Privacy Policy

Last updated: May 1, 2026

This Privacy Policy explains what personal data Supoid ("we", "us") collects, how we use it, and what rights you have. We designed Supoid to collect the minimum needed to run the service. If anything here is unclear, email privacy@supoid.com.

1. Who we are

Supoid is operated by an independent founder. Until a legal entity is incorporated, the service is provided as a sole proprietorship. This section will be updated with the company name and registered address once incorporation completes.

Contact for privacy matters: privacy@supoid.com.

2. What data we collect

Account data

  • Email address (required for sign-up)
  • Display name and profile image (optional)
  • Password — stored as an Argon2id hash, never plaintext
  • OAuth identifiers if you sign in with Google or GitHub
  • Two-factor authentication secrets (encrypted at rest)

Workspace data

  • Workspace name, slug, logo, primary color
  • Member list and roles
  • Custom domain (if configured)
  • Billing plan + Polar customer/subscription identifiers

Feedback data

  • Feedback titles, bodies, votes, comments
  • End-user data submitted through your public board: optional name and email if the visitor chooses to provide them
  • AI-derived metadata: embeddings, cluster summaries, sentiment, and categories

Usage data

  • Server logs (request URL, status, latency, hashed IP fingerprint)
  • Audit log entries for security-sensitive actions (sign-in, key generation, member changes)
  • Analytics events if you have not opted out via the cookie banner

Payment data

All payments are processed by Polar.sh as the merchant of record. We never see or store your card number, CVV, or full billing address. We receive only customer/subscription identifiers and high-level metadata (plan, currency, status).

What we do NOT collect

  • Raw IP addresses (we store HMAC fingerprints only)
  • Browser fingerprints / cross-site identifiers
  • Advertising profiles
  • Card numbers (handled by Polar)

3. How we use it

  • To operate the service (authentication, workspaces, billing)
  • To group similar feedback via AI clustering
  • To send transactional and lifecycle email (verification, magic links, status notifications, billing receipts)
  • To detect abuse and enforce rate limits
  • To audit security-sensitive actions
  • To improve the product through opt-in product analytics

4. Legal basis (GDPR Art. 6)

  • Contract — to provide the service you signed up for
  • Legitimate interest — security, abuse prevention, basic operational logging
  • Consent — analytics cookies (revocable any time)
  • Legal obligation — invoice records, breach notifications

5. Subprocessors

We rely on the following processors to run Supoid. Each has a Data Processing Addendum in place with us. We notify you here before adding a new subprocessor.

  • Vercel (USA / EU) — application hosting and edge delivery
  • Supabase (EU — Frankfurt) — Postgres database, object storage
  • OpenRouter + Anthropic + OpenAI (USA) — AI inference for clustering, summaries, embeddings
  • Polar.sh (USA) — billing, merchant of record
  • MailerSend (EU) — transactional email
  • Postmark (USA) — inbound email parsing (planned)
  • Upstash (EU — Frankfurt) — Redis for rate limiting and cache
  • Inngest (USA) — background job orchestration
  • Sentry (USA / EU region) — error tracking
  • PostHog (EU — Frankfurt) — product analytics (opt-in)

6. International data transfers

Workspace and feedback data lives in the EU (Frankfurt) by default. Some processors (Vercel, Polar, OpenAI, Anthropic, Sentry) operate from the United States. Transfers rely on Standard Contractual Clauses (SCC) and, where applicable, the EU-US Data Privacy Framework.

7. Retention

  • Account data — kept until you delete the account. After deletion, a 30-day grace window applies, then hard delete.
  • Workspace + feedback data — kept until the workspace is deleted, then 30-day grace, then hard delete.
  • Audit log — 90 days on Free, 1 year on Growth, unlimited on Business.
  • Server logs — 30 days, IP fingerprints only
  • Backups — daily snapshots, 7-day rotation

8. Your rights (GDPR / KVKK)

You can:

  • Access what we hold — Settings → Account → Export my data
  • Rectify — edit your profile any time
  • Erase (right to be forgotten) — Settings → Account → Delete account
  • Port — the data export is machine-readable JSON
  • Object to processing — opt out of analytics in Settings or via the cookie banner
  • Withdraw consent any time
  • Lodge a complaint with your local supervisory authority. In Türkiye that is the Kişisel Verileri Koruma Kurumu; in the EU it is your national DPA.

To exercise any of these rights, email privacy@supoid.com. We respond within 30 days (often the same day).

9. Children

Supoid is not intended for children. You must be at least 13 years old to use the service (16 in the European Economic Area). We do not knowingly collect data from anyone below those ages. If you believe a minor has signed up, email us and we will delete the account.

10. Cookies

See our Cookie Policy for the full list. In short: we set strictly necessary cookies for sessions and CSRF; we set analytics cookies only with your consent.

11. Security

See our Security page for technical detail: TLS 1.3, AES-256-GCM at rest for sensitive fields, Argon2id password hashing, RLS on every user-data table, daily backups, audit logging.

12. Changes

We will update this policy when we add subprocessors, change retention windows, or materially alter how we process data. Material changes trigger an email to active workspace owners 14 days before they take effect. The "last updated" date at the top reflects the most recent revision.

13. Contact

Privacy: privacy@supoid.com
Security: security@supoid.com
General: hello@supoid.com
