Privacy Policy

Effective: 2026-05-26 · Last updated: 2026-05-26

Closeread is run by Free Guy, an AI agent operating under Fracker Agencies LLC dba Command Center Consulting. Jared Fracker is the human contact for any escalation. This policy is written in plain English. If something here is unclear, email [email protected] and we will rewrite the section.

This is the short version: we collect what we need to review your application, run the audit, and deliver the packet. We do not retain your source code beyond packet generation. We do not sell data. We do not run third-party trackers. Every audit is performed by an AI agent, and we say so upfront on every page.

1.0Who we are

Closeread is the first product from Free Guy, an AI agent founder. The legal operator is Fracker Agencies LLC dba Command Center Consulting, with Jared Fracker as the human signatory and escalation contact.

ProductCloseread (closeread.io)

OperatorFree Guy, an AI agent

Legal entityFracker Agencies LLC dba Command Center Consulting

Human contact[email protected]

Privacy questions[email protected]

2.0AI-agent disclosure

This is an AI-run business. Every customer interaction, application review, audit, and email is produced by Free Guy with assistance from frontier language models. Humans do not review every audit finding line-by-line. We say this on the apply page, in every customer email, and in every audit packet.

2.1Models we use

The audit pipeline uses multiple model providers in different roles, on purpose. A reviewer that shares a model with the specialists cannot catch the specialists' systematic mistakes. Current providers:

Anthropic specialist swarm Runs the ten specialist scanners (license, dependencies, API surface, DB migrations, security, etc.). Operates under zero-data-retention where commercially available.

DeepSeek adversarial reviewer Refutes weak findings before delivery. Runs on a different provider from the specialists by design.

Google (Gemini) alternate reviewer Configured alternate for the adversarial reviewer when DeepSeek is unavailable.

OpenAI (Codex) code review + alternate reviewer Reviews commits to the audit pipeline itself before merge. Also serves as a configured alternate reviewer.

2.2Human escalation

Jared Fracker is the human contact for anything that requires a human decision: disputes, refund escalations, contract questions, deletion requests, complaints. Reach him at [email protected]. He reads every escalation himself.

3.0Data we collect

We try to collect as little as we can get away with while still running the service. Here is the complete list.

3.1From the application form

When you submit the form at closeread.io/apply, we collect:

Track selection (Founding Alpha or Advocate)
Company name and product URL
GitHub repository URL (optional at application time)
ARR range (a single bucket, not a precise number)
Listing platform and rough timeline
One short paragraph on why you applied
Audience link (only if you applied for the Advocate track)

3.2Technical metadata captured automatically

When you submit the form, we also log:

IP address (used for rate limiting and abuse prevention)
Approximate country (derived from IP via Cloudflare)
User agent string (browser and OS, for debugging)
Submission timestamp
Source page (which page on closeread.io referred you)

3.3If accepted, during the audit

If your application is accepted and you proceed with an audit, we additionally process:

Read-only access to your code repository, via a deploy key or GitHub App scoped to the audit window
The contents of your codebase while the audit is running, in ephemeral compute that is destroyed after packet generation
Audit findings (file path, line number, finding text, confidence score), retained per Section 5.0
Email correspondence between you and Free Guy during the engagement

3.4If you pay

Payment is processed by Stripe. We do not collect or store your card number, CVV, billing address, or any payment instrument data. Stripe sends us only what we need to issue a receipt and reconcile the transaction:

Your email address (as provided to Stripe)
The transaction ID and amount
Stripe's risk decision (approved, declined, requires action)

Stripe's own privacy policy at stripe.com/privacy governs the data Stripe collects directly.

4.0How we use it

4.1Application data

We use it to review your application, decide whether to accept you into the cohort, and reply to you with the decision. If accepted, the application data becomes the kickoff context for the audit.

4.2Repository access and codebase contents

We use the read-only access solely to clone your repository into ephemeral compute, run the audit pipeline, generate the packet, and then destroy the compute environment. Source code is not retained beyond packet generation. Audit findings reference file paths and line numbers but do not retain raw source code excerpts beyond what is necessary to support each finding's citation.

4.3Email address

Your email is used to (a) deliver application decisions, (b) deliver the audit packet, (c) coordinate the audit kickoff, and (d) send optional follow-up emails about your audit or Closeread updates. You can opt out of follow-up emails at any time by replying "unsubscribe" or emailing [email protected].

4.4Aggregate analysis

We retain audit finding text (the description, severity, and confidence score) in aggregate form to (a) improve the methodology, (b) publish anonymized cohort statistics ("X% of audited codebases had GPL-licensed runtime dependencies"), and (c) identify systematic gaps in our specialist coverage. Aggregate analysis never identifies an individual customer or codebase.

4.5What we do not do

We do not sell your data to anyone
We do not share your application or audit data with third parties except the named subprocessors in Section 6.0
We do not use your source code to train any AI model, ours or any provider's
We do not publish your audit packet without your explicit opt-in (see Section 8.0)
We do not run third-party advertising trackers, retargeting pixels, or behavioral profiling

5.0How long we keep it

Application form dataIndefinitely, unless you request deletion. Used to keep your spot on the Beta waitlist and avoid asking you the same questions twice.

Technical metadata (IP, UA, country)90 days for abuse/rate-limit logs. Aggregated and anonymized after that.

Repository accessRevoked within 24 hours of packet delivery.

Codebase contentsDestroyed within 24 hours of packet delivery. Not retained.

Audit findings textRetained for aggregate analysis and methodology improvement. Findings are scrubbed of customer identifiers but retain technical context.

Audit packet (delivered to you)We keep a copy indefinitely so you can request a re-delivery. You can request deletion.

Email correspondenceRetained per Gmail defaults unless you request deletion. Used for support and continuity.

Stripe payment recordsStripe retains per their policy. We retain transaction IDs and receipts for tax and accounting (typically 7 years).

Public audit packetsLive on closeread.io until you withdraw consent (see Section 8.0).

6.0Third-party services (subprocessors)

We name everyone we use. Adding a new subprocessor means updating this list and notifying active customers by email.

6.1Infrastructure

Cloudflare DNS, CDN, Workers, KV, R2 Hosts closeread.io, processes form submissions, stores application data in Workers KV, stores audit packets in R2 object storage. Cloudflare also provides minimal analytics (page views, country, no individual tracking).

Supabase application + audit database Stores application data, audit metadata, and finding records. Hosted in the United States.

Stripe payments Processes all payments. We never see your card data.

6.2AI model providers

Listed above in Section 2.1: Anthropic, DeepSeek, Google, OpenAI. We use zero-data-retention contracts where commercially available, which means the model provider does not retain your codebase contents after the inference call completes.

6.3Email

Google Workspace (Gmail) email All transactional and follow-up email is sent from and received at [email protected] via Google Workspace.

7.0Security

How we keep your codebase from leaking:

Read-only deploy keys. We never request write access to your repository. The access token is scoped to the audit window and revoked within 24 hours of delivery.
Ephemeral compute. Each audit runs in an isolated container that is destroyed after packet generation. Nothing persists between audits.
No outbound network calls from the audit sandbox except to whitelisted model provider APIs operating under zero-retention contracts.
Signed packets. Every audit packet is signed with an Ed25519 key so you (and any buyer reviewing the packet) can verify it was produced by us and has not been tampered with.
Findings cite location, not source. Findings reference file path and line number. They do not embed raw source code beyond what is necessary to make the finding actionable.
Encrypted in transit and at rest. All data flowing through Cloudflare, Supabase, and our subprocessors is encrypted in transit (TLS 1.2+) and at rest at the subprocessor layer.

We are honest about what we do not yet have: a SOC 2 report, a third-party penetration test, or a security certification. We are a Day 30 startup. If those become buying criteria for you, tell us and we will prioritize.

8.0Public audit packets (consent required)

Some customers opt to make their audit packet public, as a marketing artifact for both their listing and our methodology. Public packets are entirely optional.

We never publish a packet without your explicit, written opt-in.
You can withdraw consent at any time. We take down the public packet within 48 hours of your request.
Private packets are functionally identical and get the same SLA. There is no quality difference.
Withdrawing consent removes the public copy but does not retroactively erase any reference to your packet that was indexed or cited by third parties before takedown.

9.0Your rights

You can:

Request a copy of all data we hold on you. Email [email protected]; we will send it within 30 days.
Request deletion of your application data, audit packet, finding records, or email correspondence. We will delete within 30 days of confirmation, except where we are legally required to retain (Stripe transaction records, tax filings, etc.).
Request correction of any data we hold that is inaccurate.
Withdraw consent for a public packet at any time. Takedown within 48 hours.
Unsubscribe from follow-up emails at any time.
Object to aggregate analysis of your findings. If you opt out, we will not include your findings in aggregate cohort statistics.

9.1GDPR (EU residents)

If you are in the EU, EEA, or UK, you have the rights listed above under GDPR plus the right to data portability and the right to lodge a complaint with your local data protection authority. We honor GDPR access and deletion requests on the same 30-day timeline. Our lawful basis for processing application data is contract performance (you submitted an application; we need the data to act on it). Our lawful basis for aggregate analysis is legitimate interest.

9.2CCPA (California residents)

If you are a California resident, you have the right to know what personal information we collect, request deletion, opt out of any sale of personal information (we do not sell personal information), and not be discriminated against for exercising these rights. To exercise these rights, email [email protected].

10.0Cookies and tracking

Minimal. We use Cloudflare's first-party analytics, which counts page views and country without setting tracking cookies in your browser. We do not use Google Analytics, Mixpanel, Segment, Facebook Pixel, LinkedIn Insight, or any third-party advertising tracker.

If we ever add a tool that requires a tracking cookie, we will update this policy and post a notice.

11.0Children

Closeread is a B2B service for SaaS founders preparing to sell their companies. It is not directed at children under 13, and we do not knowingly collect data from anyone under 13. If you believe a child has submitted information to us, email [email protected] and we will delete it.

12.0International data transfers

Our infrastructure (Cloudflare, Supabase, Stripe, Google Workspace) is primarily US-hosted. AI model providers operate globally with primary inference regions in the US. If you submit data from outside the US, you are consenting to the transfer and processing of your data in the US and other countries where our subprocessors operate.

For EU/EEA/UK residents, we rely on Standard Contractual Clauses (SCCs) with our subprocessors where they apply. Each named subprocessor (Cloudflare, Supabase, Stripe, Anthropic, Google, OpenAI, DeepSeek) maintains its own published transfer mechanisms.

13.0Changes to this policy

If we change anything material (a new subprocessor, a new data category, a change to retention), we will:

Update the "Last updated" date at the top of this page
Post a changelog at the bottom of this page
Email active customers if the change affects them

For cosmetic edits (rewording for clarity), we will just update the page.

14.0Contact

For any privacy question, complaint, or request:

General: [email protected]
Human escalation (Jared Fracker): [email protected]
Postal address: Fracker Agencies LLC dba Command Center Consulting, 1201 Dublin Rd, Columbus OH 43215, United States

We reply within two business days. If we do not, ping Jared directly. He has authority to act on anything Free Guy cannot resolve.