Popp Media Agency

Privacy Policy

How we collect, use, and protect your information

Effective Date: March 17, 2026 · Last Updated: March 17, 2026

Popp Media Agency LLC ("Company," "we," "us," or "our"), a sole proprietorship owned and operated by Thomas Popp, operates PoppDesk, a unified operating system for personal and business life management, accessible at me.poppmedia.agency (the "Platform").

This Privacy Policy explains how we collect, use, store, share, and protect information in connection with your use of the Platform, and describes the rights you have with respect to your personal information.

PoppDesk is not a public-facing consumer application. Access is strictly limited to: (1) the Platform owner and administrator; (2) invited family members with designated access; and (3) prospective and current business clients who receive a time-limited magic link. No public registration is offered.

By accessing or using the Platform through an invitation or magic link, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

1.1 Information Collected from Business Clients

When a prospective or current business client accesses the Platform through a magic link, we may collect:

  • Contact Information: Full name, business name, email address, and telephone number.
  • Business Information: Industry or sector, current website URL, and general description of business operations.
  • Service and Project Information: Selected service interests, project scope, budget indicators, and timeline expectations.
  • Conversation Data: Messages exchanged during AI-assisted pitch conversations, including questions, responses, and any information voluntarily shared.
  • Session and Technical Data: IP address, browser type, operating system, device identifiers, and approximate geographic location derived from IP address.

1.2 Information Collected from Family Members

Family members granted access to designated areas may have the following collected:

  • Household Inventory Data: Kitchen inventory items, quantities, expiration dates, and associated metadata.
  • Medicine Cabinet Data: Medications, vitamins, first-aid supplies, dosage information, and inventory records.
  • Shopping Lists: Items added to shared shopping lists, including family member assignments.
  • Activity Data: Records of actions taken within the Platform with timestamps.

1.3 Information Collected Automatically

  • Log Data: Server logs capturing access times, pages visited, API endpoints called, and response times.
  • Session Data: Authentication session tokens stored in session cookies.
  • Audit Trail Data: A tamper-evident audit log secured with RSA-signed cryptographic checkpoints.

1.4 Information We Do Not Collect

  • Sensitive financial account credentials (payment processing is handled directly by Stripe)
  • Biometric data
  • Precise real-time geolocation data
  • Social media account credentials or content
  • Information from minors under 13 years of age (see Section 9)

2. How We Use Your Information

2.1 Providing and Operating the Platform

  • Authenticating your identity and maintaining secure access sessions.
  • Delivering features and functionality including AI-assisted pitch conversations and inventory management.
  • Processing and routing requests within the Platform's workflow engine.
  • Generating and sending notifications related to your activity.

2.2 Client Relationship and Business Development

  • Reviewing pitch conversation data to understand client needs and prepare proposals.
  • Communicating regarding your inquiry, proposal, or engagement.
  • Maintaining records of client interactions for service quality.
  • Invoicing and payment processing via Stripe.

2.3 Security and Integrity

  • Detecting, preventing, and responding to fraud and unauthorized access.
  • Maintaining the tamper-evident audit trail.
  • Enforcing rate limits and other protective measures.

2.4 Legal and Compliance

  • Complying with applicable laws, regulations, and legal obligations.
  • Responding to valid legal process, court orders, or law enforcement requests.
  • Protecting the rights and interests of Popp Media Agency LLC.

We do not use your personal information for advertising, behavioral tracking, or sale to third parties under any circumstances.

3. AI and Automated Processing

3.1 AI-Assisted Pitch Conversations

Prospective clients who access PoppDesk via a magic link may engage with an AI-powered conversational advisor. This feature uses the OpenAI API to generate responses based on the messages you send. Your conversation messages are transmitted to OpenAI for processing. Conversation transcripts are stored in our database.

The AI advisor does not make binding commitments on behalf of Popp Media Agency LLC. All AI-generated outputs are subject to human review before any formal proposal is made.

3.2 AI-Assisted Medicine Advisor

The medicine cabinet feature includes an AI advisor that assists with identifying medications, vitamins, and health supplies. This feature uses the OpenAI API and may query publicly available databases including OpenFDA, DailyMed, and OpenFoodFacts.

The AI medicine advisor is informational only and is not a substitute for professional medical advice, diagnosis, or treatment. Always consult a licensed healthcare provider regarding medical questions.

3.3 Internal AI Agents

Certain internal operations are powered by AI agents using the Anthropic Claude API. These agents are used exclusively for internal business operations and are not directly accessible to clients or family members.

3.4 No Automated Decision-Making with Legal Effect

No decisions that produce legal or similarly significant effects are made solely through automated processing without human review.

3.5 Data Transmitted to AI Providers

When you interact with AI-powered features, message content and relevant context may be transmitted to third-party AI API providers (OpenAI or Anthropic) for processing. We maintain data processing agreements with these providers. We recommend reviewing OpenAI's Privacy Policy and Anthropic's Privacy Policy.

4. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information.

4.1 Service Providers

We engage third-party service providers who process data on our behalf. These providers include:

  • OpenAI — AI model inference for pitch conversations and medicine advisor.
  • Anthropic — AI model inference for internal agents.
  • ElevenLabs — Voice synthesis for audio features.
  • Stripe — Payment processing. We do not store card numbers or full payment credentials.
  • OpenFDA / DailyMed / OpenFoodFacts — Public health databases queried for product information.

4.2 Legal Obligations

We may disclose information to comply with a subpoena, court order, or legal process; protect safety, rights, or property; or detect and respond to fraud or security threats.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction with notice as required by law.

5. Data Storage and Security

5.1 Storage Location

All Platform data is stored on servers located in the United States.

5.2 Workspace Isolation

PoppDesk uses strict workspace isolation. Personal, business, and client workspaces are maintained as separate data domains. All database queries are scoped to a specific workspace identifier, preventing cross-workspace data access.

5.3 Security Measures

  • Authentication: Session-based authentication with multi-factor authentication (MFA) support.
  • Transport Security: All data encrypted in transit using TLS (HTTPS).
  • Application Security: CSRF, XSS, and content injection protections via CSP headers and input sanitization.
  • Credential Encryption: Sensitive credentials encrypted using a KMS-like encryption system.
  • Audit Integrity: Tamper-evident audit trail with RSA-signed cryptographic checkpoints and monotonic sequence numbers.
  • Rate Limiting: Public-facing endpoints are rate-limited to prevent abuse.
  • Access Control: Access by invitation or time-limited magic link only. No open registration.

While we implement industry-reasonable security practices, no method of data transmission or electronic storage is completely secure. We cannot guarantee absolute security.

6. Data Retention

  • Audit Trail Data: Retained for a minimum of fifteen (15) years, secured with cryptographic checkpoints for legal and evidentiary purposes.
  • Client Data: Retained for the duration of the business relationship and seven (7) years thereafter, consistent with statute of limitations periods.
  • Household Data: Retained for as long as the family member has active access, and for a reasonable period thereafter.
  • Technical Logs: Retained for up to ninety (90) days, then purged or anonymized.

Audit trail records cannot be deleted or modified without destroying cryptographic integrity and will be retained for their full retention period.

7. Your Rights (California Residents & CCPA)

As a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know

Request disclosure of what personal information we have collected, the sources, the purposes, and the third parties we share it with.

Right to Delete

Request deletion of personal information, subject to legal exceptions including audit trail retention requirements.

Right to Correct

Request correction of inaccurate personal information we maintain about you.

Right to Opt Out of Sale

We do not sell or share your personal information for cross-context behavioral advertising.

Right to Non-Discrimination

We will not deny services, charge different prices, or provide lesser quality for exercising your rights.

To exercise any of these rights, email [email protected]. We will verify your identity and respond within forty-five (45) days.

8. Cookies and Tracking

PoppDesk uses a minimal, strictly necessary cookie regime. The only cookies set are session authentication cookies — first-party, HTTP-only, and secure — used exclusively to maintain your login state.

We do not use advertising cookies, analytics cookies, third-party tracking pixels, or social media widgets. Your activity on PoppDesk is not tracked by or reported to advertising networks or data brokers.

Because we do not engage in cross-site tracking or behavioral advertising, there is no material change in our practices in response to "Do Not Track" browser signals.

9. Children's Privacy

The Platform is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Access is controlled by invitation and magic link, and children under 13 are not permitted to independently access the Platform.

If you believe a child under 13 has provided personal information through the Platform without appropriate authorization, please contact us at [email protected].

10. Third-Party Services

PoppDesk integrates with the following third-party services. Your data may be subject to their respective privacy policies:

ServiceRolePrivacy Policy
OpenAIAI inference for pitch & medicine featuresopenai.com
AnthropicAI inference for internal agentsanthropic.com
ElevenLabsVoice synthesiselevenlabs.io
StripePayment processingstripe.com
OpenFDADrug & product databaseopen.fda.gov
OpenFoodFactsNutrition & supplement databaseopenfoodfacts.org

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, features, or applicable law. When we make material changes, we will update the "Last Updated" date at the top. Your continued use of the Platform after a revised policy has been posted constitutes acknowledgment of the updated terms.

12. Contact Information

Thomas Popp

Popp Media Agency LLC

[email protected]

me.poppmedia.agency

For privacy rights requests (including CCPA requests), include "Privacy Request" in the subject line. We will respond within forty-five (45) days.