Privacy

What we collect.
Where it lives.
What we don’t do with it.

This page describes what the site actually does: an account system, a Stripe subscription, an AI-assisted trip planner, a Printful-fulfilled welcome-kit shop, a newsletter, and two analytics tools. Nothing here was lifted from a generator.

Last updated · May 20, 2026

§ 01

Who runs this site

BESTMAN HQ is operated by Belmont Mills LLC. Belmont Mills is also the merchant of record on every Stripe charge — if you’ve paid for BMHQ Unlimited, the line on your card statement reads Belmont Mills, not BESTMAN HQ. The same entity operates the sister site at maidofhonorhq.com and Tour de Fore. Subscriptions and account state are site-namespaced — Stripe sees `metadata.site = "bmhq"` on every BMHQ checkout — so data behind one product never bleeds into another.

§ 02

Accounts

Accounts are email-based. We store your email, a bcrypt-hashed password (we never see or store the plaintext), and the list of plans you’ve saved. Magic-link logins use a one-time token that lives in our session store (Upstash Redis) for 15 minutes and is deleted on first use — used links don’t re-issue access.

Sessions ride on a single first-party cookie (`pmp-session`) with a 30-day TTL. It holds a random session ID — no personal data, no tracking pixels — set HTTP-only and SameSite=Lax. That’s the only identity cookie on the site.

§ 03

What we collect when you plan a trip

The wizard collects what you type into it: destination preferences, group size, budget tier, vibe, must-do activities, the groom’s drink/food/music notes, anything you flag about dietary or accessibility needs. To generate your itineraries (up to three tiers — Weekend Warrior, The Legend, The King), we send those wizard inputs to Anthropic’s Claude API. We don’t put your email or account ID into the prompt — only the trip parameters and the atlas grounding our engine retrieved for the city.

Generated plans and any selections you save are persisted under your account in Redis. Delete a saved plan any time from `/my-trips`.

§ 04

Subscriptions

BMHQ Unlimited is $19.99 a month, billed monthly by Stripe on behalf of Belmont Mills LLC. Stripe handles the card — we never see, store, or transmit it. We receive Stripe’s webhook signals (active, renewed, past-due, canceled) and persist a minimal subscription state under your email so the product can gate features. Cancellation goes through Stripe’s customer portal, one click from your account.

§ 05

Newsletter, lead capture, dropship orders

If you grab the readiness-checklist PDF, drop your email on a city page, or submit a concierge / trip-story form, we store your email plus whatever structured details you provided (city, group size, budget) in our Supabase tables, tagged with the brand (`bestman`) and the source. Lead-magnet captures trigger a five-email welcome sequence over the following days. Every email has a one-click unsubscribe backed by a per-email token — one click ends the sequence.

If you order a welcome-kit product, Stripe handles checkout and Printful handles fulfillment. Printful receives the shipping address + product details required to print and ship the order — they’re a sub-processor for that order only and don’t get added to any list of ours.

§ 06

Analytics

We run PostHog for product analytics — which destinations get viewed, which compare pages get clicked, which wizard steps people abandon — and Vercel Analytics + Speed Insights for traffic-level measurement and page performance. Neither is wired up for cross-site retargeting. We don’t run ads on this site, so there are no ad-network pixels.

We also fetch venue photos through Google’s Places API. Those requests go out from our server — not your browser — so Google sees our project key, not your IP, when a venue card loads its photo.

§ 07

Sharing and selling your information

When you give us your email — to have your plan emailed to you, save a trip, grab the readiness checklist, or reach our concierge — we may share or sell your personal information to relevant vendors and partners so they can follow up with offers for your trip. The categories that may be shared or sold are your identifiers (name, email, phone) and your trip profile (destination, dates, group size, budget tier, and the activities and preferences you selected), together with the behavioral signals we recorded while you used the planner.

Under the CCPA/CPRA and similar laws this is a “sale” or “sharing” of personal information, and you have the right to opt out at any time. Opt out at our Do Not Sell or Share My Personal Information page, or send a Global Privacy Control (GPC) signal from your browser — we honor GPC automatically as an opt-out. Until you opt out, we may share or sell the categories described above. We don’t knowingly collect or sell information from anyone under 18 — the bachelor-party context is adult by default.

§ 08

What we still don’t do

We don’t embed third-party social-media pixels, and we don’t run ad-network retargeting. We honor every opt-out — a Do Not Sell or Share request, or a GPC signal, stops the sharing and sale of your information and overrides anything else. We never share your account password or the private contents of your saved plans.

§ 09

Your rights

Delete your account any time by emailing info@bestmanhq.com from the address on file. Deletion removes your session, password hash, saved plans, lead-form rows, and subscription state. We respond within thirty days. California, EEA, UK, and other statutory-rights residents have the same access, deletion, and portability rights — same email, same response window — plus the right to opt out of the sale or sharing of personal information, which you can exercise at /do-not-sell or via a Global Privacy Control signal.

§ 10

Contact

Privacy questions, deletion requests, and corrections all go to info@bestmanhq.com. The merchant of record and data controller is Belmont Mills LLC.