Privacy Policy

Effective Date: June 27, 2026

1. Scope

This Privacy Policy describes how SupaGamma ("the Company") collects, uses, discloses, stores, retains, and protects personal information in connection with the Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

The Company may collect the following categories of information:

2.1 Account Information

  • Email address
  • Account identifiers
  • Authentication-related information
  • Support communications

2.2 Usage and Technical Information

  • API requests, timestamps, download volume, and request frequency
  • IP address, browser type, device information, and operating system information
  • Session information, referrer information, and log data
  • Error data, performance and diagnostic data

2.3 Billing and Transaction Information

  • Billing metadata and transaction records
  • Payment status, invoices, and charge history
  • Tax-related information
  • Limited payment-related information processed by third-party payment providers

The Company does not intentionally store full payment card numbers or comparable sensitive payment credentials on its own systems, although such information may be collected, stored, or processed by third-party payment providers.

2.4 Cookie, Tracking, and Advertising Information

The Service may use cookies, pixels, tags, SDKs, local storage, and similar technologies for operational, analytical, security, and marketing purposes. Such technologies may collect or enable collection of:

  • Identifiers
  • Usage behavior and page views
  • Clickstream activity and session data
  • Device identifiers and advertising identifiers
  • Cross-site or cross-device tracking signals, where enabled

3. How We Use Information

The Company may use information for the following purposes:

  • To create, administer, and maintain accounts
  • To authenticate users
  • To issue, manage, and revoke API keys
  • To provide, deliver, and operate the Service
  • To meter usage and calculate charges
  • To process payments and maintain billing records
  • To detect, prevent, investigate, and respond to fraud, abuse, security incidents, and unauthorized access
  • To enforce the Terms of Service
  • To maintain, test, secure, monitor, improve, and troubleshoot the Service
  • To analyze usage trends and performance
  • To comply with applicable legal, regulatory, tax, accounting, and contractual obligations
  • To communicate with users regarding transactional, operational, security, support, and administrative matters

4. How We Disclose Information

4.1 Service Providers and Vendors

The Company may disclose information to vendors, processors, contractors, and service providers that perform functions on its behalf, including authentication, payment processing, analytics, hosting, security, communications, logging, monitoring, support, and related operational services.

4.2 Legal and Compliance Disclosures

The Company may disclose information when it believes in good faith that such disclosure is necessary or appropriate to:

  • Comply with law, regulation, subpoena, court order, or other legal process
  • Respond to lawful requests by public authorities
  • Enforce the Company's rights, remedies, and agreements
  • Protect the safety, rights, property, or security of the Company, users, or others
  • Detect, prevent, or address fraud, abuse, security issues, or technical issues

4.3 Business Transfers

The Company may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, receivership, or other corporate transaction.

4.4 Aggregate or De-Identified Information

The Company may disclose aggregated, de-identified, or anonymized information for lawful business purposes.

5. Third-Party Services

The Service may integrate with or rely upon third-party services, including authentication providers, payment processors, infrastructure vendors, analytics providers, and advertising or tracking technologies.

Third parties may independently collect, receive, or process information in connection with their services and may be governed by their own terms, privacy policies, and practices. The Company does not control and is not responsible for the acts, omissions, security, or privacy practices of any third party.

6. Data Storage and Security

Information may be stored and processed by the Company and its service providers using cloud-based, distributed, or other electronic systems.

The Company implements commercially reasonable administrative, technical, and physical safeguards designed to protect information. However, no security measure is perfect, no system is impenetrable, and the Company cannot guarantee absolute security.

You acknowledge that information transmitted over the internet or stored electronically may be subject to interception, loss, misuse, unauthorized access, alteration, or disclosure despite safeguards.

7. Data Retention

The Company may retain information for as long as reasonably necessary to:

  • Provide the Service
  • Maintain business records
  • Support billing and metering
  • Detect and prevent fraud or abuse
  • Comply with legal, regulatory, tax, accounting, and contractual obligations
  • Resolve disputes and enforce agreements
  • Protect the rights, property, security, and legitimate interests of the Company and others

Retention periods may vary based on the nature of the data, the purposes for which it is used, and the Company's legal obligations. Indicative periods include:

  • Billing and transaction records: up to 7 years, consistent with tax and accounting obligations.
  • Error and diagnostic logs: approximately 90 days.
  • Product-analytics data: up to 12 months for session recordings; aggregated event data may be retained longer.
  • Security audit log: up to 6 years.
  • Account data: deleted or anonymized upon a confirmed deletion request. Transaction records are anonymized and retained for tax purposes, unlinked from your identity.

8. Your Rights and Choices

Subject to applicable law, you may have the right to request access to, correction of, deletion of, or restriction of certain personal information, and to object to or withdraw consent from certain processing activities.

You may also be able to manage or disable cookies and other tracking technologies through your browser settings or device settings. Disabling certain technologies may impair or limit functionality of the Service.

To exercise applicable privacy rights, contact the Company using the information in Section 12.

9. Children's Privacy

The Service is not directed to, and is not intended for use by, individuals under the age of 18. The Company does not knowingly collect personal information from individuals under 18. If the Company learns that it has collected personal information from a minor in violation of this Section, it may delete such information in accordance with applicable law.

10. International Users

The Company may process information in jurisdictions other than the jurisdiction in which you reside. By using the Service, you understand and acknowledge that your information may be transferred to, stored in, and processed in jurisdictions that may have different data protection laws than those of your home jurisdiction.

11. Changes to This Privacy Policy

The Company may revise this Privacy Policy at any time in its sole discretion. Any revised version will be posted on the Service and will be effective on the date stated therein, or upon posting if no effective date is specified. Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acceptance of the revised Privacy Policy.

12. Contact

Questions, complaints, or requests regarding this Privacy Policy should be directed to: privacy@supagamma.com

13. Subprocessors

The Company uses the following third-party service providers to operate the Service. Each processes a limited subset of personal information for the purpose listed.

Provider | Purpose | Region
Supabase | Account auth, application database | India (ap-south-1)
Railway | API hosting, background workers | US
Vercel | Website hosting, analytics, speed insights | US (global edge)
Cloudflare R2 | Bulk data storage for downloads | Global
Paddle | Payment processing, tax compliance (Merchant of Record) | UK / Global
Resend | Transactional email (account, billing, support) | US
Sentry | Error reporting and uptime monitoring | EU
PostHog | Product analytics, session replay (when consented) | EU
Intercom | Live chat widget (when consented) | US
Alchemy | Polygon blockchain RPC (no end-user PII) | US

This list is current as of the Effective Date above. Material additions will be reflected in a future revision of this Privacy Policy.

Paddle acts as the Merchant of Record and an independent controller for payment data, not as the Company's processor.

14. Cookies and Tracking Technologies

The Service uses cookies and similar technologies in three categories. Essential cookies are always active because the Service cannot operate without them. Analytics and Functional cookies are off by default and only run after you opt in through the consent banner shown on first visit. You can change your choices at any time by clicking Cookie preferences or Do Not Sell or Share in the site footer.

  • Essential — account session (Supabase), shopping cart and theme (local storage), CSRF tokens. Legal basis: performance of a contract.
  • Analytics & performance — PostHog (page views, identify on login, masked session replay), Vercel Analytics, Vercel Speed Insights, Sentry (error reports with IP). Legal basis: consent.
  • Functional — Intercom live chat widget (loads only after opt-in; Intercom receives your IP and chat content when used). Legal basis: consent.

15. Your Rights — EEA & United Kingdom (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention obligations.
  • Restriction — limit how we process your data in specific circumstances.
  • Portability — receive your data in a structured, machine-readable format and transmit it to another controller.
  • Objection — object to processing based on legitimate interests, including profiling and direct marketing.
  • Withdraw consent at any time where processing is based on consent (this does not affect the lawfulness of processing prior to withdrawal).
  • Lodge a complaint with your local data protection supervisory authority — for example, the Irish Data Protection Commission (Ireland), CNIL (France), BfDI (Germany), or the ICO (United Kingdom).

How to exercise these rights: use the self-serve tools in your account settings, or email privacy@supagamma.com. We respond within 30 days (extensions of up to 60 additional days are permitted for complex requests, in which case we will inform you of the delay and reason).

Legal basis for processing: we rely on (a) performance of a contract to provide the Service to you, (b) legal obligation for tax, billing, and accounting records, (c) legitimate interest for fraud prevention, security, and product improvement, and (d) consent for analytics, marketing, and the live chat widget.

International transfers: some of our subprocessors are located outside the EEA / UK — notably Supabase in India and Vercel, Railway, Resend, Intercom, and Alchemy in the United States. Where personal data is transferred outside the EEA / UK, and the destination country does not benefit from an EU adequacy decision (this includes both India and the United States), we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) to provide appropriate safeguards.

16. Your Rights — California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the following rights:

  • Right to know what personal information we collect, the categories of sources, the business or commercial purposes, and the categories of third parties with whom we share it.
  • Right to delete personal information we have collected about you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the "sale" or "sharing" of personal information. The Company does not sell personal information for money. However, our use of analytics and live chat providers may constitute "sharing" for cross-context behavioral advertising under the CPRA's broad definitions. You can opt out at any time by clicking Do Not Sell or Share in the site footer or by disabling Analytics and Functional cookies in your Cookie preferences.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that trigger this right.
  • Right to non-discrimination — exercising any of these rights will not result in denied service, different prices, or reduced quality.

Categories of personal information collected in the past 12 months: identifiers (email, account ID, IP address), commercial information (purchase history, credits), internet activity (page views, API calls, error reports), and inferences drawn from the foregoing (product engagement signals).

How to exercise these rights: email privacy@supagamma.com or use the self-serve tools in your account settings. We verify your identity using the email address on file and respond within 45 days (with a single 45-day extension available for complex requests). You may designate an authorized agent to submit a request on your behalf; the agent must provide written authorization signed by you.