Privacy Policy
Last Updated: February 11, 2026
The Art of CTO ("we," "us," or "our") operates the website theartofcto.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our Site or use our services. Please read this policy carefully. By using the Site, you consent to the practices described herein.
1. Information We Collect
Information You Provide
We collect information you voluntarily provide when you:
- Create an account (name, email address, profile picture via Auth0)
- Subscribe to our newsletter (email address, optional first name)
- Submit a contact form or inquiry (name, email, message, optional file uploads)
- Use interactive tools and save results
- Set preferences (topics of interest, email frequency, theme)
- Subscribe to a paid plan (billing handled by Stripe; we do not store payment card details)
- Interact with our AI Assistant (conversation content)
Information Collected Automatically
When you visit the Site, we may automatically collect:
- IP address (hashed for privacy; originals anonymized after 30 days)
- Browser type and version, operating system, device type
- Pages visited, time spent on pages, referral URLs
- Click and scroll interactions, search queries entered on the Site
- Country and region (derived from IP address via Cloudflare headers)
- Error and performance data (page load times, JavaScript errors)
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Site and its features
- Send newsletters, product updates, and marketing communications (with your consent)
- Process payments and manage subscriptions
- Authenticate your identity and manage your account
- Personalize your experience (content recommendations, learning paths, AI responses)
- Analyze usage trends to improve our content, tools, and services
- Detect, prevent, and address fraud, abuse, and security threats
- Respond to your inquiries and provide customer support
- Comply with legal obligations
3. Third-Party Services
We use the following third-party service providers to operate and improve the Site. Each provider processes data on our behalf under contractual obligations to protect your information.
Cloudflare (Hosting, Security & Analytics)
Our website is hosted on Cloudflare Pages. Cloudflare provides CDN, DDoS protection, DNS, web application firewall, and edge computing services. Cloudflare Zaraz manages the loading of third-party scripts and enforces consent preferences. Cloudflare may collect technical information (IP addresses, request metadata) for security and performance purposes. View Cloudflare's privacy policy.
Google Analytics 4
We use Google Analytics 4 (via Cloudflare Zaraz) to understand how visitors interact with the Site. GA4 collects page views, events, session duration, and engagement metrics. Google Analytics cookies are only set after you provide analytics consent. View Google's privacy policy. You can opt out at any time using our consent banner or by installing the Google Analytics Opt-out Browser Add-on.
Google Ads & Google AdSense
We use Google Ads conversion tracking and Google AdSense to measure advertising effectiveness and display relevant advertisements. These services use cookies and are only activated after you provide marketing consent. Learn about Google's advertising policies.
Microsoft Clarity & Microsoft Advertising
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
Highlight.io (Error Tracking & Session Replay)
We use Highlight.io for error monitoring, performance tracking, and session replay to diagnose and fix technical issues. Highlight.io may record user interactions, network requests, and console errors. Session replay is only active when you have provided analytics consent. View Highlight.io's privacy policy.
Auth0 (Authentication)
We use Auth0 (by Okta) to manage user authentication and account security. When you create an account or log in, Auth0 processes your email address, name, and profile information to verify your identity. Auth0 stores your credentials securely and is SOC 2 Type II certified. View Okta's privacy policy.
Stripe (Payments)
We use Stripe to process subscription payments. When you subscribe to a paid plan, Stripe collects and processes your payment information (card number, billing address) directly. We do not store your payment card details on our servers. Stripe is PCI DSS Level 1 certified. View Stripe's privacy policy.
Brevo (Email Marketing)
We use Brevo (formerly Sendinblue) to manage our email newsletter and transactional emails. When you subscribe, your email address, name, and topic preferences are stored on Brevo's servers. Brevo tracks email opens, clicks, and unsubscriptions to measure engagement. Brevo is GDPR compliant. View Brevo's privacy policy.
Cloudflare AI Gateway
Our AI-powered features (AI Assistant, content generation) use Cloudflare AI Gateway to route requests to large language models. Conversation content you submit is processed to generate responses. We may retain conversation history to provide continuity across sessions. AI features are subject to Cloudflare's privacy policy.
We do not sell, trade, or rent your personal information to third parties. We may share your information with the service providers listed above, who process data on our behalf subject to confidentiality agreements and data processing addendums.
4. Cookies and Tracking Technologies
Cookies We Use
Strictly Necessary Cookies (always active):
- auth_session: Encrypted authentication session (expires after 24 hours)
- csrf_token: Cross-site request forgery protection
- zaraz-consent: Stores your cookie consent preferences
Analytics Cookies (set only after you provide analytics consent):
- _ga, _ga_*: Google Analytics client and session identifiers
- _clck, _clsk: Microsoft Clarity session identifiers
Marketing Cookies (set only after you provide marketing consent):
- Google Ads conversion tracking cookies
- Google AdSense advertising cookies
Local Storage
We use browser local storage to enhance your experience. This data stays on your device and is not transmitted to our servers unless explicitly noted:
- Consent preferences (synced with our server for GDPR audit trail)
- Theme preference (dark/light mode)
- Reading list and bookmarked content
- Recent search queries (for autocomplete)
- Recently viewed pages
Managing Your Preferences
You can manage your cookie preferences at any time using the consent banner that appears on first visit, or by adjusting your browser settings. Note that disabling strictly necessary cookies may prevent the Site from functioning properly.
5. Consent Management
We use a consent management system to ensure analytics and marketing technologies are only activated after you provide explicit opt-in consent. Consent records are stored with a full audit trail, including:
- Categories accepted and rejected
- Hashed IP address and approximate geographic location
- Timestamp and consent version
- Link to any previous consent record (for audit trail)
IP addresses stored in consent records are anonymized after 30 days. Consent records expire after 1 year, at which point you will be asked to re-confirm your preferences.
6. Data Retention
- Authentication sessions: 24 hours
- Consent records: 1 year (IP addresses anonymized after 30 days)
- Analytics data: Retained per Google Analytics and Microsoft Clarity default retention periods
- Newsletter subscriber data: Until you unsubscribe
- Account data: Until you request account deletion
- Payment records: Retained as required by tax and financial regulations
- AI conversation history: Retained while your account is active
- Security logs: 30 days
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Request transfer of your data in a machine-readable format
- Objection: Object to processing of your data for certain purposes
- Restriction: Request restriction of processing
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at privacy@theartofcto.com. We will respond within 30 days.
8. Your Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell your data)
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To submit a request, contact us at privacy@theartofcto.com.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States and the European Union, where our service providers operate. When we transfer data outside of the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms to ensure an adequate level of data protection.
10. Unsubscribe from Newsletter
You can unsubscribe from our newsletter at any time by:
- Clicking the "Unsubscribe" link at the bottom of any newsletter email
- Updating your preferences in your account dashboard
- Contacting us at unsubscribe@theartofcto.com
11. Data Security
We implement appropriate technical and organizational security measures to protect your personal data, including:
- HTTPS/TLS encryption for all website traffic
- Encrypted session cookies (AES-GCM)
- CSRF protection on all authenticated API endpoints
- IP-based rate limiting and abuse detection
- Web Application Firewall (WAF) and DDoS protection via Cloudflare
- Secure API connections to all third-party services
- IP address hashing and automatic anonymization after 30 days
- Regular security monitoring and automated vulnerability scanning
- Content Security Policy (CSP) headers to prevent cross-site scripting
However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
12. Children's Privacy
The Site is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@theartofcto.com.
13. Do Not Track Signals
We honor Do Not Track (DNT) browser signals. If your browser sends a DNT signal, analytics and marketing technologies will not be activated regardless of your consent preferences. We also respect the Global Privacy Control (GPC) signal.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or through a notice on the Site. Your continued use of the Site after changes are posted constitutes acceptance of the revised policy.
15. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Email: privacy@theartofcto.com
- Website: theartofcto.com/contact