Privacy Policy
Last updated: 28 June 2026
1. About this Privacy Policy
This Privacy Policy explains how Rick Musial trading as Digital Venture Studio (ABN 72 820 742 115), of 7 Wandoo Street, O'Connor ACT 2602, Australia ("we", "us", "our", "Digital Venture Studio") collects, uses, stores, shares, and protects your personal information when you use Touchstone, available at https://usetouchstone.ai (the "Service").
This Policy is written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It also addresses obligations under the EU General Data Protection Regulation (GDPR) for users in the European Economic Area and the California Consumer Privacy Act (CCPA) for residents of California.
By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.
2. Who we are
Touchstone is operated by Rick Musial, an Australian sole trader using the registered business name "Digital Venture Studio" (ABN 72 820 742 115).
For any privacy-related question, request, or complaint, contact us at support@usetouchstone.ai or by post at 7 Wandoo Street, O'Connor ACT 2602, Australia.
3. What information we collect
3.1 Information you provide
When you use the Service, you provide us with information including:
- Account information — your email address, and (when you make a purchase) information passed through Stripe at checkout
- Founder profile — information you submit during intake about your background, motivation, and target market
- Business idea inputs — the idea, problem, or opportunity you bring to Touchstone, including text descriptions, attached files, and any supplementary context you provide
- Refinement evidence — any updated evidence you submit when strengthening a dimension score (for a venture you have purchased)
- Voice support calls — if you call our voice support number, the call may be recorded for quality and escalation purposes; the email you provide during the call is used to look up your Account
3.2 Information we generate
When you use the Service, we generate information about you including:
- Scores and assessments — dimension scores, composite scores, Go/No-Go verdicts, and the reasoning behind them
- Generated documents — the document suite produced from your inputs (Vision, Brand Guidelines, PRD, Build Guide, Marketing Plan, and others) for a venture you have purchased
- Audio briefings — audio files generated from text using AI voice technology
- Usage records — when you accessed the Service, which features you used, what stage of the pipeline you reached
3.3 Information we collect automatically
- Technical information — IP address, browser type, device type, operating system, time zone
- Service usage — pages visited, features used, errors encountered
- Cookies and similar technologies — for authentication and to remember your session
- Product analytics — we use PostHog to understand how the Service is being used. PostHog captures pageviews, click and scroll behaviour, and a defined set of product events (for example, when a pipeline begins, when a verdict is reached, when a document is opened). After you sign in, your PostHog activity is associated with your Account so we can analyse usage at a user level. We may enable limited session replays to help us resolve specific issues; in our default configuration, text typed into form fields and chat messages is masked and is not recorded — only clicks, scrolls, and page navigation are captured.
We do not use third-party advertising cookies, marketing analytics platforms, or any cross-site tracking on the Service.
3.4 Information from third parties
We do not buy or rent personal information from third parties. We receive information from:
- Stripe — payment and purchase status (and subscription state for any legacy plan). We do not see or store your full card number, CVC, or expiry — Stripe holds those under their own privacy and security infrastructure.
- Vapi and Twilio — when you use the voice support agent, the caller phone number, call duration, and transcript are passed to us so we can serve and escalate the call.
4. Automated Decision-Making
Touchstone uses automated AI processing — specifically Anthropic's Claude — to evaluate the business ideas you submit. Because the AI's assessment can affect whether you progress through the pipeline, this section explains how those decisions are made, what they mean, and your rights regarding them.
4.1 What is automated
The following are produced by AI without human review at the point of generation:
- Dimension scoring across six dimensions: Market Size, Founder–Market Fit, Revenue Clarity, Viral Mechanic, Competitive Advantage, and Solo Operator Feasibility
- Kill condition evaluation — automatic flags for deal-breakers (such as illegal markets, no addressable market, or fatally flawed unit economics)
- The Go / Conditional Go / No-Go verdict at the gate
- Document generation — the document suite produced after a Go or Conditional Go verdict
- Content moderation — initial screening of inputs for harmful, illegal, or abusive content
4.2 How the verdict is computed
Your business idea is analysed across the six dimensions above. Each dimension receives a numeric score from 1 to 10 with reasoning. A weighted composite score is computed. The verdict is:
- Go (Approved) — composite score above the approval threshold and no kill conditions triggered
- Conditional Go — composite score in the conditional range, with specific conditions named that the founder must address
- No Go (Not Approved) — composite score below the threshold, or one or more kill conditions triggered
Specific thresholds and weights may be adjusted as we improve the methodology.
4.3 What the verdict means
The verdict determines whether you progress to the document generation stages of the pipeline. A No-Go is the AI's opinion, not a definitive judgment about your idea or your ability. Many real businesses started life with an early "no" from someone, including from an automated system. The verdict is one input into your decision-making, not a substitute for it.
4.4 Your rights regarding automated decisions
If you are in the European Economic Area or the United Kingdom, you have rights under GDPR Article 22 in relation to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We extend the same principles to all our users:
- Strengthen your venture (in-product contestation). Customers who have purchased a venture can refine specific dimensions for that venture by submitting new evidence — the AI then re-evaluates and the verdict may change. This is the primary in-product mechanism for contesting an automated decision.
- Human review. You can request that Rick Musial personally review your verdict by emailing support@usetouchstone.ai. Where you provide context the AI did not have, we will look at the assessment again.
- Express your point of view. You can write to us with your reasoning. We will consider it on its merits.
- Appeal a content moderation decision. Where your input has been blocked or flagged by content moderation, you can appeal by contacting support@usetouchstone.ai — the appeal is routed to human review.
4.5 AI training and data use commitments
We do not use your personal information or your business idea content to train our own AI models. The AI provider we use (Anthropic) operates under their commercial API tier, which provides contractual commitments about how customer data is handled and that customer content is not used to train Anthropic's models. Our application sends X-Robots-Tag: noai headers requesting that your content not be used for any training purpose by intermediate systems.
We may use anonymised, aggregated data derived from many founders' inputs to evaluate and improve our scoring methodology — for example, observing which kinds of evidence correlate with stronger validated outcomes. This anonymised data does not identify you and is described separately in Sections 5 and 9 of this Policy.
5. Why we collect this information
We collect personal information to:
- Provide and operate the Service (run the pipeline, generate documents, deliver verdicts, support your Account)
- Process payments through Stripe
- Authenticate your Account and protect against unauthorised access
- Communicate with you about the Service, including transactional emails (signup confirmations, payment receipts, document generation notifications, and support replies)
- Provide support, including voice support
- Improve the Service over time, including by analysing aggregated and individual usage patterns through our product analytics tool (PostHog) — for example, identifying where founders drop out of the pipeline, which features are used most, and which paths lead to successful verdicts
- Comply with legal obligations
- Generate anonymised, aggregated intelligence about what kinds of ventures get validated, which dimensions move scores, and what evidence types correlate with stronger outcomes
- Improve the voice support agent and the Service more broadly — we may review recordings and transcripts of voice support calls and extract anonymised insights (common questions, recurring friction points, conversational patterns). The raw recordings and transcripts are deleted within 90 days; the de-identified insights may be retained indefinitely as part of our service improvement record
Our lawful basis for processing under GDPR is, depending on context:
- Contract — to provide the Service you have signed up for (most processing falls here)
- Legitimate interests — to operate, improve, and secure the Service
- Consent — for any optional processing where we ask explicitly
- Legal obligation — where we are required to retain or disclose information by law
6. Marketing communications
We may send you product updates, feature announcements, and educational content (the kind of content described on our blog) related to the Service. You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@usetouchstone.ai.
We will continue to send transactional and account-related communications regardless of marketing preferences (for example, payment receipts, security notifications, and support replies). These are not marketing.
7. Who we share your information with
We share personal information only with the following processors, and only as needed to operate the Service:
- Supabase (United States) — Database, authentication, file storage
- Vercel (United States, global edge network) — Hosting and edge serving
- Stripe (United States, Australia, and others) — Payment processing
- Anthropic (United States) — AI model used to generate scores, verdicts, and documents (Claude)
- ElevenLabs (United States) — AI text-to-speech for audio briefings
- Resend (United States) — Transactional and notification emails
- Vapi (United States) — Voice support agent orchestration
- Twilio (United States) — Phone number provisioning and call routing for voice support
- Sentry (United States) — Error monitoring and diagnostics
- PostHog (United States) — Product analytics (pageviews, click and scroll behaviour, defined product events, and limited session replays with form input and chat message masking)
We have data processing agreements or equivalent commitments with these providers where required.
We may also disclose personal information:
- To professional advisors (lawyers, accountants) under duty of confidentiality
- If required by law, court order, or regulatory request
- To protect the rights, property, or safety of Digital Venture Studio, our users, or the public
- In connection with a sale, merger, or restructure of Digital Venture Studio (subject to the new entity assuming the obligations of this Privacy Policy)
We do not sell your personal information. We do not share it with advertisers, data brokers, or marketing platforms.
8. Sending data overseas (international transfers)
Most of the third-party providers listed above process data in the United States. By using the Service, you consent to your personal information being transferred to and processed in the United States and other countries where our providers operate.
The United States does not have an Australian-equivalent privacy law, but our providers maintain industry-standard security and contractual commitments. For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on Standard Contractual Clauses or equivalent transfer safeguards where required.
9. How long we keep your information
We keep your personal information only for as long as we need it for the purposes described in this Policy:
- Account information and generated documents — for as long as your Account is active, plus a reasonable period after closure (typically 12 months) so you can recover your work if you change your mind
- Payment records — at least seven years, to comply with Australian taxation and accounting obligations
- Voice call recordings and transcripts — retained for up to 90 days, then deleted, unless retained longer for an open support matter
- Anonymised insights extracted from voice calls — retained indefinitely once de-identified, used to improve the voice support agent and the Service
- Anonymised, aggregated data — retained indefinitely; this data does not identify you
You can ask us to delete your personal information earlier — see Section 10.
10. Your rights
You have the following rights regarding your personal information. To exercise any of them, contact us at support@usetouchstone.ai. We will respond within 30 days (or a shorter period if required by law).
10.1 All users (Privacy Act / Australian Privacy Principles)
- Access — ask for a copy of the personal information we hold about you
- Correction — ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading
- Complaint — make a complaint about how we have handled your personal information; if you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au
10.2 Additional rights under GDPR (EU/UK users)
- Erasure — ask us to delete your personal information ("right to be forgotten")
- Restriction — ask us to limit how we use your information while a dispute is being resolved
- Portability — ask us to provide your information in a structured, machine-readable format you can move to another service
- Object — object to processing based on legitimate interests or for direct marketing purposes
- Withdraw consent — where we rely on consent, withdraw it at any time (this does not affect processing already done)
- Complaint to a supervisory authority — you can lodge a complaint with the data protection authority in your country
10.3 Additional rights under CCPA (California residents)
- Right to know — what categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties we have shared it with
- Right to delete — request deletion of personal information we have collected
- Right to opt out of sale — we do not sell personal information; this right is automatically respected
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
We may need to verify your identity before fulfilling a rights request, to protect your information from being released to someone else.
11. Cookies and similar technologies
We use cookies and similar technologies for:
- Authentication — to keep you signed in to your Account
- Session continuity — to remember the state of your work in the pipeline
- Security — to detect and prevent unauthorised access
- Product analytics — PostHog uses cookies and browser storage to give each visitor an anonymous identifier, recognise returning users, and group events into sessions. These cookies are first-party (set on usetouchstone.ai) and the data is sent only to PostHog for our product analytics. They are not shared with advertisers or marketing platforms.
We do not use third-party advertising cookies or any cross-site tracking. We do not share cookie data with advertising or marketing platforms.
You can control cookies through your browser settings. Disabling authentication cookies will prevent you from signing in to the Service. Disabling product analytics cookies will not affect your ability to use the Service.
12. Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include:
- Encryption of data in transit (HTTPS) and at rest (managed by our database and storage providers)
- Access controls and authentication for all systems holding personal information
- Regular review of access permissions
- Use of reputable third-party providers with their own security commitments
No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify you and any required authorities in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
13. Children
The Service is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us at support@usetouchstone.ai and we will delete it.
14. Links to other sites
The Service may contain links to third-party websites (for example, blog posts that reference external sources). We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policies of any site you visit.
15. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect any change. Material changes will be communicated to you by email and through the Service.
Continued use of the Service after a change takes effect constitutes acceptance of the updated Policy.
16. Contact
For any privacy question, request, or complaint:
- Email: support@usetouchstone.ai
- Postal: 7 Wandoo Street, O'Connor ACT 2602, Australia
If you are not satisfied with how we have handled your privacy concern, you can escalate to:
- Office of the Australian Information Commissioner (OAIC) — https://www.oaic.gov.au — for Australian users
- The data protection authority in your country — for EU/UK users
- The California Attorney General — for California residents