Momentum Creator — Privacy Policy

Effective Date: 2026-04-28 · Last Updated: 2026-05-10

1. Overview

This Privacy Policy describes how CWDS OÜ ("Momentum Creator," "we," "us," or "our") handles personal data in connection with:

the Momentum Creator web application (the "Application" or "App"), delivered to verified purchasers via the post-purchase confirmation page;
the Momentum Creator and related websites, including alexzah.com and any subdomain or product page (the "Websites");
purchases, emails, support requests, and other interactions connected to the above (together, the "Service").

We are the data controller for the personal data we handle in connection with the Service. You can contact us at the address in Section 16.

The short version. The Application is designed so that your check-in answers, the cards you generate, your release work, and any notes you add stay on your device. We do not collect them. The Websites (sales pages, checkout, and email flow) do use standard analytics and advertising tools like the rest of the internet — and this Policy explains exactly what they are and how to control them. Purchases pass through a small set of named third parties. We do not sell personal data.

2. Information We Process

We process different categories of data in different contexts. This Section separates them by surface (App vs. Websites).

2.1 Inside the Application (on-device, minimal)

The Application is a 15-minute self-coaching web app. It is designed to operate without sending your in-app content to us. We receive the following limited categories of data from, or on behalf of, App users:

Purchase and license data: order reference, product purchased, price paid, purchase date, and your email address used at checkout. This is used to deliver access and to honour the 30-day money-back guarantee.
Support and bug-report data (only if you choose to send it): your name (optional), your email address, the contents of your message, the browser and operating-system version, and any information you voluntarily include.
Operational network requests (see Section 7): initial page load, optional updates, and webpage fetches from URLs you intentionally open from within the Application.

2.2 On the Websites (standard marketing tools)

When you visit a Website, read a sales page, open a marketing email, or begin a checkout flow, we and our processors may receive:

Device and usage data: IP address, browser type, operating system, referring URL, pages visited, time on page, scroll depth, clicks, and similar analytics signals.
Cookies and similar technologies set by us and by third-party analytics and advertising providers. See Section 6.
Session recordings and heatmaps (via Microsoft Clarity) that record anonymised interactions on the page. Input fields are masked — Clarity is configured so that text you type into form fields, including any reflective content you enter inside the Application, is replaced with placeholder characters before being sent to Microsoft.
Advertising attribution signals (via Meta Pixel) that allow us to measure which ad led to which visit and to build audience lists for retargeting.
Email activity (via our email marketing provider) — open, click, and delivery signals for emails we send you.
Checkout and payment data collected by our payment processor, Stripe, Inc., when you purchase. We receive the transaction outcome and an associated buyer email, but we do not store your full payment-card details.

2.3 Communications You Send Us

If you contact us by email, via a support form, or by replying to a marketing email, we receive the contents of that communication and your email address. We use this to respond and keep a record of the conversation.

3. Information We Do Not Process

We want to be explicit about what we do not collect, because the brand promise of the Application depends on it.

We do not collect, store on our servers, or transmit to any third party:

your check-in answers or self-reported scores;
the Momentum Cards you generate during a session;
the release techniques you select or how you used them;
the 30-second action you commit to at the end of a session;
any notes, reflections, or written content you enter in the Application;
any continuous biometric, audio, video, or location signal from your device;
any microphone, contact, or location data — the Application does not request these permissions;
device advertising identifiers for advertising or cross-app tracking.

We do not:

sell your personal data to any third party;
share your personal data for cross-context behavioural advertising in the meaning of California law;
train any machine-learning model on your in-app content — there is no machine-learning model in the Application that would need to be trained.

4. On-Device App Architecture

Momentum Creator's check-in logic, Gestalt-cycle prompts, the 7 release techniques, the cards you generate, and the action commitments you make all run locally in your browser. The Application does not require a connection to our servers to deliver its core functions. It does not send your in-app content to any third party for analysis.

In short: once the page has loaded, the session runs on your device. That is by design.

5. Local Storage on Your Device

5.1 What Is Stored Locally

Your check-in answers, the Momentum Cards you generate, your selected release techniques, your action commitments, and any notes are stored inside your browser's localStorage on the device you used. That storage is subject to the protections and limitations of your browser and device operating system.

5.2 What You Control

You can delete locally stored Application data by:

using any in-app reset or deletion feature we provide;
clearing your browser's site data for alexzah.com;
using your browser's privacy or "clear history" settings;
performing a full device reset.

Because we do not keep this data on our servers, we cannot recover it if it is lost from your device or browser.

5.3 Browser and Device Sync

Some browsers and operating systems may include site data in account-based sync systems (for example, browser profile sync). Those sync flows are controlled by the browser or platform provider and by the account that is signed in, not by us. You can manage sync behaviour through your browser and device settings.

6. Website Analytics, Advertising, and Cookies

The Websites use third-party tools common to commercial online services. This Section lists them plainly. You can opt out of most of them through your browser or through the consent banner on the Website.

6.1 Tools Currently in Use

Tool	Purpose	Data Handled	Opt-out
Google Tag Manager (GTM)	Tag orchestration	Loads the tags below	Controlled by each tag
Google Analytics 4 (GA4)	Website analytics	Pageviews, events, UTM parameters, device and browser data, pseudonymised IP	opt-out
Microsoft Clarity	Session recordings and heatmaps (with input masking)	Anonymised interaction data on the page; form-field text is masked before sending	opt-out or reject in banner
Meta Pixel + Conversions API (CAPI)	Ad attribution and retargeting (browser pixel + server-side purchase events)	Pageviews and conversion events from the browser; for purchases, a server-to-server message including order data, IP, `_fbp`/`_fbc` cookies, and — only with marketing consent — SHA-256-hashed email and customer reference	Off-Facebook activity controls; reject marketing in the consent banner
Stripe	Payments	Card and transaction data during checkout	Handled by Stripe
GetResponse	Marketing and transactional email	Email address, open and click activity	Unsubscribe link in every email

6.1.1 Server-Side Conversion Measurement (Meta Conversions API)

Server-side advertising measurement (Meta Conversions API): Alongside the browser-based Meta Pixel above, after a successful purchase we send a server-to-server event to Meta's Conversions API (CAPI). This event includes the order amount, currency, product identifiers, your IP address, and the _fbp/_fbc cookies Meta set in your browser. If you accepted marketing cookies in our consent banner (or, where you are outside the EU/EEA/UK/Canada and no banner was required, by default under applicable local law), the event also includes a SHA-256 hashed version of your email and an internal customer reference. We never send your email in plain text. Both browser and server events share an event_id so Meta deduplicates them and counts the purchase only once. If you declined marketing cookies, the server event is sent without your hashed email or customer reference.

6.2 Cookies

The Websites use:

Strictly necessary cookies for checkout, session, and security — these do not require consent;
Analytics and advertising cookies for the tools listed above — these are set only after you give consent via the consent banner, where consent is required by applicable law;
Preference cookies to remember your choices.

You can clear cookies at any time through your browser settings, and you can change your consent choices through the consent banner on the Websites.

6.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals because there is no consensus on how to interpret them. We do honour the Global Privacy Control (GPC) signal where applicable law requires it.

7. Network Access and When Data Leaves Your Device

Separate from core on-device operation, the Application may make limited network requests when one of the following happens:

you load the Application page itself (the HTML, scripts, and assets are served from our hosting and CDN);
you make a purchase, restore a purchase, or verify access;
you choose to send us a support or bug-report message;
you tap a link inside the Application that opens a page on the Websites or on a third-party site;
you take any action that obviously requires a network call.

Information that you intentionally submit through these flows, and the minimum metadata required to complete them, may be transmitted for that specific purpose. These operational requests do not convert the Application into a cloud service and do not transmit your check-in answers, Momentum Cards, release work, action commitments, or notes for any analytic purpose.

8. Third-Party Service Providers

We use a small set of named third parties to run the Service. Each of them has its own privacy policy, and each processes personal data only on our instructions, under a data-processing agreement or a Controller-to-Controller arrangement as appropriate.

Provider	Role	Data Shared	Location
Stripe, Inc.	Payment processor	Payment, buyer email, order metadata	US + local
GetResponse S.A.	Email marketing and transactional email	Email address, opt-in source, open/click activity, buyer tags	Poland (EU)
Google LLC	Analytics (GA4, GTM)	Analytics signals, pseudonymised IP	US + local
Meta Platforms, Inc.	Ad attribution and retargeting (browser pixel + Conversions API)	Pageviews and conversion events (browser); for purchases, server-side events including order amount, IP address, `_fbp`/`_fbc` cookies, and — with marketing consent — SHA-256-hashed email and customer reference	US + Ireland (EU)
Microsoft Corporation	Session analytics (Clarity, with input masking)	Anonymised page interaction data; form-field text masked	US
Cloudways Ltd.	Web hosting for the Websites and Application	Server logs, IP address	EU + US
Cloudflare, Inc.	Content delivery and security	IP address, request metadata	US + edge locations

We do not share personal data with third parties for any purpose other than those described in this Policy, or as required by law.

9. International Data Transfers

Several of the providers above are located in the United States or operate globally. When we transfer personal data of EU/EEA, UK, or Swiss residents outside those regions, we rely on the following safeguards, as appropriate:

Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where appropriate by additional technical and organisational measures;
the EU-US Data Privacy Framework and its UK and Swiss extensions, where the recipient is certified;
Article 49 derogations where applicable, for specific operations (such as processing necessary for the performance of a contract you request).

You may request a copy of the safeguards in place for a specific provider by contacting us at the address in Section 16.

10. Legal Basis for Processing (EU/EEA/UK)

When the EU General Data Protection Regulation (GDPR) or the UK GDPR applies, we rely on the following lawful bases:

Performance of a contract — to process your purchase, deliver the Service, operate access, respond to support requests you initiate, and handle refunds under the 30-day guarantee described in our Terms.
Legitimate interests — to secure the Service, prevent abuse and fraud, investigate and resolve bugs, measure the aggregate performance of our Websites and marketing, and improve the product. Where we rely on this basis we balance our interests against your rights, and you may object at any time.
Consent — for non-essential cookies, session recordings, advertising tags, and any optional marketing emails beyond what is necessary to deliver a purchase. You can withdraw consent at any time through the consent banner, your browser, or the unsubscribe link.
Compliance with legal obligations — for tax, accounting, consumer-protection, and regulatory record-keeping.

11. Your Rights

11.1 Rights Under GDPR / UK GDPR

If you are in the EU, EEA, UK, or Switzerland, you have the right, subject to the conditions and limits in the applicable law, to:

access the personal data we hold about you;
request correction of inaccurate or incomplete data;
request deletion of your data ("right to be forgotten"), where one of the grounds in Article 17 GDPR applies;
request restriction of processing in certain circumstances;
object to processing based on legitimate interests;
request data portability in a structured, commonly used, machine-readable format, where the processing is based on consent or contract;
withdraw consent at any time, without affecting the lawfulness of processing before withdrawal;
lodge a complaint with a supervisory authority. If you are in Estonia, that authority is the Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate, AKI) — aki.ee. You can also contact the authority in the EU member state where you live or work.

To exercise any of these rights, contact us at the address in Section 16. We will respond within one month, or within two months for complex or numerous requests, as permitted by law.

11.2 Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the right to:

know what personal information we collect and how it is used and shared;
request deletion of personal information we have collected;
correct inaccurate personal information;
opt out of sale or sharing — we do not sell personal information, and we do not share it for cross-context behavioural advertising in the meaning of the CPRA;
be free from discrimination for exercising your privacy rights.

11.3 Rights in Other Jurisdictions

Residents of other regions may have additional rights under applicable local law. We honour any non-waivable statutory right you have where you live.

12. Data Retention

We retain personal data only for as long as we need it for the purpose for which it was collected, and for periods required by applicable law. Indicative retention windows:

Category	Retention
Order and access records	For the operational life of the Service, plus the period required by tax, accounting, and consumer-protection law (typically 7 years under Estonian accounting law).
Support and bug-report conversations	Up to 3 years after the conversation, for troubleshooting and dispute resolution.
Marketing email activity	For as long as you remain subscribed, plus a limited period after unsubscribe to honour your opt-out request.
Website analytics (GA4, Clarity, Meta Pixel)	Subject to the retention settings of each tool; GA4 is configured to the shortest retention option compatible with the product.
Payment records via Stripe	Governed by Stripe's retention policy and applicable financial-services law.

When retention periods expire, we delete or anonymise the data.

13. Security

We apply technical and organisational measures appropriate to the sensitivity of the data we handle, including:

transport encryption (HTTPS) on the Websites, the Application, and for all server-to-server calls;
browser-sandboxed local storage for Application content, protected by the operating system and browser;
access controls on administrative systems;
least-privilege access to third-party processors;
prompt review of security advisories affecting our stack.

No security measure is perfect. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority as required by law, and we will notify affected users where applicable law so requires.

14. Children's Privacy

The Service is intended for adults. As stated in our Terms of Use, you must be at least 18 years old to use the Service. We do not knowingly collect personal data from anyone under 18. If we learn that we have received personal data of a minor, we will delete it promptly.

If you believe a minor has submitted personal data to us, please contact us at the address in Section 16 so that we can take appropriate action.

15. Changes to This Privacy Policy

We may update this Policy to reflect changes in the Service, applicable law, or our practices. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, give additional notice inside the Application, on our Websites, or by email.

If we ever decide to begin collecting data from inside the Application that we previously did not collect (for example, in-app analytics on your check-in answers or Momentum Cards), we will update this Policy, update the in-app disclosures, and where required by applicable law, we will obtain your consent before the change takes effect for you.

16. Contact

For privacy questions, data-subject requests, or complaints:

CWDS OÜ

Attention: Privacy

Kotkapoja tn 2a-10, Kristiine, 10615 Tallinn, Harju maakond, Estonia

Email: alex@alexzah.com

Support: alex@alexzah.com

If you are in the EU/EEA or the UK, you also have the right to lodge a complaint with your local data-protection supervisory authority. If you are in Estonia, that is the Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate, AKI) — aki.ee.