Privacy Policy
Last updated April 27, 2026
This privacy policy covers The Bird Bath Terminal web platform and Chrome extension, operated by First 100 Consulting LLC ("First 100," "we," "us"). We've tried to write this in plain English. If anything is unclear, email ryan@first100.io.
1. Information we collect
Account information
When you register, we collect your email address and a password (stored as a bcrypt hash with a unique per-user salt). We also record the invite code used to create your account and your IP address at signup.
Usage data
- Session data: Session tokens, IP addresses, and last-active timestamps for login management and security monitoring.
- Audit log: Each authenticated API call is recorded with session token, endpoint, IP address, user agent, status code, and timestamp. We do not log the request body. Retained for 90 days in the live database; longer in encrypted backups.
- Ask Terminal queries: Your chat questions and the AI-generated responses are stored so you can resume conversations. These are associated with your session, not your identity outside our system.
- Watchlists & preferences: Practice IDs you save and your UI preferences (default views, export presets) are stored in our database.
- Billing data: Stripe customer ID and subscription status. Payment cards never touch our servers — they are handled directly by Stripe.
Chrome extension
The Chrome extension sends the current page's domain to our server (with your authenticated session) to check for practice matches. We do not log the URL paths you visit. Widget preferences are stored locally in your browser.
2. Information we do NOT collect
- Browsing history beyond the current page domain (extension only)
- Third-party analytics, tracking pixels, advertising SDKs, or fingerprinting tools
- Payment card details (Stripe handles these; we receive only a customer ID and subscription metadata)
- "Sale" of personal data to anyone, ever — we do not engage in sale or sharing of personal information as defined under CCPA, CPRA, or similar state laws
3. How we use your information
- Authentication: verifying your identity and managing your session
- Feature delivery: chat history, watchlists, exports, billing
- Security: rate limiting, bulk-extraction detection, audit logging
- Service communications: password resets, security alerts, billing notifications, material policy changes
We do not use your data for advertising, retargeting, or model training by third parties.
4. Veterinary practice data
The Terminal's primary dataset is business information about U.S. veterinary practices — practice names, addresses, phone numbers, websites, services, and (where publicly available from state veterinary boards) the names and license numbers of licensed veterinarians at each practice. Specifically:
- Practice business information (name, address, phone, website, services, hours, ownership) is sourced from practice websites, public business directories, news sources, public real-estate records, and state-of-incorporation filings.
- Veterinarian names and license numbers are sourced from publicly available state veterinary board licensing records.
- Reviews and ratings are aggregated from third-party sources including Yelp; we attribute these to their original sources.
- Estimated revenue, parent-company inferences, hiring signals, and other computed fields are model-generated estimates based on public information and proprietary research. They are estimates only and may be inaccurate.
- We do not collect or publish personal cell phone numbers or personal home addresses of individuals.
If you are a veterinarian and want your name or license information removed from a practice record, submit a request at /privacy/request or email ryan@first100.io. We will respond within 45 days.
Important: the Terminal is not a consumer reporting agency. Terminal data is for practice-level commercial intelligence only and may not be used for FCRA-regulated purposes (employment screening, credit decisions, etc.). See our Terms of Service for details.
5. Cookies
We use two cookies, both first-party and operationally necessary:
- pokemon_session — session login. HttpOnly, Secure, SameSite=Lax, expires after 7 days. Server-side sessions also expire after 60 days of inactivity.
- pokemon_csrf — CSRF protection. Secure, SameSite=Lax, 24-hour rotation.
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.
6. Data storage & security
Account data is stored in PostgreSQL hosted on Render (US-Oregon). Practice data is stored in SQLite on the same host. All traffic is TLS 1.2+. All databases are encrypted at rest. Passwords are bcrypt-hashed with per-user salts. We maintain audit logs of every API request and run automated bulk-extraction detection. See /security for the complete control list.
7. Data retention
- Account data: retained while your account is active. Deleted within 30 days of account closure or upon a verified deletion request.
- Chat history: retained for the life of your account.
- Audit logs: 90 days hot (live database), longer in encrypted backups for security and compliance purposes.
- Login attempt records: 7 days (used only for the rate-limit window).
- Billing records: as required by tax and accounting regulations (typically 7 years).
8. Your rights
Under California's CCPA/CPRA, Texas TDPSA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and similar U.S. state laws, you have rights to:
- Access — receive a copy of personal data we hold about you
- Delete — request removal of your account and associated personal data
- Correct — fix inaccurate personal information
- Opt out — confirm your data is not "sold" or "shared" (it isn't)
- Non-discrimination — exercise any of the above without service penalty
Submit a request at /privacy/request (preferred — gives you a tracking ID) or email ryan@first100.io. We will respond within 45 days. We may need to verify your identity before processing certain request types.
9. Subprocessors
We use the following third parties to operate the Terminal. The complete list, with regions and access scope, is at /subprocessors:
- Render — web hosting and PostgreSQL database
- Cloudflare — content delivery, TLS termination, web application firewall
- Stripe — subscription billing and payment processing
- Anthropic — AI processing for Ask Terminal queries (no model training on customer data)
- Google Workspace (Gmail SMTP) — transactional email (password resets, security alerts)
- Google Fonts — typography
If we add or change subprocessors that materially affect customer data handling, we will update /subprocessors and notify subscribed customers at least 14 days before the change takes effect.
10. Children
The Terminal is a B2B platform intended for use by businesses and licensed professionals. We do not knowingly collect personal information from anyone under 18. If we learn we've inadvertently collected such information, we will delete it.
11. International transfers
The Terminal currently operates from U.S. infrastructure and serves U.S. customers. We do not knowingly process data of EU or UK residents. If you are an EU/UK customer with data residency or transfer requirements, contact ryan@first100.io — we can sign Standard Contractual Clauses on request.
12. Security incidents and breach notification
If we determine that a security incident has resulted in unauthorized access to your personal information, we will notify you by email at the address associated with your account within thirty (30) days of confirming the incident, except where law enforcement requests delay or where applicable law requires a different timeline. Notification will include the nature of the incident, the categories of information involved, and the steps we are taking to mitigate the incident. Where required by state breach notification laws, we will also notify the appropriate regulators.
13. Changes to this policy
We may update this policy as the platform evolves. The "last updated" date at the top reflects the latest revision. Material changes will be communicated via email or in-app notification at least 14 days before they take effect, except where a shorter period is required by law or to address a security incident.
14. Contact
First 100 Consulting LLC
Dallas, Texas
Email: ryan@first100.io
Data subject requests: /privacy/request