Privacy Policy

How Supercase collects, uses, and protects information about you — including GDPR and CCPA rights.

Last updated April 20, 2026

This Privacy Policy describes how Supercase (“Company”, “we”, or “us”) collects, uses, and protects information about you when you use our software-as-a-service platform (the “Service”). It applies to all users of Supercase and should be read alongside our Terms of Service.

Information we collect

Information you provide

We collect information you provide directly to us:

  • Account information (name, email address, organization details)
  • Payment information (processed securely through third-party providers)
  • Content you create or upload (business cases, proposals, templates)
  • Communication data (support requests, feedback)
  • Usage data (features used, time spent, frequency of use)

Information collected automatically

We automatically collect certain information when you use our Service:

  • Device information (IP address, browser type, operating system)
  • Usage analytics (pages visited, features used, session duration)
  • Log data (access times, error logs, performance metrics)

How we use information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process transactions and manage your account
  • Send you technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyze usage patterns and trends
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

Sharing and disclosure

We do not sell, trade, or rent your personal information. We may share your information in the following circumstances:

  • Service providers (subprocessors): With trusted third-party vendors who assist us in operating the Service. A current list is available at /legal/subprocessors.
  • Legal requirements: When required by law or to protect our rights and safety.
  • Business transfers: In connection with a merger, acquisition, or sale of assets.
  • Consent: With your explicit consent for specific purposes.

Data security

We protect your information with technical and organizational measures, including TLS 1.2+ encryption in transit and AES-256 encryption at rest. Customer data is isolated at the database layer through row-level security policies keyed to your organization. Secrets are stored in our hosting provider’s encrypted secret store, never in source control, and all production changes are reviewed before merge.

A fuller description of our security posture — including authentication, application security, logging, and incident response — is available at supercase.ai/legal/security.

Data retention

We retain your information for as long as your account is active or as needed to provide the Service. We may retain certain information for legitimate business purposes or as required by law, even after account termination.

Your rights and choices

Depending on your location, you may have the following rights:

  • Access: Request access to your personal information.
  • Correction: Request correction of inaccurate information.
  • Deletion: Request deletion of your personal information.
  • Portability: Request a copy of your data in a portable format.
  • Restriction: Request restriction of processing.
  • Objection: Object to certain types of processing.

To exercise these rights, please contact us at hello@supercase.ai.

Cookies and tracking

We use cookies and similar technologies to enhance your experience, analyze usage patterns, and personalize content. You can control cookie settings through your browser preferences, though some features may not function properly if cookies are disabled.

International data transfers

Your information may be transferred to and processed in countries other than your own, including through our subprocessors. We rely on the safeguards offered by those subprocessors, which include standard contractual clauses and adequacy-decision arrangements where applicable.

Children's privacy

Our Service is intended for business use by adults. It is not directed to children, and we do not knowingly collect personal information from children under 13 in the United States or under 16 in the European Economic Area and the United Kingdom. If we become aware that we have collected personal information from a child below the applicable age without verified parental consent, we will take steps to delete that information promptly. Parents or guardians who believe we may have collected information from a child may contact us at hello@supercase.ai.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the “Last updated” date. We encourage you to review this policy periodically.


Regional addenda

GDPR compliance (EEA and UK users)

Data controller

Supercase acts as the data controller for personal information collected through our Service. Questions about our data practices, or requests relating to your rights as a data subject, can be sent to hello@supercase.ai.

Lawful basis for processing

We process personal data based on the following lawful grounds:

  • Contract performance: To provide and maintain the Service.
  • Legitimate interests: For service improvement, security, and analytics.
  • Consent: For marketing communications and optional features.
  • Legal obligation: To comply with applicable laws and regulations.

Data subject rights under GDPR

EU and UK residents have the following rights:

  • Right of Access (Article 15): Obtain confirmation of processing and access to your data
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Request deletion of your data
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive your data in a structured format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making (Article 22): Human review of automated decisions

Breach notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33 and 34.

CCPA compliance (California residents)

California consumer rights

California residents have the following rights under the California Consumer Privacy Act:

  • Right to Know: Know what personal information is collected and how it’s used
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information
  • Right to Non-Discrimination: Equal service and pricing regardless of privacy choices
  • Right to Correct: Request correction of inaccurate personal information

Categories of personal information collected

We collect the following categories of personal information:

  • Identifiers (name, email address, account information)
  • Commercial information (purchase history, usage data)
  • Internet activity (browsing history, device information)
  • Professional information (job title, organization details)

Do not sell my personal information

We do not sell personal information to third parties. If this policy changes in the future, we will update this notice and provide you with the opportunity to opt out.

Exercising your rights

To exercise your CCPA rights, please contact us at hello@supercase.ai. We will respond to your request within 45 days and may require verification of your identity.

Questions about this document?

Email hello@supercase.ai. For enterprise customers, we also offer a data processing addendum.