Privacy Policy

Last updated: February 6, 2026

1. Introduction

Supp ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Supp platform ("Service").

This policy applies to all users: organization administrators and agents who manage the dashboard, and end-customers who interact with Supp-powered widgets.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Display name
  • Organization name
  • Password (stored as a cryptographic hash, never in plain text)

2.2 Conversation Data

When end-customers use Supp-powered widgets, we process the messages they submit for intent classification. This data is stored in your organization's workspace and is accessible only to your authorized team members.

2.3 Usage and Analytics Data

We collect anonymized usage data including:

  • Classification counts and response times
  • Feature usage patterns within the dashboard
  • Rate-limiting data using privacy-safe fingerprints (SHA-256 hashed IP + truncated User-Agent, not raw IP addresses)

2.4 Billing Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials. We retain only Stripe customer and subscription identifiers necessary to manage your billing.

2.5 Cookies

We use strictly necessary cookies for session management and rate-limiting. We do not use advertising or tracking cookies. Cookies we set include:

  • supabase-auth-token: Authentication session cookie
  • demo_used / preview_week_count: Rate-limiting cookies for demo and preview features

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Classify customer support messages using our AI model
  • Process billing and manage your credit balance
  • Send transactional emails (account verification, billing receipts, refund updates)
  • Enforce rate limits and prevent abuse
  • Generate anonymized analytics for your dashboard
  • Improve the accuracy of our classification model
  • Respond to support requests

4. Data Sharing and Disclosure

We do not sell your personal information. We share data only in the following circumstances:

  • Service providers: We use Supabase for database and authentication, and Stripe for payment processing. These providers are bound by their own privacy policies and data processing agreements.
  • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred as part of that transaction.
  • With your consent: We may share information with third parties when you explicitly authorize us to do so.

5. Data Security

We implement industry-standard security measures to protect your data:

  • All data in transit is encrypted via TLS 1.2+
  • API keys are encrypted at rest using AES-256-GCM
  • Row Level Security (RLS) enforces strict data isolation between organizations
  • Service role credentials are never exposed to the browser
  • Rate limiting, CSRF protection, and input sanitization on all endpoints
  • Regular security audits of the codebase and infrastructure

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Conversation data: Retained according to your organization's settings. You can delete conversations at any time from the dashboard.
  • Usage tracking (demo/preview): Anonymized rate-limiting records are automatically purged after 90 days.
  • Billing records: Retained as required by applicable tax and accounting laws (typically 7 years).
  • Refund requests: Retained indefinitely for audit and dispute resolution.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Portability: Request a machine-readable export of your data
  • Objection: Object to the processing of your data for specific purposes

To exercise these rights, contact us at privacy@supp.support. We will respond within 30 days.

8. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the dashboard at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: