Your Privacy Matters (Even to Our MVP)
We're a small team with big privacy standards. This policy explains how we handle your data with the same care we'd want for our own. Spoiler: we're not selling your data to aliens.
🚀 TL;DR (The Privacy Cliff Notes)
📋 The Full Story (Because Lawyers Love Details)
Personal Information
When you sign up, we collect basic info like your name, email, and company details. Think of it as a digital handshake—we need to know who we're working with!
- Name and email address (for account creation and communication)
- Company information (to understand your business context)
- Payment information (processed securely through Stripe)
- Usage data (to improve our service and help you succeed)
Technical Information
We automatically collect some technical data to keep things running smoothly:
- IP addresses and browser information (for security and troubleshooting)
- Usage patterns and feature interactions (to improve user experience)
- Error logs and performance metrics (to fix bugs before you notice them)
- Cookies and similar technologies (to remember your preferences)
Service Delivery
Providing, maintaining, and improving our platform so you can focus on building.
Communication
Sending important updates, support responses, and the occasional "we miss you" email.
Security
Protecting your account and our platform from bad actors and technical issues.
Analytics
Understanding how you use our service to make it better (anonymized when possible).
We Don't Sell Your Data
Let's get this out of the way first: we're not in the business of selling your personal information. Your data is valuable to us for improving our service, not for selling to the highest bidder.
Service Providers
We work with trusted third-party services to keep things running:
- Stripe: For secure payment processing
- Cloudflare: For CDN and security services
- Vercel: For hosting and deployment
- Database providers: For data storage and management
Legal Requirements
We may share data if required by law, but we'll always try to notify you first (unless we're legally prevented from doing so). We're not fans of surprises either.
We employ a "defense in depth" strategy to protect your information. This means we use multiple layers of security controls throughout our systems.
Encryption
All data is encrypted in transit (using TLS 1.2 or higher) and at rest (using AES-256). Think of it as sending an armored truck inside another armored truck.
Access Controls
Strict least-privilege access controls ensure only authorized personnel can access your data on a need-to-know basis.
Security Training
Our team undergoes regular security and privacy training. We want our human firewall to be as strong as our digital one.
Incident Response
We have a formal incident response plan to act quickly and transparently in the event of a security issue.
In the unlikely event of a data breach that affects your personal information, we have a policy to notify you and the relevant authorities as required by law, without undue delay. Our priority is to protect your data and be transparent with you. We'll provide you with a description of the breach, the type of data involved, and the steps we're taking to mitigate its effects.
All our third-party service providers are vetted through a risk-based assessment process. We review their security and privacy practices to ensure they meet our standards before we entrust them with any data. We also have data processing agreements (DPAs) in place where required. A list of our key sub-processors is available upon request.
To improve our services, we may use artificial intelligence (AI) and machine learning (ML) technologies. Primarily, this involves analyzing usage data to identify trends, enhance features, and optimize performance. We are committed to transparency and will not use your personal data for automated decision-making that has a legal or similarly significant effect on you without your explicit consent. All AI/ML models are trained on anonymized or aggregated data where possible to protect your privacy.
Our systems and processes are designed with principles from leading security and privacy frameworks in mind, including SOC 2, ISO 27001, GDPR, and CCPA. While we may not hold formal certification for all frameworks at all times, our architecture is built to be compliant and auditable, ensuring a high standard of data protection and operational excellence. For payments, we utilize a fully PCI-DSS compliant third-party processor to handle cardholder data.
Certifications In Progress
We are actively working towards achieving SOC 2 Type II and ISO 27001 certifications. This demonstrates our ongoing investment in and commitment to enterprise-grade security and compliance. We expect to complete these audits in the near future and will update our customers on our progress.
We keep your data only as long as we need it to provide our service to you and for legitimate and essential business purposes, such as maintaining the performance of the service, making data-driven business decisions about new features, complying with our legal obligations, and resolving disputes.
Account Data
We keep your account data as long as your account is active. If you close your account, we will delete your personal information within a commercially reasonable timeframe (typically 90 days), unless we are required to retain it for legal reasons (like for tax or accounting purposes).
Usage Data
Anonymized usage data may be kept indefinitely for analytical purposes. We can't improve if we can't remember what worked!
Backup Lifecycle
Our systems are backed up regularly to prevent data loss. These backups are stored securely and are encrypted. Data in backups is retained for a maximum of 30 days, after which it is permanently deleted. If you request data deletion, your data will be removed from our live systems immediately and from our backups within 30 days as the backup cycle completes.
This Privacy Policy is a living document, reviewed at least annually and updated as needed to reflect changes in our practices or legal requirements. The version history is maintained internally. Our commitment to your privacy is ongoing.
Access
Request a copy of all the personal data we have about you.
Correction
Update or correct any inaccurate information in your account.
Deletion
Request deletion of your personal data (with some legal exceptions).
Portability
Export your data in a machine-readable format.
To exercise any of these rights, just reach out to us at [email protected]. We'll respond within 30 days (usually much faster).
If you are a resident of the European Economic Area (EEA) or California, you have certain data protection rights. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
- The right to be informed: That's what this privacy policy is for!
- The right to object to processing: You can object to us processing your data for marketing purposes.
- The right to restrict processing: You can ask us to "freeze" your data.
- Rights in relation to automated decision making and profiling: We don't currently do this, but if we did, you'd have rights. We prefer human intelligence (and humor).
For our California users, we do not "sell" your personal information as defined by the CCPA. We are not in the business of selling data. We're in the business of building great software.
Depending on the situation, we act as either a "data controller" or a "data processor". This distinction is important for understanding our obligations and your rights.
- We are the Data Controller of your account information (e.g., your name, email address, billing info). This is data that we collect from you to provide our service and manage our relationship with you.
- We are the Data Processor of the content you create, upload, or manage using our services (e.g., customer data you input into the platform). You are the data controller for this data, and we process it on your behalf according to your instructions. Our Data Processing Addendum (DPA) further details these responsibilities.
For users in the EEA, we process your personal data under the following lawful bases:
- Consent: We may process your data if you have given us specific consent to use your personal information for a specific purpose.
- Contractual Necessity: We process your data to fulfill our contractual obligations to you (i.e., to provide the service you signed up for).
- Legitimate Interests: We may process your data when it is reasonably necessary to achieve our legitimate business interests, such as improving our service, marketing, or for security purposes.
- Legal Obligation: We may process your data where we are legally required to do so in order to comply with applicable law.
To exercise any of your data protection rights, please email our Data Protection Officer at [email protected]. To protect your privacy and security, we may require you to verify your identity before processing your request. This may involve asking you to provide information that we can match with our existing records. We will respond to all valid requests within the timeframe required by law (typically 30 days).
We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. You can control cookie settings through your browser.
Cookie Consent Controls
When you first visit our site, you will see a cookie banner that allows you to provide, manage, and withdraw your consent for different categories of cookies. You can change your preferences at any time by clicking the "Manage Cookies" link in our website footer. We respect your choices, and necessary cookies will be used to remember your consent preferences.
Types of Cookies We Use:
- Strictly Necessary Cookies: These are essential for you to browse the website and use its features, such as accessing secure areas of the site. They must be present for the Service to function.
- Performance Cookies: Also known as Analytics Cookies, these collect information about how you use our Service, like which pages you visited and which links you clicked on. This data is aggregated and anonymized and is used only to improve how our Service works.
- Functionality Cookies: These cookies allow our Service to remember choices you have made in the past, like what language you prefer or your user name and password for automatic login.
- Marketing Cookies: These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers.
We're based in the United States, but our service providers may be located in other countries. We ensure that any international transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland comply with applicable data protection laws. We rely on the following safeguards for such transfers:
- Standard Contractual Clauses (SCCs): We use SCCs as approved by the European Commission for data transfers to third countries without an adequate level of data protection.
- Data Privacy Framework (DPF): For transfers to US-based service providers, we verify if they are certified under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework, which provides a lawful basis for these transfers.
These measures ensure that your data is protected with the same high standards, no matter where it is processed.
Our service is not intended for children under 13 years of age. We don't knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
We may update this privacy policy from time to time. We'll notify you of any material changes by posting the new policy on this page, updating the "Last Updated" date, and/or sending you an email notification. Your continued use of our service after any changes constitutes acceptance of the new policy.
Some web browsers may transmit "Do Not Track" (DNT) signals. At present, there is no industry standard for recognizing or responding to DNT signals, so like most services, we do not currently alter our practices when we receive a DNT signal. We will continue to monitor the development of DNT standards.
For any questions, concerns, or requests related to your privacy, please don't hesitate to reach out. Our Data Protection Officer is your dedicated point of contact.
Email: [email protected]
Mailing Address: For formal notices, a physical mailing address can be provided upon request by contacting our DPO.
Response Time: We aim to respond to all privacy inquiries within 48 hours.
Still Have Questions?
We're committed to transparency and protecting your privacy. Don't hesitate to reach out if you need clarification on anything.