Legal — but readable
Privacy
Policy.
The short version: I collect what I need to run the platform, nothing sketchy. I don't sell your data. Your stuff is yours. Google (Firebase) stores it on their servers. You have the right to see, change, or delete your information. That's it, really — but read on for the full picture.
01 — Who This Applies To
This Privacy Policy applies to everyone who visits 3amceo.com or apps.3amceo.com, and especially to anyone who creates an account. The platform is operated by David Birnie, an individual based in Chatham, Ontario, Canada.
If you're in Canada: this policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL). If you're elsewhere in the world, these Canadian standards give you a pretty solid baseline of protection.
02 — What I Collect
Here's what ends up in my systems when you use the platform:
- Account info: Your name, email address, and the sign-in method you chose (Google, Facebook, or email/password).
- Profile info you provide: Business stage, reason for signing up, country — all optional, used only to make newsletter content relevant to you.
- App data: Tasks you create in OAK, ideas in Idea Vault, field log entries, habits — whatever you put into the tools. This is stored in your Firestore document.
- Consent records: A timestamp of when you accepted the Terms of Service and agreed to receive the newsletter. This is legally required under CASL.
- Usage metadata: When you last logged in. That's about it for tracking.
I don't collect your location, your device specs, your browsing history, or anything else beyond what's listed above.
03 — How I Use It
Your data is used for exactly three things:
- Running the platform — so your tasks sync across devices, your account works, and the apps function correctly.
- Sending the newsletter — updates about the $20K Challenge, new features, and whatever I'm building or learning. You consented to this when you signed up, and every email has an unsubscribe link.
- Making your experience relevant — the optional profile fields (stage, reason, country) help me send you content that actually applies to you. Nothing more.
I don't use your data to train AI models, run ads, profile you for third parties, or anything else beyond the above.
04 — Where It's Stored (Firebase / Google)
This platform is built on Firebase, which is Google's infrastructure. That means:
- Your account is authenticated through Firebase Authentication.
- Your data lives in Cloud Firestore (Google's NoSQL database).
- Firebase servers are primarily located in the United States, though Google operates globally.
By using this platform, you acknowledge that your data is processed by Google under their Firebase Privacy and Security terms. Google acts as a data processor on my behalf — they store and protect the data, but they don't own it and they don't use it for their own advertising purposes under these agreements.
Translation: Your data goes through Google's servers because that's what the apps run on. It's the same infrastructure that powers a huge chunk of the internet. It's secure, encrypted, and Google doesn't get to sell your task list.
05 — The Newsletter & CASL
Canada's Anti-Spam Legislation (CASL) requires that I have your explicit, documented consent before sending you commercial electronic messages. Here's how that works on this platform:
- When you create an account, you check a box confirming you want to receive the newsletter. That checkbox is required — no box checked, no account.
- The date and time of your consent is recorded as a timestamp in Firestore.
- Every newsletter email will include a clear, working unsubscribe link.
- If you unsubscribe, your email is removed from the sending list. Your account stays active.
Honest sidebar: the newsletter doesn't fully exist yet. When it launches, it'll be updates about the challenge, new apps, honest entrepreneurship stuff, and whatever I'm learning at 3am. No spam. No affiliate junk. No "10 productivity hacks" listicles.
06 — Your Rights Under PIPEDA
As someone whose data I hold, you have the following rights:
- Access: You can ask me what data I have about you. I'll tell you.
- Correction: If something's wrong — your name, your email — you can ask me to fix it (or fix it yourself in the app settings when that feature exists).
- Deletion: You can request that your account and all associated data be deleted. I'll remove your Firestore document. Firebase may retain it in backups briefly — that's on their infrastructure, not something I control.
- Withdraw consent: You can withdraw newsletter consent at any time by unsubscribing or emailing me directly.
- Complaint: If you think your privacy rights have been violated, you can complain to the Office of the Privacy Commissioner of Canada.
To exercise any of these rights, email me: david.cp.birnie@gmail.com. I'll respond within a reasonable timeframe.
07 — Social Sign-In (Google & Facebook)
If you sign up using Google or Facebook, I receive only the basic profile information those services share: your name, email address, and profile photo. I don't receive your contacts, your posts, your friends list, or anything beyond what's needed to create your account.
Your relationship with Google or Facebook is governed by their own privacy policies. I have no control over what they collect on their end.
08 — Paid Tiers & Gumroad
When paid tiers launch (Pro and Builder), payments will be processed through Gumroad — a third-party payment platform. When you make a purchase through Gumroad, your payment and billing information goes directly to them, not to me. I only receive confirmation that you've purchased a tier, so I can update your account access.
Gumroad has their own privacy policy. I'll link to it properly when paid tiers go live.
09 — Cookies & Local Storage
The apps use browser local storage to remember your preferences — things like whether you've chosen dark or light mode. Firebase also sets cookies to maintain your authenticated session.
I don't run analytics trackers, ad pixels, or third-party tracking scripts. If that ever changes, I'll update this policy and be upfront about it.
10 — Data Security
Firebase uses industry-standard security practices: data is encrypted in transit (HTTPS/TLS) and at rest. Access to your Firestore document is controlled by Firebase Security Rules — only you (authenticated) can read and write your own data.
I'm one person building this at 3am. I take security seriously, but I'm not a dedicated security team. If you discover a vulnerability, please email me directly rather than exploiting it.
11 — Children's Privacy
This platform is not directed at children under 13. If you're under 13, please don't create an account. If you're 13–17, please make sure a parent or guardian is aware you're using the platform. If I become aware that a child under 13 has created an account, I'll delete it.
12 — Skeets AI Assistant & API Keys
3AM CEO includes Skeets — an AI-powered assistant that helps you with business strategy, productivity, and momentum. Here's what you need to know about how Skeets handles your data:
- Your API key: To activate Skeets, you provide your own Google Gemini API key. That key is stored in your Firestore user document (encrypted at rest by Google). It is not shared with any third party, logged in plain text, or used for anything other than sending your messages to Google's Gemini API on your behalf.
- Conversation data: Your Skeets conversations are stored in a private Firestore subcollection under your user account. Only you can access your session history. You can delete it at any time from Dashboard → Settings → Skeets → Clear Session History.
- AI-generated content: Skeets' responses are generated by Google's Gemini AI. They are not professional financial, medical, or legal advice. Skeets will remind you of this in any conversation touching those areas. Always consult a qualified professional for advice in those domains.
- No AI training on your data: Your conversations with Skeets are not used to train any AI model — not by me, and not by Google under the Firebase/Gemini API terms applicable to this use case.
- Google's Gemini API: When you send a message to Skeets, it is transmitted to Google's Gemini API. This is subject to Google's Gemini API Terms of Service and their privacy practices. Review those terms to understand how Google handles prompts.
13 — Mental Health, Safety & Crisis Detection
Your wellbeing matters more than your productivity metrics. Here's how the platform handles sensitive situations:
- Automated crisis detection: The Skeets chat system includes a client-side content filter that detects language associated with self-harm or suicide (e.g., "kill myself," "suicidal"). When detected, Skeets immediately stops all business-related conversation and displays crisis support resources — specifically Canada's 988 Suicide Crisis Helpline and Crisis Services Canada (1-833-456-4566).
- This is not a mental health platform: Skeets is a business productivity tool, not a mental health service. It is not a substitute for professional mental health care, crisis counselling, or therapy.
- No surveillance: The crisis detection runs locally in your browser. Flagged messages are not sent to a server, logged separately, or reported to any authority as a result of detection. The system simply presents you with resources.
- If you are in crisis: Please call or text 9-8-8 (Canada's Suicide Crisis Helpline, free, 24/7) or 1-833-456-4566 (Crisis Services Canada). For emergencies, call 911.
14 — Changes to This Policy
If I make significant changes to this privacy policy, I'll post a notice in the dashboard. Continued use of the platform after a policy update means you've acknowledged the changes.
Last major update: May 2026 (initial version — Skeets AI clauses added May 2026).