed expertise profiles of verified operators (verified_operator_tier >= 1) with consent. The export view requires member_confirmed = true, known country, no opt-out tombstone, and verified-operator tier. Output artifacts carry lineage: member_confirmed_expertise provenance metadata in their frontmatter.
- Member expertise export posture: D7 member expertise export is internal-only in v3.1. Member-confirmed expertise profiles are used inside Sphere and Next Automation Labs owned products, including operator-playbook synthesis, and no separate external recipient is active.
- Intent-signal pattern derivation: weekly extraction of icp_segment + workflow_role + intent dimensions from sphere_lab_attempts to sphere_intent_signals. Used internally for tier-upsell prioritization, affiliate routing, and product roadmap signals.
- Product analytics: PostHog event stream (aggregated). Used for funnel analysis, feature adoption, and roadmap prioritization.
- Operations and security: error monitoring (Sentry), abuse detection, rate limiting, capacity planning.
- Communications: transactional email (account, sign-off, billing) and (with your consent) feature-update emails.
We do not use your data for advertising targeting outside the Service. We do not currently sell personal information.
3. Third Parties
We share personal information with the following third parties only as needed to operate the Service:
- Supabase (Supabase, Inc.) — hosting provider for our Postgres database and Storage (snapshot archive). Data Processing Agreement (DPA) in place. Supabase processes data on our behalf as a service provider/processor under CCPA. Storage bucket sphere-snapshots archives JSONL training corpus + operator-playbook markdown. Supabase Auth also delivers transactional email (magic links, account verification) on our behalf; we do not use a separate email vendor in v3.1.
- OpenAI / Anthropic (via OpenRouter, OpenRouter, Inc.) — stateless API for the Claude/grader model paths. Per OpenRouter's enterprise terms and the underlying provider terms, our prompts and outputs are NOT used to train OpenAI or Anthropic foundation models. OpenRouter routes requests, does not retain content beyond transient logs, and acts as a service provider/processor.
- Anthropic (direct, Anthropic, PBC) — a subset of internal generation paths (the doc-engine for proposal and lesson authoring) call Anthropic's API directly under our enterprise terms. The same no-training-on-content protection as the OpenRouter path applies.
- PostHog (PostHog, Inc.) — product analytics platform. DPA in place. Receives aggregated event stream tied to our internal user_id; does not receive attempt content.
- Sentry (Functional Software, Inc., dba Sentry) — error monitoring. Receives stack traces, request context, user_id where applicable. Does not receive attempt content or onboarding answers.
- GitHub Actions (GitHub, Inc.) — orchestration runtime for our weekly ETL pipelines (golden-paths snapshot, intent-signal extraction, operator-playbook synthesis). Runs on our behalf inside our private skool repository. Does not egress user data outside the Sphere data plane (Supabase Postgres + Storage); ETL writes go to Supabase Storage via service-role API.
- Skool (Skool Inc.) — community and billing platform. Skool is the upstream membership system for sphere.nextautomation.us. We receive member webhook events (account creation, plan change, revocation) via signed webhooks. Skool processes payment data on its own behalf as the merchant of record for Sphere subscriptions; Sphere does not handle payment cards.
- Hosting: the Service runs on a self-hosted VPS we operate. CDN/edge caching is not in use in v3.1. Standard server logs (IP address, user-agent, request path) are retained per Section 4.
We do not currently sell personal information for monetary consideration. We interpret “sharing” broadly per CCPA Section 1798.140(ah) and document any third-party data flows in this section. If a new third-party flow is introduced, we will update this notice and provide 30 days' notice per Section 9 (Changes).
4. Retention
- Live database rows (sphere_lab_attempts, sphere_intent_signals, sphere_onboarding_profile, sphere_member_expertise, sphere_operator_verification_queue, all related operational tables): retained while your account is active. v3.1 honors deletion requests via opt-out tombstones (data_collection_opt_outs), which immediately exclude you from all future ETL extractions; downstream consumers of existing snapshots also filter you out. Live rows are manually deleted by the founder within 30 days of a deletion request emailed to [email protected]. Automated 90-day post-deletion wipe of live rows is planned for v3.2.
- Storage snapshots (sphere-snapshots/golden-paths/{date}/*.jsonl, sphere-snapshots/operator-playbook/{date}/*.md, sphere-snapshots/intent-signals/{date}/*.jsonl): retained indefinitely for audit-defensibility (SEC Marketing Rule, Form ADV recordkeeping, and general compliance posture). Snapshot files are immutable once written; consumers honor opt-out tombstones (rows in data_collection_opt_outs) so post-opt-out processing is filtered out at read time.
- Snapshot manifest (sphere_snapshot_manifest): retained indefinitely. Contains sha256 + row_count per snapshot file. Used for chain-of-custody audit.
- Opt-out tombstones (data_collection_opt_outs): retained indefinitely. The opt-out itself is the durable record; deleting it would defeat its purpose.
- PostHog events: retained per PostHog's default retention (typically 7 years, configurable). Aggregated only; raw events are not joined back to identifiable account data outside our platform.
- Sentry errors: retained per Sentry's default retention (typically 90 days for error events).
If you need a different retention window for a specific table or category (e.g., a regulator request, contractual obligation), email [email protected].
5. CCPA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, the categories of sources, the purposes, and the categories of third parties with whom we share it.
- Right to delete personal information we have collected, subject to recordkeeping floors.
- Right to opt-out of sale or sharing of personal information. We do not currently sell personal information; we interpret “sharing” broadly per CCPA Section 1798.140(ah).
- Right to non-discrimination for exercising any of the above rights. We will not deny service, charge different prices, or provide a different level of service based on your exercise of CCPA rights.
- Right to limit use of sensitive personal information. Sphere does not collect sensitive personal information as defined by CCPA §1798.140(ae) (we do not collect SSN, precise geolocation beyond country-code, biometric data, religious/philosophical beliefs, sex life or orientation, mail/email content beyond what users post, or genetic data).
Opt-out mechanism (v3.1) is email-only: to opt out of training data use, email [email protected] with the subject line “CCPA opt-out” and your account email. We will process opt-out requests within 15 business days per CCPA Section 1798.130(a)(2). On receipt, we manually insert a row into the data_collection_opt_outs table; all ETL read paths immediately filter out your user_id from future extraction, and downstream consumers of existing snapshots filter your user_id out as well.
In-app self-serve opt-out via the /profile privacy tab is deferred to v3.2 and is not available in v3.1. Email is the supported opt-out channel for v3.1.
To exercise any other CCPA right (right to know, right to delete, right to non-discrimination), email [email protected]. We will respond within 45 days (with one 45-day extension permitted per CCPA §1798.130(a)(2)).
6. General US Rights
For users in US states with general consumer-privacy rights statutes (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.) or for any US user, we honor the following on email request to [email protected]:
- Access — receive a copy of personal information we hold about you
- Rectification — correct inaccurate data
- Deletion — delete personal information (subject to recordkeeping floors per Section 4 above)
- Portability — receive a structured, commonly-used, machine-readable copy of your data
You may also exercise access, rectification, and deletion via account settings where supported in-app.
7. Children
The Service is not intended for users under 18. We do not knowingly collect personal information from minors. If we learn we have collected personal information from any minor, we will delete it. Consistent with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§6501-6506), we treat any data from a child under 13 with priority deletion and will not knowingly continue to collect, use, or disclose such information. If you believe a minor has created an account, email [email protected].
8. International Users
The Service is operated from the United States. Users in the European Union, United Kingdom, European Economic Area, or Switzerland: your attempts are NOT included in our training corpus.
We achieve this by setting training_data_consent = false automatically when your country of residence (which you select at onboarding) is in our data-protection-jurisdiction list. The list contains 32 country codes (EU 27 member states + UK + EEA non-EU + Switzerland) and is maintained at lib/data-protection-jurisdictions.ts in our source repository. The geo-fence is enforced at the read-path level: the sphere_golden_paths SQL VIEW filters on training_data_consent = true, and the extract-intent-signals.ts ETL script applies the same filter. Member expertise exports use sphere_member_expertise_export_v with the same consent and known-country gates plus member_confirmed = true.
You may use the Service normally regardless of country. We do not run a GDPR-spec opt-in flow because we do not collect for training-corpus purposes from your jurisdiction. If you change your country of residence in account settings, the geo-fence flag flips on the next country submission. Past attempts will not be retroactively tombstoned — they would have been excluded by the geo-fence at extraction time anyway, so there is no derived training data referencing them. Future attempts will follow the new flag.
If you want stronger guarantees (e.g., full deletion of any pre-existing live rows), email [email protected] and we will process your request under the Section 6 General US Rights framework, which we extend to international users on request as a courtesy posture.
9. Changes to Notice
We may update this Privacy Notice from time to time. Material changes will be communicated via:
- Email to your account email address, and
- An in-app banner on the Service
We will provide at least thirty (30) days' notice before material changes take effect. Continued use of the Service after the effective date of an updated Notice version constitutes your acknowledgement of the updated Notice. The “Last Updated” date at the top will reflect the most recent revision.
For non-material changes (typo fixes, clarifications that do not change data flows, rights, or obligations), we may publish the change without prior notice.
10. Contact
For all privacy requests (CCPA opt-out, right-to-know, deletion, rectification, access, portability, complaints, questions about this Notice):
For general inquiries unrelated to privacy:
We aim to respond to privacy requests within 15 business days per CCPA Section 1798.130(a)(2) and within 45 days per CCPA Section 1798.130(a)(2) for substantive responses (with one 45-day extension permitted).