Last updated: 2026-04-28
Privacy Policy
This Privacy Policy explains what personal data MB AI Konsultacijos (“we”, “us”) collects from you when you use withpurpo.se (“the Service”), why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR), the Lithuanian Law on Legal Protection of Personal Data, and other applicable laws.
We are the data controller for the personal data described in this policy.
1. Who we are
MB AI Konsultacijos (company code 306436438) is a small partnership registered in Lithuania, with its registered address at Ulonų g. 1-37, LT-08240 Vilnius, Lithuania.
Contact for any privacy-related question or request: adam@withpurpo.se
We do not have a designated Data Protection Officer under Article 37 GDPR because our processing does not meet the threshold criteria, but adam@withpurpo.se is the dedicated contact point for all data protection matters.
2. What data we collect
We collect three categories of personal data.
2.1 Survey responses
When you complete the survey, we collect:
- Your answers to 28 survey questions, including ratings on validated psychological instruments and free-text answers about your interests, lived experience, hobbies, and goals
- Your country of residence (required for jurisdiction-correct recommendations)
- Optionally: your name (or nickname), age range, and the words you write in open-text questions
These responses are stored as a single record in our database and used to generate your personalized Report.
2.2 Account and contact data
When you proceed to checkout, we collect:
- Your email address
- Your given consent for transactional communications (required to deliver the Report)
- Your given consent for marketing communications (optional, separately captured)
2.3 Payment data
Payment is processed by Stripe. We do not receive, store, or have access to your full card number. Stripe shares with us only the metadata needed to confirm a payment succeeded, refund a payment, or comply with our tax obligations:
- Transaction ID
- Last 4 digits of the card and card brand
- Billing country (for VAT and tax reporting)
- The amount and currency of the transaction
2.4 Technical data
When you visit the Service, we automatically collect:
- IP address (used for fraud and abuse prevention; truncated to 24 bits before retention)
- Browser type and operating system (for compatibility debugging)
- Referrer URL (the page you arrived from)
- Pages viewed and time spent (basic analytics)
We do not use third-party advertising trackers or behavioral profiling cookies. We do not sell your browsing data.
3. Why we collect this data — legal bases
We process each category of data under a specific legal basis under Article 6 GDPR.
| Data category | Purpose | Legal basis |
|---|---|---|
| Survey responses | Generate your personalized Report | Performance of contract (Art. 6(1)(b)) |
| Email + name | Deliver the Report; provide customer support; comply with tax record-keeping | Performance of contract; legal obligation (Art. 6(1)(b), Art. 6(1)(c)) |
| Payment metadata | Process and reconcile payments; comply with accounting and tax law | Legal obligation (Art. 6(1)(c)) |
| Marketing email signup | Send occasional product updates (only if you opted in) | Consent (Art. 6(1)(a)) |
| Technical data | Operate, secure, and improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Country and age range | Tailor jurisdiction- and life-stage-appropriate recommendations | Performance of contract |
You can withdraw consent for marketing emails at any time using the unsubscribe link or by emailing us. Withdrawing consent does not affect lawful processing that occurred before withdrawal.
4. Sharing your data — who receives it
We share your data with a small number of service providers, only as necessary to operate the Service. We do not sell your data. We do not share your data with advertising networks, data brokers, or any party for marketing purposes outside our own.
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase (database hosting) | Storing survey responses, user records, payment confirmations | EU (Frankfurt region) | EU-located storage; processor agreement |
| Stripe (payment processing) | Charging your card; processing refunds | US (with EU operations) | Standard Contractual Clauses; PCI-DSS Level 1 |
| Resend (email delivery) | Sending transactional and (if opted-in) marketing email. Resend embeds a small tracking pixel in delivered emails to record open events; this data is used solely to verify deliverability and is not sold or shared further. You can disable this by configuring your email client to not load remote images. | US/EU | Standard Contractual Clauses |
| Anthropic (AI generation) | Generating the AI-drafted Report from your survey responses | US | Standard Contractual Clauses; data not used to train models |
| Vercel (web hosting) | Serving the website | US (with EU edge) | Standard Contractual Clauses |
| Sentry (error monitoring) | Capturing technical errors for debugging | US | Standard Contractual Clauses; PII scrubbed |
| Plausible (privacy-friendly analytics) | Aggregate page-view metrics, no personal identifiers | EU | EU-located, no cookies |
| Affiliate networks (Awin, Impact, PartnerStack, FirstPromoter, direct vendor programs) | Tracking referrals from links in your Report so vendors can pay commissions to MB AI Konsultacijos | US/EU | Click events and non-identifying referral IDs only — no name, email, or survey data shared |
Some vendors recommended in your Report are linked through affiliate programs. When you click a link in your Report and complete a qualifying action with the vendor, the vendor reports the referral to its affiliate network, which then attributes the commission to MB AI Konsultacijos. The data shared with these networks is limited to the click event and the vendor’s standard transaction metadata. We do not share your name, email, survey responses, or any other personal data with affiliate networks. The networks operate under their own privacy policies.
When data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to maintain GDPR-equivalent protection.
5. AI processing — how Anthropic receives your data
Your survey responses are sent to Anthropic (the maker of Claude, the language model that drafts your Report) for the sole purpose of generating that draft.
What you should know:
- Anthropic processes the data under Standard Contractual Clauses as our processor.
- Anthropic’s standard policy is not to use API inputs or outputs to train its models, and we transmit your data through the API (not through any consumer interface).
- The draft is reviewed line-by-line by a human (Adam) before being sent to you. The human reviewer sees your survey responses to assess Report accuracy.
- We do not transmit your email address, payment information, or full identity to Anthropic — only the survey content needed to generate the Report.
For full transparency about AI authorship, see our AI Disclosure.
6. How long we keep data
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.
| Data | Retention period | Why |
|---|---|---|
| Survey responses + Report | 7 years from purchase | Customer support; refund eligibility; tax records (Lithuanian law: 5–10 years for accounting records) |
| Email address (transactional) | 7 years from last interaction | Legal obligation; ability to support past customers |
| Email address (marketing) | Until you unsubscribe, plus 30 days for processing | Consent-based |
| Payment data | 10 years (Lithuanian accounting law) | Legal obligation |
| Server logs | 30 days | Security; troubleshooting |
| Sentry error reports | 90 days | Debugging |
| Backup copies | Up to 30 days after deletion | Standard backup retention |
After the retention period expires, your data is deleted or anonymized. Anonymized data (with all personal identifiers stripped) may be retained indefinitely for product improvement and statistical analysis.
7. Your rights under GDPR
If you are in the EU, UK, EEA, or any jurisdiction with comparable data protection law, you have the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Correct any inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data (subject to retention obligations) |
| Restriction (Art. 18) | Restrict how we process your data while a dispute is resolved |
| Portability (Art. 20) | Receive your data in a portable, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7) | Withdraw any consent you have given (e.g., marketing) |
| Complaint (Art. 77) | Lodge a complaint with a supervisory authority |
To exercise any of these rights, email adam@withpurpo.se with your request. We will respond within 30 days, as required by Article 12 GDPR. We may need to verify your identity before fulfilling your request — in practice, this means responding from the email address you used to purchase.
We do not charge a fee for these requests, except in rare cases where requests are manifestly unfounded or excessive (Article 12(5) GDPR).
If you believe we have not handled your request properly, you may lodge a complaint with the Lithuanian data protection authority:
State Data Protection Inspectorate
L. Sapiegos g. 17, LT-10312 Vilnius
ada@ada.lt
https://vdai.lrv.lt
If you live elsewhere in the EU, you may complain to the supervisory authority in your country of residence.
8. Cookies and similar technologies
We use a small number of strictly necessary cookies and one analytics cookie.
| Cookie | Purpose | Duration |
|---|---|---|
session_id | Track your survey session so you can pause and resume | 7 days |
__stripe_* | Set by Stripe during checkout for fraud prevention | Per Stripe’s policy |
We do not use:
- Advertising cookies
- Behavioral profiling cookies
- Third-party tracking cookies
- Facebook Pixel, Google Ads, or similar marketing tags
Plausible Analytics (which gives us page-view metrics) does not use cookies and does not collect personal identifiers.
You can clear cookies through your browser settings at any time. Clearing the session_id cookie will reset your survey progress.
9. International data transfers
Some of our processors are located outside the European Economic Area (EEA), primarily in the United States.
When data is transferred outside the EEA, we rely on legally recognized safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, signed with each processor that transfers data outside the EEA
- Where applicable, the EU-US Data Privacy Framework (for processors certified under it)
- Additional technical and organizational measures (encryption in transit, encryption at rest)
You can request copies of the SCCs we have in place by emailing adam@withpurpo.se.
10. Children
The Service is not intended for and is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted personal data, contact us and we will delete it.
11. Security
We use reasonable technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.3)
- Encryption at rest in Supabase storage
- Access controls (only Adam, as the principal, has access to customer records)
- Two-factor authentication on all administrative accounts
- Regular software updates and dependency patching
- A small attack surface (we run a minimal stack and avoid storing data we don’t need)
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the Lithuanian supervisory authority within 72 hours, as required by Article 33 GDPR.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent change.
If we make material changes that affect how we use your existing data, we will notify you by email (using the email address associated with your purchase) at least 30 days before the changes take effect.
13. Contact
Privacy questions, requests, complaints:
MB AI Konsultacijos
Attn: Privacy
Ulonų g. 1-37, LT-08240 Vilnius, Lithuania
Email: adam@withpurpo.se
We will respond to all privacy-related correspondence within 30 days.
This Privacy Policy is written to be readable. It is not a substitute for personalized legal advice. For matters specific to your situation or the data of your own customers, consult a licensed attorney specializing in EU data protection law.