Privacy Policy
Last updated: June 18, 2026
1. Introduction
Milestones Lab ("we," "us," or "our"), operated by Monart Agency, is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have regarding your data.
By creating an account and using the Milestones Lab platform ("Service"), you acknowledge that you have read and understood this Privacy Policy. This policy applies to all users of the Service, regardless of location.
2. Data We Collect
We collect the following types of data when you use our Service:
Account Information
- Email address
- Full name
- Location (city, country)
- Profile information you choose to provide (artist name, bio, genre, links)
Usage Data
- Pages visited and features used
- Session duration and frequency
- Device type, browser, and operating system
- IP address (anonymized for analytics)
Content You Create
- Contacts and CRM data
- Projects, tasks, and notes
- Files and documents you upload
- Checklist progress and tool outputs
Payment Information
- Payment processing is handled entirely by Stripe
- We do not store your credit card numbers, CVV, or full payment details on our servers
- We receive only a transaction confirmation, billing email, and subscription status from Stripe
3. How We Use Your Data
We use the data we collect for the following purposes:
- Provide the Service: To operate and maintain your account, deliver features, and enable your use of the platform
- Improve features: To analyze usage patterns and feedback to improve existing features and develop new ones
- Send transactional emails: To send account-related communications such as password resets, subscription confirmations, and important service updates (powered by Resend)
- Prevent abuse: To detect and prevent fraudulent activity, spam, and violations of our Terms of Service
We do not sell your personal data. We do not use your data for advertising purposes. We do not share your data with third parties for their marketing purposes.
4. Third-Party Services
We use the following third-party services to operate the platform. Each has its own privacy policy governing how it handles data:
- Supabase — Database hosting and user authentication
- Resend — Transactional email delivery
- Mapbox — Map rendering and geocoding for the industry directory
- Stripe — Payment processing and subscription management
- Vercel — Application hosting and deployment
We only share the minimum data necessary with each provider for them to perform their service. We encourage you to review the privacy policies of these third-party services.
5. Google API Data & Sensitive Data Protection
Milestones Lab offers an optional Gmail integration that allows users to send and view professional emails directly within the platform. This integration uses the Google Gmail API and requires explicit user consent via OAuth 2.0 before any data is accessed.
Data Accessed via Google APIs
- gmail.send — Used to send emails on behalf of the user from their connected Gmail account. Emails are sent only when the user explicitly composes and sends a message through the platform.
- gmail.readonly — Used to display email threads and replies within the platform's CRM view, so users can see conversation history without leaving the app.
- userinfo.email — Used to identify which Gmail account has been connected.
How We Protect Sensitive Data
- Encryption in transit: All communication between Milestones Lab and Google APIs is encrypted using TLS 1.2 or higher. All data transmitted between the user's browser and our servers is encrypted via HTTPS.
- Encryption at rest: OAuth access tokens and refresh tokens are stored in our database (Supabase on AWS), which uses AES-256 encryption at rest. Access to these tokens is restricted to the authenticated token owner via Row-Level Security (RLS) policies.
- Minimal data storage: We do not store the content of Gmail messages on our servers. Email content is fetched in real time from the Gmail API and displayed to the user. Only metadata (subject line, send date, recipient) is stored in activity logs for the user's own CRM tracking.
- No sharing with third parties: Google user data obtained through the Gmail API is never shared with, sold to, or made accessible to any third party. It is used solely to provide the email functionality within the user's own account.
- No use for AI/ML training: We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.
- User control: Users can disconnect their Gmail account at any time from Settings → Account. Upon disconnection, all stored OAuth tokens are immediately deleted from our database.
- Access control: Only the authenticated user who connected their Gmail account can access their email data. No other user, team member, or administrator can view another user's Gmail data.
Milestones Lab's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. Cookies
We use only essential cookies that are strictly necessary for the operation of the Service:
- Authentication cookies: To keep you securely signed in to your account
- Session cookies: To maintain your session state as you navigate the platform
We do not use advertising cookies. We do not use third-party tracking cookies. We do not use cookies for behavioral profiling or retargeting.
7. Data Retention
We retain your data as follows:
- Active accounts: Your account data, content, and usage data are retained for as long as your account remains active
- Deleted accounts: Upon account deletion, all personal data will be permanently deleted from our systems within 30 days
- Anonymized analytics: Aggregated and anonymized usage data (which cannot be used to identify you) may be retained indefinitely for statistical and analytical purposes
- Backups: Your data may persist in encrypted backups for up to 30 additional days after deletion, after which backups are cycled and permanently removed
8. Your Rights
Depending on your location, you may have the following rights under applicable data protection laws (including the GDPR, CCPA, and similar regulations):
- Right to access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of any inaccurate or incomplete personal data
- Right to deletion: Request deletion of your personal data (subject to legal retention requirements)
- Right to data portability: Export your data in a structured, machine-readable format (JSON export is available in Settings)
- Right to object: Object to the processing of your personal data for certain purposes
- Right to withdraw consent: Withdraw your consent to data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- Right to non-discrimination: Exercise your privacy rights without receiving discriminatory treatment (CCPA)
To exercise any of these rights, please contact us at hello@milestoneslab.com. We will respond to your request within 30 days.
9. International Transfers
Your data is stored on Supabase servers, which are hosted on Amazon Web Services (AWS) infrastructure. Your data may be transferred to and processed in countries other than your country of residence.
Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and other measures required by applicable data protection laws, to protect your personal data in accordance with this Privacy Policy.
10. Children
The Service is not intended for users under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that a user under 18 has created an account, we will take steps to promptly delete their account and associated data.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@milestoneslab.com so we can take appropriate action.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you at least 30 days in advance via email to the address associated with your account.
The "Last updated" date at the top of this policy indicates when the most recent revisions were made. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
12. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
We aim to respond to all inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.