Privacy Policy

SupaSec ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the SupaSec platform ("Service").

SupaSec acts as the data controller for the personal data processed through the Service. This policy applies to all users regardless of location, with additional provisions for users in the European Union / European Economic Area (GDPR) and Brazil (LGPD).

We collect the following categories of data:

Account Information

• Name, email address, and phone number provided during registration
• Authentication credentials (managed via Supabase Auth)
• Subscription tier and billing information (processed by Stripe)

WhatsApp Messages & Media

• Text messages from groups and direct conversations accessible via your linked device
• Media files (images, audio, video, documents) shared in conversations
• Message metadata (timestamps, sender identifiers, group identifiers)

OAuth Connector Data

• Access and refresh tokens for Google and Microsoft services
• Calendar events, email metadata, and file references accessed through connectors

Usage & Analytics Data

• Dashboard usage patterns and feature interactions
• Error logs and performance metrics
• IP address and approximate geolocation (country-level, for locale detection)

Cookies

• locale — First-party functional cookie storing your language preference (1 year)
• ip-country — First-party functional cookie storing your detected country code for locale and GDPR detection (30 days)

We process your data for the following purposes:

• Service delivery: Processing WhatsApp messages to provide AI-powered assistance, scheduling, and commitment tracking
• Memory building: Creating semantic episodes, entities, and relationships from your conversations to provide contextual assistance
• Skill execution: Executing skills such as meeting scheduling, image analysis, and commitment tracking on your behalf
• AI processing: Generating AI responses and suggestions using anonymized context sent to language model providers
• Communication: Sending account-related notifications, security alerts, and service updates
• Service improvement: Analyzing usage patterns to improve features and fix issues

For users in the EU/EEA, we process your personal data under the following legal bases (Article 6 GDPR):

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you subscribed to, including message handling, memory building, and skill execution
• Legitimate interests (Art. 6(1)(f)): Service security, fraud prevention, usage analytics for service improvement, and enforcing our terms. We balance these interests against your rights and freedoms
• Consent (Art. 6(1)(a)): Where required, such as for optional features, marketing communications, or processing specific categories of data. You may withdraw consent at any time

For users in Brazil, we process your personal data under the following legal bases (Article 7 LGPD):

• Contract performance (Art. 7, V): Processing necessary to fulfill the service agreement
• Legitimate interest (Art. 7, IX): Service security, improvement, and analytics, conducted with respect to your fundamental rights
• Consent (Art. 7, I): For optional processing activities. Consent may be revoked at any time without affecting the lawfulness of processing based on consent before its withdrawal

When you link your WhatsApp account, SupaSec passively listens to all conversations accessible through the linked device. Here is how we handle your messages:

• Encryption at ingestion: Messages are encrypted with your personal AES-256-GCM key immediately upon receipt, before storage. Plaintext message content is never stored in the database
• Per-user isolation: Each user's data is processed in an isolated sandbox. Your encryption keys are unique to your account
• Anonymization before AI processing: Before any message content is sent to external AI providers, personal identifiers (names, phone numbers, locations) are replaced with anonymous placeholders. Results are de-anonymized only within your encrypted sandbox
• No human access: SupaSec staff do not have access to your decrypted message content. All processing is automated
• Group messages: Group messages are stored passively for context building only. SupaSec does not respond in groups unless explicitly invoked

We implement a zero-trust security architecture to protect your data:

• Per-user encryption keys: Each user has a unique master key derived via HKDF, with separate sub-keys for messages, episodes, entities, and OAuth tokens
• AES-256-GCM encryption: All sensitive content is encrypted with AES-256-GCM, an authenticated encryption algorithm that provides both confidentiality and integrity
• Scoped database roles: Different services access only the database tables they need. No single service has full database access
• Encrypted media storage: Media files are encrypted with your personal key before storage in Cloudflare R2
• Service-to-service authentication: Internal communications use HMAC-SHA256 signed tokens with short expiry
• Audit logging: Security-relevant events (auth failures, service access) are logged for monitoring

We use the following third-party processors to deliver the Service. All processors are bound by data processing agreements:

Data sent to AI providers (OpenAI, Moonshot) is anonymized before transmission. These providers do not receive identifiable personal data.

Your data may be transferred to and processed in countries outside your country of residence. When we transfer personal data from the EU/EEA or Brazil to third countries, we rely on:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms ensuring adequate data protection
• Adequacy decisions: Transfers to countries recognized by the European Commission as providing adequate data protection
• Supplementary measures: Technical safeguards including encryption at rest and in transit, pseudonymization, and access controls

For users registered in the European Union or European Economic Area, we store primary database data in Supabase's EU region to minimize cross-border data transfers. Certain processing (e.g., AI model inference, CDN caching) may occur in other regions but is protected by the safeguards described in Section 9.

• Active accounts: Your data is retained for as long as your account remains active and is necessary to provide the Service
• Post-cancellation: Upon account cancellation, your data is retained for 30 days to allow for account recovery. After 30 days, all personal data is permanently deleted
• Billing records: Payment and invoice records may be retained for the period required by applicable tax and accounting regulations
• Security audit logs: Retained for 90 days, then automatically purged

If you are located in the EU/EEA, you have the following rights under Articles 15–22 of the GDPR:

• Right of access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to restriction (Art. 18): Request that we limit the processing of your personal data
• Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right regarding automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce legal effects
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent
• Right to lodge a complaint: File a complaint with your local supervisory authority

To exercise any of these rights, contact our Data Protection Officer (see Section 16).

If you are located in Brazil, you have the following rights under Articles 18–19 of the LGPD:

• Confirmation of processing (Art. 18, I): Confirm whether we process your personal data
• Access (Art. 18, II): Access your personal data held by us
• Correction (Art. 18, III): Request correction of incomplete, inaccurate, or outdated data
• Anonymization, blocking, or deletion (Art. 18, IV): Request anonymization, blocking, or deletion of unnecessary or excessive data
• Data portability (Art. 18, V): Request portability of your data to another service provider
• Information about sharing (Art. 18, VII): Know which public and private entities your data has been shared with
• Revocation of consent (Art. 18, IX): Revoke consent at any time
• Contact ANPD: File a complaint with the Autoridade Nacional de Proteção de Dados (ANPD)

To exercise any of these rights, contact our Encarregado de Dados (see Section 16).

SupaSec uses only first-party functional cookies. We do not use advertising cookies, third-party analytics cookies, or tracking pixels.

Because we use only strictly necessary / functional cookies, no cookie consent banner is required under GDPR or LGPD.

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us immediately.

Our Data Protection Officer (DPO) / Encarregado de Dados can be reached at:

• Email: Click to reveal email

We will respond to all data protection inquiries within 30 days of receipt. For GDPR requests, we will respond within 1 month as required by Article 12(3).

We may update this Privacy Policy from time to time. When we make material changes, we will provide at least 30 days' advance notice via email or a prominent notice on the dashboard before the changes take effect.

We encourage you to review this policy periodically. Your continued use of the Service after the updated policy becomes effective constitutes your acceptance of the changes.

If you have any questions about this Privacy Policy, please contact us:

• General inquiries: hello@supasec.bot
• Privacy inquiries: Click to reveal email
• Website: https://supasec.bot