
Last updated: May 15, 2026

Privacy Policy

This Privacy Policy explains how {{LEGAL_NAME}} (CIN {{CIN}}, registered office at {{REGISTERED_ADDRESS}}) (“Supabrief”, “we”) collects, uses, discloses, and protects personal data when you use our Service at app.supabrief.com and supabrief.com.

We act as a Data Fiduciary under India's Digital Personal Data Protection Act 2023 (“DPDP Act”), a Data Controller under the EU and UK General Data Protection Regulation (“GDPR”), and a Business under the California Consumer Privacy Act / California Privacy Rights Act (“CCPA / CPRA”) for personal data of our users.

1. Personal data we collect

We collect the following categories of personal data:

  • Account data: name, email address, password (hashed), profile information you choose to provide.
  • Authentication metadata: sign-in timestamps, device user-agent, a SHA-256 hash of your IP address at signup (for abuse prevention — we do not store the raw IP).
  • Content you submit: the text, files, and integration data (Jira issues, Slack messages, GitHub repos, Gong call notes) you paste or import into the Service.
  • Generated output: briefs, battle cards, press releases, and other AI-generated documents the Service produces from your input.
  • Integration credentials: Slack webhooks, Jira tokens, and GitHub personal access tokens that you connect to import source material. These are encrypted at rest with AES-256-GCM.
  • Billing data: subscription tier, billing period, invoice history, GSTIN (if provided). We do not store payment card details — those are handled by Razorpay (PCI-DSS Level 1 certified).
  • Usage data: generation counts, feature usage, error logs, and anonymised performance metrics.

2. How we use your data

We process your personal data for the following purposes:

  • To provide the Service — processing your input through AI providers to generate output, storing your generations, sending generated content to integrations you have connected. Legal basis (GDPR): performance of contract.
  • To bill you — processing payments and issuing GST-compliant invoices. Legal basis: performance of contract; legal obligation (Companies Act §128, GST Act).
  • To prevent abuse — rate-limiting, hashed-IP throttling, fraud detection. Legal basis: legitimate interest in protecting the Service.
  • To send transactional emails — account confirmations, security alerts, billing notices, renewal reminders. Legal basis: performance of contract.
  • To send marketing emails — only if you separately opted in at signup. Legal basis: consent. You may withdraw consent at any time via the unsubscribe link or account settings.
  • To comply with legal obligations — tax, accounting, regulatory disclosures, lawful requests from government authorities.

3. AI processing and international transfers

Your input is sent to third-party AI providers (Anthropic Claude, OpenAI, and Google Gemini) for the sole purpose of generating output you requested. Their handling of your data is governed by their respective terms; we have selected providers whose API terms currently exclude API inputs from being used to train their models. The provider used depends on your plan and current capacity. See our Subprocessors list for the full breakdown.

Personal data may be transferred outside India and the European Economic Area to the following recipients: AWS (data hosting via Supabase, region {{SUPABASE_REGION}}), Vercel (application hosting, US), Stripe / Razorpay (payments, India + US), Anthropic (Claude API, US), Google (Gemini API, US), OpenAI (US). For GDPR transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021 Module 2). Under the DPDP Act, we transfer personal data only to countries that the Central Government has not restricted by notification.

4. Sharing with third parties (sub-processors)

We share personal data only with the sub-processors listed in our Subprocessor List, each of whom is bound by contract to process data only on our instructions and to maintain appropriate security. We do not sell your personal data, and we do not use it to train third-party AI models.

5. Retention

  • Account data: retained while your account is active and for 30 days after deletion, after which it is permanently erased (except where retention is required by law).
  • Generations and integration credentials: retained until you delete them or your account, then permanently erased within 30 days.
  • Billing records and tax invoices: retained for eight (8) years as required by Indian Companies Act §128 and GST Act §36.
  • Authentication logs: retained for 90 days then deleted.
  • IP-hash records (abuse prevention): retained for 90 days then deleted.

6. Your rights

Subject to applicable law, you have the following rights:

  • Access — request a copy of the personal data we hold about you. (DPDP §11; GDPR Art 15; CCPA right to know.)
  • Correction — ask us to correct inaccurate data. (DPDP §12; GDPR Art 16.)
  • Erasure / deletion — ask us to delete your data, subject to our retention obligations. (DPDP §12; GDPR Art 17; CCPA right to delete.)
  • Portability — receive your data in a structured, machine-readable format. (GDPR Art 20.)
  • Withdraw consent — for processing based on consent, withdraw at any time without affecting prior processing. (DPDP §6; GDPR Art 7.)
  • Object / restrict — object to processing based on legitimate interest or restrict certain processing. (GDPR Arts 18, 21.)
  • Opt out of sale or sharing — California residents can opt out at Do Not Sell or Share My Personal Information. (CPRA.)
  • Lodge a complaint — with your local data protection authority (e.g. the Data Protection Board of India, EU member state DPAs, the UK ICO, the California AG or CPPA).

To exercise any right, contact our Grievance Officer (see /grievance) or email {{GRIEVANCE_EMAIL}}. We will respond within thirty (30) days (DPDP §13; GDPR Art 12(3)).

7. Security

We implement administrative, technical, and physical safeguards including: TLS 1.2+ encryption in transit, AES-256-GCM encryption of stored credentials, Supabase managed Postgres with row-level security, principle-of-least-privilege access controls, and 72-hour breach notification commitments (DPDP §8(6); GDPR Art 33). See our Security page for detail.

8. Children's data

The Service is not intended for, and we do not knowingly collect personal data from, anyone under 18 years of age. If you believe a minor has provided us with personal data, contact the Grievance Officer for prompt deletion.

9. Cookies and tracking

We use strictly necessary cookies for authentication and CSRF protection. With your consent (collected via the cookie banner shown to EU/UK/CA visitors), we may also use analytics cookies. See our Cookie Policy for details.

10. Grievance Officer (DPDP Act §8(9))

In compliance with the DPDP Act and IT Rules 2021, we have appointed a Grievance Officer:

  • Name: {{GRIEVANCE_OFFICER_NAME}}
  • Email: {{GRIEVANCE_EMAIL}}
  • Postal address: {{REGISTERED_ADDRESS}}
  • Response timeline: within thirty (30) days of receipt

Full grievance procedure at /grievance.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email and/or in-app at least thirty (30) days before they take effect. The current version date is shown at the top of this page.

12. Contact

General questions: {{SUPPORT_EMAIL}}. Privacy / data-protection requests: Grievance Officer page or {{GRIEVANCE_EMAIL}}.

© 2026 Supabrief AI. All rights reserved.