Data Controller
The data controller for personal information collected through Effable (effable.me) is Wish-Machine, Inc., a Delaware C-corporation and the operator of the Effable product. You can reach us at andrewwang@wish-machine.com for any question, request, or complaint about how your personal information is handled.
We have not appointed an EU or UK representative under GDPR Art. 27 because we do not yet meet the thresholds requiring one. We will update this section if that changes.
What we collect
To run Effable we collect:
- Account data: email, OAuth identity (Google), display handle.
- Authored content: the AI clone you author or distill.
- Source materials you upload: blog posts, PDFs, image and video recordings, URLs.
- Usage data: requests to your clone, MCP tool calls, page views, error logs.
- Payment data: payout addresses (Base wallet, Stripe Connect account), invoice records.
Knowledge items you mark as Public on/dashboard/knowledgeare visible to anyone visiting your profile page (humans and agents alike); private items, which are the default, are visible only to you and your AI clone.
Biometric data
This is the section that mattered to you when you signed up.
When you upload video as a source material, our distill worker may extract visual features as a technical step in producing your AI clone:
- facial keypoints if video is involved (used to identify the creator in their own footage, never for identification of third parties),
- embeddings derived from the above.
We commit to:
- Purpose limitation. Biometrics are used solely to render your clone — never sold, never shared with advertisers, never shared with other Effable creators.
- Storage minimization. Raw biometric features (facial / visual) are encrypted at rest and discarded after distillation completes; only the distilled clone is retained long-term.
- Revocation. Withdraw consent in Settings → your clone is paused, biometric features are purged, and we retain only what’s legally required.
- No cross-creator linkage. We never use one creator’s biometric data to identify another person who appears in third-party content.
Where applicable jurisdictions require explicit biometric consent (e.g., Illinois BIPA, Texas CUBI, GDPR Article 9), the Welcome screen and this section serve as that consent record.
Chat visitors (effable.me/<handle>)
When you chat with a creator's AI clone at effable.me/<handle> we receive:
- The text of every message you send.
- Your IP address (we hash it via HMAC before storing — we don't keep your raw IP).
- A locally-generated anonymous session ID (cookie + localStorage).
- The AI's responses (so we can audit and improve quality).
How that data is used
- AI response generation. Your messages are sent to Anthropic Claude (the underlying LLM provider) along with the creator's distilled persona. Anthropic processes the data per their commercial terms (https://www.anthropic.com/legal/privacy). They don't train on Effable data per our contractual terms.
- Lead classification. After every exchange, a separate AI call categorizes whether your message looked like high intent (investor inquiry, recruiter outreach, partnership proposal, customer interest) or low intent (casual fan chat). If high-intent OR if you shared contact info (email / LinkedIn / handle / etc.) we summarize the exchange and surface it to the creator's inbox at /dashboard/leads. This is the only path by which the creator sees individually-identified messages from you.
- Rate limiting & abuse prevention. We count chat volumes per IP (via the HMAC-hashed IP) to prevent abuse. Hashed IP counters expire after 24h.
- Aggregate analytics. We compute weekly aggregates (total chats, intent breakdown) for each creator's dashboard. These aggregates never include your individual messages or contact info.
How long we keep it
- Chat messages: retained for 12 months unless the creator deletes them sooner.
- Lead records (high-intent exchanges + contact info): retained indefinitely at the creator's discretion (creators can delete via their inbox).
- Hashed IPs in rate-limit counters: 24 hours.
Your rights as a chat visitor
- Access: email andrewwang@wish-machine.com to request a copy of any data we hold about you (we'll need a fact pattern to identify your records since we don't keep your raw IP or your real identity).
- Deletion: email the same address; we'll delete all lead records you appear in within 30 days.
- Opt-out of classifier: you can chat without lead classification by closing the consent modal — the chat is then disabled.
- EU / UK visitors (GDPR): sending your messages to Anthropic to render the AI reply you requested is processed under Art. 6(1)(b) (performance of a contract — the chat you initiated). Lead classification and surfacing your contact info to the creator's inbox is processed under Art. 6(1)(a) (your explicit consent, given when you clicked "I understand"). Per Art. 7, that consent is freely given, specific, informed, and unambiguous — you can decline in one click and withdraw at any time by emailing andrewwang@wish-machine.com without affecting prior lawful processing.
- California visitors (CCPA): we don't sell your personal information; we share it with Anthropic only as a service provider; you have the right to know, delete, and limit per §1798.100, §1798.105, §1798.121.
Chat subprocessors (per-message data flow)
When a visitor sends a chat message, these external services see it (or a derivative of it). Each gets only the data needed to perform their function:
- Anthropic (Claude API) — receives your message text + the creator's persona at chat time.
- Supabase (Postgres + storage) — receives the database rows we persist (messages, leads).
- Resend (transactional email) — receives only the creator's email + a notification subject line when a lead is captured; never receives visitor message content.
- Vercel (web hosting) — receives the HTTP request to render pages; passes message text along to our API.
How we use what we collect
Strictly to operate Effable: authenticate you, render your clone, settle payments, prevent abuse, comply with law. We don’t train foundation models on your content. We don’t sell or rent your data.
Subprocessors
We use the following processors. Each has its own privacy commitments; we DPA them where applicable.
- Anthropic — LLM inference for clone rendering.
- Supabase — database, auth, storage (US region).
- Modal — compute for distill worker.
- Cloudflare — edge cache for MCP traffic.
- Stripe — fiat metered billing and creator payouts.
- Coinbase Commerce / x402 facilitator — USDC settlement on Base.
- Resend or equivalent — transactional email delivery.
Your rights
Across all jurisdictions, you can:
- access your data,
- correct or update it,
- export your raw uploads and clone configuration,
- delete your account (data tombstoned in 30 days, purged from backups in 90),
- withdraw biometric consent specifically (separately from account deletion).
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights regarding your personal data, under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — you can ask us to delete your data, subject to legal retention obligations.
- Right to restriction — you can ask us to suspend processing in certain circumstances.
- Right to data portability — you can request a machine-readable export of the data you provided.
- Right to object — you can object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent — where processing relies on consent, you can withdraw it at any time without affecting prior lawful processing.
- Right to lodge a complaint — you can complain to your national data protection authority. EEA residents can find their authority at edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents can contact the Information Commissioner’s Office at ico.org.uk. Swiss residents can contact the Federal Data Protection and Information Commissioner at edoeb.admin.ch.
To exercise any of these rights, email andrewwang@wish-machine.com. We will respond within one calendar month, which we may extend by up to two further months where strictly necessary, with notice.
California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of the sale or sharing of personal information. Effable does not sell your personal information. Submit a CCPA request to andrewwang@wish-machine.com.
Retention
Account data: while your account is active. Raw uploads and clone configuration: until you delete them. Logs: 90 days. Payment records: 7 years (tax / legal hold). Biometric features: discarded post-distill (not retained).
Data Processing Agreements
We have a Data Processing Agreement (DPA) with Anthropic that contractually restricts their use of your messages to delivering the chat service — they may NOT train foundation models on Effable data per our contract. We also have or are pursuing equivalent processor agreements with our other subprocessors listed above, each of which limits their use of your data to the specific function they perform for us.
International data transfers
Our subprocessors operate in the United States (Anthropic, Vercel, Modal, Resend, Stripe, Cloudflare) and in Europe / global regions (Supabase, Coinbase Commerce). For visitors located in the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) with our US-based subprocessors, and on the EU-US Data Privacy Framework where the recipient is certified under it. You can request a copy of the relevant transfer safeguards by contacting us at the address below.
Cookies & browser storage
We use a small amount of first-party browser storage to operate the service:
effable.chat-consent.<handle>— localStorage key recording the date you accepted the chat consent notice for a given creator.- An anonymous session ID used to maintain your chat session.
- A first-party cookie set by our auth provider (Supabase) when you sign in as a creator.
We do not use third-party advertising or analytics cookies. We do not run cross-site trackers.
Children's privacy
Effable is not intended for users under 16 in the EEA / UK, or under 13 in the United States (per COPPA). We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, contact us at andrewwang@wish-machine.com and we will delete it.
Changes to this policy
We may update this policy. The “Last updated” date at the top of this page shows the current version. Material changes — for example adding a new subprocessor or introducing a new use of your data — will be announced on this page at least 30 days before they take effect, and where required by law we will also notify you by email.
Contact
For privacy questions, data subject requests, or complaints, contact andrewwang@wish-machine.com. We are not required to appoint a Data Protection Officer under GDPR Art. 37 (we do not process special-category data at scale and we are not a public authority), but the founder handles all such requests personally.
Effable is a product of Wish-Machine, Inc., a Delaware C-corporation, United States.