Privacy Policy
Last updated: April 24, 2026
Life at the Improv is operated by StanHattie LLC, an Iowa limited liability company. This policy explains what we collect, why we collect it, who else handles it on our behalf, how long we keep it, and the rights you have over it. We tried to write it in plain English. The legal address at the bottom is the contact for any privacy question this page does not answer.
What's in here
1. What we collect
You give us
- Account info: email address, display name, optional headshot URL.
- Profile / portfolio: actor profile fields you fill in (age range, height, training, reels, social links). Coach profile fields if you teach (bio, specialties, rates, virtual availability).
- Practice content: scene chat transcripts with the AI, journal entries, scripts you upload, lesson plans, homework, take video recordings, classroom session notes, wall posts.
- Voice and video: audio captured for the AI scene partner is sent to Anthropic / OpenAI / ElevenLabs / Hume for processing in real time. Take recordings you choose to save are stored on Backblaze B2 in your account.
- Roster info (coaches only): student names, ages, contact info, session notes, attendance.
- Payment info: collected and stored by Stripe, not by us. We see your subscription tier and the last 4 digits of the card on file via Stripe's customer portal.
Captured automatically
- Device + browser metadata (user agent, timezone, language).
- IP address (hashed for rate limiting and abuse detection).
- Page views, clicks, session duration via Google Analytics 4 and Microsoft Clarity, only after you accept cookies.
- Authentication audit log (email, time, magic-link or passkey, IP hash) for security review.
2. How we use it
- Run the platform: scene practice, classroom mode, lesson plans, scripts, billing.
- Improve AI features (we never train third-party models on your content; see Sharing).
- Send transactional email: magic-link sign-in, billing receipts, classroom invites.
- Send product email if you opt in: feature updates, monthly digests. Every marketing email has an unsubscribe link.
- Detect and stop abuse: rate limits, fraud, bot signups, account takeover.
- Comply with legal obligations: tax records, lawful subpoenas, financial audit.
3. Legal basis (GDPR)
If you are in the EU / UK / Switzerland we rely on:
- Contract: you signed up, we provide the service.
- Legitimate interest: security, abuse detection, basic product analytics on aggregate data.
- Consent: optional analytics cookies (GA4, Clarity), product marketing email. You can withdraw at any time without losing access to the platform.
- Legal obligation: tax retention, lawful response to legal process.
4. Sharing & subprocessors
We do not sell your personal data. We do not "share" it for cross-context behavioral advertising (CCPA term). Your scene practice content is never used to train any AI model.
The companies below process data on our behalf so we can run the service. Each one is bound by a data processing agreement.
| Service | Purpose | Where |
|---|---|---|
| Railway | Application hosting and Postgres database | United States |
| Cloudflare | DNS, CDN, Workers (frontend hosting) | Global |
| Stripe | Subscription billing and Stripe Connect coach payouts | United States / Ireland |
| Resend | Transactional email delivery | United States |
| Migadu | Inbound email hosting (support@, hello@, mike@) | European Union (Switzerland) |
| Backblaze B2 | Object storage for take recordings and uploaded media | United States |
| Anthropic (Claude API) | AI scene partner, AI feedback, AI generation | United States |
| OpenAI | Optional voice synthesis on Free tier | United States |
| ElevenLabs | Voice synthesis on Pro and above | United States |
| Hume | Emotion-aware voice synthesis on Coach and above | United States |
| Groq | Whisper speech-to-text transcription on Pro and above | United States |
| Google Analytics 4 | Aggregate site analytics, only with cookie consent | United States |
| Microsoft Clarity | Session replay and heatmaps, only with cookie consent | United States |
| Twilio | SMS reminders for booked coaching sessions (opt-in) | United States |
| Apollo.io | B2B contact enrichment for coach outreach (no consumer data) | United States |
5. Cookies & analytics
Essential cookies: a session cookie (improv_session) and a CSRF cookie keep you logged in and protect form submissions. These do not require consent because the site cannot function without them.
Optional cookies: Google Analytics 4 and Microsoft Clarity load only if you click Accept on the cookie banner. Click Decline and we do not load them at all. Your choice is stored in a cookie called cookie_consent for one year.
6. Retention
- Active accounts: data is retained while the account is active.
- Inactive accounts (no login for 12 months): we email at month 10 to ask you back, archive at month 12, and hard delete at month 18.
- Deleted accounts: personal fields are anonymized within 30 days and rows are hard deleted within 90 days, except for transaction records we are required to keep.
- Transaction records (Stripe charges, invoices, tax info): 7 years per IRS rules.
- Audit log (sign-in attempts, admin actions): 2 years minimum.
- Take video recordings: kept until you delete them, with a 30-day soft delete bin first.
7. Your rights (GDPR / CCPA)
You have the right to:
- Access: request an export of all data tied to your account.
- Correct: edit your profile, or email us if a field isn't editable.
- Delete: ask us to wipe your account and the content tied to it. We honor this within 30 days.
- Portability: get a machine-readable copy of your data (JSON or CSV).
- Restrict: ask us to limit specific processing while we resolve a dispute.
- Object: opt out of legitimate-interest processing (we will look at it case by case).
- Withdraw consent: pull back from analytics cookies or marketing email any time, no consequences for your access to the platform.
- Complain: lodge a complaint with your data protection authority. We hope you'll talk to us first.
Email support@latihq.com with the request. We respond within 30 days. We will never charge you for exercising a right.
8. Children's data (COPPA, FERPA)
Account holders must be 13 or older. If you are a school or coach using the roster to track students under 13, you are the data controller for those students; we are the processor and we follow COPPA-compliant practices. We do not advertise to students. Student data is not used to train AI models. Parents may request access or deletion via the school or directly via support@latihq.com.
9. Security
HTTPS everywhere, HSTS preload. Passwordless auth: magic-link via Resend (15-minute one-time token, hashed at rest) plus optional WebAuthn passkey. Sessions are HMAC-signed cookies with server-side revocation rows. Database backups daily on Railway. Sensitive secrets live in environment variables, not in source. Webhooks are signature-verified.
10. International data transfers
Most of our processors are in the United States. If you are in the EU / UK we rely on Standard Contractual Clauses with each subprocessor where required. Migadu is in Switzerland (adequacy decision).
11. Changes to this policy
If we materially change how we process your data we'll email account holders and update the date at the top of this page. Continued use after the change date counts as acceptance.
12. Contact
StanHattie LLC
731 SE Alices Rd PMB 1035
Waukee, IA 50263, United States
support@latihq.com
(833) 278-5002