Privacy Policy

1. Who we are

Morning Thesis is operated by Aquila Strategies LLC ("we", "us", "our"), based in Florida, USA. This policy explains what information we collect when you subscribe to or use Morning Thesis, how we use it, and the choices you have. By using the service you agree to this policy.

2. Information we collect

Information you provide directly: your email address, optional name, newsletter preferences, account credentials, and (for paid subscribers) billing details processed by our payment provider — we never see full card numbers.

Information collected automatically: IP address, approximate geolocation derived from IP, browser and device type, pages viewed, referrer URL, timestamps, email open/click metadata, and basic product analytics. Authentication cookies are set so you can stay signed in.

We do not collect: Social Security numbers, government IDs, full payment card numbers, biometric identifiers, precise GPS coordinates, or sensitive categories under GDPR Art. 9 unless you explicitly volunteer them.

3. How we use information

We use information to deliver the newsletter and any features you request, manage your account, process payments, send transactional and (with your consent) marketing emails, prevent abuse and fraud, improve the product, and comply with legal obligations. We do not sell personal information. We do not use it for automated decisions with legal effects. We do not use it to train third-party AI models.

4. Who we share data with

We name every recipient so you know exactly who has your data:

• Vercel — hosting, CDN, and serverless infrastructure. Receives request metadata and all data the service handles.
• Stripe — payment processing for paid subscriptions. Receives name, billing address, and payment details.
• Resend — transactional and newsletter email delivery. Receives email address, name, and message metadata.
• NextAuth (Auth.js) — authentication. Manages email, hashed password, and session tokens within our own database.
• Postgres database provider — durable storage of account, subscription, and newsletter data.
• Law enforcement — only when legally compelled (subpoena, court order, lawful request), and only what the order requires.

We do not share with data brokers or advertising networks. In the event of a corporate transaction (merger, acquisition, sale of assets), information may transfer to the successor entity subject to this policy.

5. Cookies and tracking

We use strictly-necessary cookies (login session, CSRF token) and functional cookies (preferences, theme). We do not run third-party advertising trackers or cross-site marketing pixels. We honor the Global Privacy Control (GPC) signal as an opt-out of sale/sharing under CCPA, and we honor browser Do Not Track by disabling non-essential analytics.

6. Your rights

You may request access to, correction of, or deletion of the personal information we hold about you. You may unsubscribe from marketing or newsletter emails at any time using the link in every email. To exercise any right, email eron@aquilastrategies.xyz. We respond within 30 days.

California residents (CCPA / CPRA)

You have the right to know the categories of personal information we collect, request deletion, request correction, and opt out of sale or sharing — we do not sell or share for cross-context behavioral advertising. To submit a verifiable consumer request, email eron@aquilastrategies.xyz with subject "CCPA Request" and verify with the email on file. We will not discriminate against you for exercising these rights.

EU / UK residents (GDPR / UK GDPR)

Lawful bases: contract performance, legitimate interest (security, fraud prevention, product improvement), consent (marketing), and legal obligation. You have the right of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your supervisory authority. Transfers from the EU/UK to the United States rely on Standard Contractual Clauses or our processors' EU–US Data Privacy Framework certifications.

7. Children's privacy

Morning Thesis is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. If we discover that we have collected personal information from a child under 13, we will delete it within 30 days of discovery. Parents and guardians can email eron@aquilastrategies.xyz with subject "COPPA — Child Data Request" and we will respond within 10 business days.

8. Data retention

Account data is retained for the life of the account plus 30 days after deletion. Transaction records are retained for 7 years for tax and accounting law. Marketing email lists are retained until you unsubscribe. Server logs are retained for 90 days. Backups roll on a 30-day cycle.

9. Security

We protect your information with TLS 1.2+ in transit, encryption at rest, hashed passwords (bcrypt), principle-of-least-privilege access controls, and provider-side automated backups. No system is 100% secure. If we discover a breach affecting your personal information, we will notify you without undue delay and, where applicable, within 72 hours of confirming the incident per GDPR Art. 33 and applicable state breach-notification laws.

10. International transfers

The service is hosted in the United States on Vercel. If you access the service from outside the United States, your information may be transferred to and processed in the United States.

11. Changes to this policy

We may update this policy as our practices change. Material changes will be communicated via the updated "Last updated" date at the top of this page and, for changes affecting accounts, by email to registered users.

12. Contact

Privacy questions, rights requests, and security disclosures: email eron@aquilastrategies.xyz.