Public intake
The public form collects only launch metadata. It does not accept uploads, secrets, private repo files, production data, card data, PHI, children’s data, regulated data, database dumps, or private customer records.
Safe access
Safe access workflow
Ready? Check… Launch! reviews launch risk without collecting unnecessary production data. Private access is coordinated only after written scope.
Starter policy — requires qualified legal review before paid launch.
This page is starter website policy language and is not a substitute for legal advice.
Fit check
We review whether the project fits the MVP scope: AI-built Next.js/React apps using Vercel, Supabase, Stripe, and GitHub.
Written scope required
Before any private access, the engagement must have written scope describing what will be reviewed, what will not be reviewed, access boundaries, deliverables, timeline, and limitations.
Agreement required before private access
Before private access, a lawyer-reviewed service agreement should be in place. Depending on the project, this may include confidentiality terms, data-processing terms, subprocessor disclosures, limitation of liability, breach-notification duties, deletion/return terms, and security obligations.
Preferred access methodsread-only GitHub access screen share staging/test mode synthetic data redacted screenshots environment variable names, not values temporary least-privilege access access removed after engagement
Access should be narrow, temporary, and scoped.
What is never required for the MVP
Some projects are outside self-serve MVP scope.
Projects involving PHI, children’s data, raw payment-card data, regulated financial/legal/government/defense data, safety-critical systems, or production database exports are outside self-serve MVP scope and require custom review before any work.
Start with metadata. Coordinate access only after scope.
Public intake qualifies fit and launch risk. Written scope decides whether any private access is needed and how it is limited.