Draft — pending legal review. This page describes how PacketProof handles personal data in plain language while we finalise our binding privacy policy.

Privacy summary

Data we collect

  • Account data — email, name, hashed password (managed by Supabase Auth).
  • Workspace content — evidence titles, descriptions, files you upload, framework links, questionnaires, answers, audit log rows.
  • Billing data — Stripe customer and subscription identifiers. Card data never touches PacketProof.
  • Operational logs — server logs from Vercel; minimal request metadata.

How we use it

  • To run the product features you sign up for.
  • To send transactional email (invites, password reset, optional digests).
  • To process payment via Stripe.
  • To diagnose bugs and security incidents.

We never sell personal data and we never use it to train third-party AI models. AI generation sends only the following to the configured AI provider: the question text, the cited evidence IDs and titles, a description of up to 600 characters per item, and, for text-format evidence only (plain text, Markdown, CSV, JSON), a single extracted-text excerpt of up to 1 500 characters. Raw evidence files, source URLs, and storage filenames are never sent.

Subprocessors

See /subprocessors for the canonical list.

Retention

  • Workspace content stays until the workspace is deleted.
  • Audit log rows are append-only; we keep them for the lifetime of the workspace.
  • Backups are kept for 30 days by Supabase.

Your rights (GDPR)

Email support@packetproof.io for access / export / deletion requests. We respond within five working days.

PacketProof is a preparation tool. This page is a draft summary, not a binding privacy notice.