Pending counsel review. This page is placeholder copy drafted by AI and has not been reviewed by a licensed attorney. It is not legal advice. Final version will replace this content before general availability.

Privacy Policy

Last updated: 2026-05-14 · Effective date: 2026-05-14

1. What we collect

When you use Business Ops Toolkit, we collect and store the following:

Account data: email address, hashed password, authentication tokens, workspace identifier.
Profile data: name, company, role, and onboarding answers you provide.
OAuth tokens: access/refresh tokens for the third-party services you connect (Google, Slack, Stripe, Meta, LinkedIn, and others). Tokens are encrypted at rest using a master key (OAUTH_MASTER_KEY) that is separate from your data.
Product usage: AI prompt inputs, AI outputs, content drafts, memories, projects, contacts, time entries, and other content you create inside the product.
Operational logs: request metadata, error reports, and audit events needed to operate the service.

2. How we store it

User data is stored in Supabase (PostgreSQL) with row-level security so your workspace data is not accessible to other customers. OAuth tokens are additionally encrypted at rest. Backups are taken on a rolling schedule and retained for operational recovery.

3. Third-party sub-processors

To deliver the product we share the minimum data needed with the following processors:

OpenRouter, HuggingFace: AI model inference -- receives your prompt inputs.
Stripe: billing and subscription management -- receives billing details.
Sentry: error monitoring -- receives error metadata and stack traces (flag-gated, see cookie notice).
OAuth connectors (27+ providers): receive tokens you explicitly authorize; each provider governs its own data use.
Vercel: hosting and edge delivery.
Supabase: database and authentication.

4. Data retention

We keep your account data for as long as your account is active. When you delete your account, we delete your data within 30 days except where we are required to retain it for legal, billing, or audit reasons. You can request an export or deletion of your data at any time (see Section 6).

5. Encryption and security

Data is encrypted in transit (TLS 1.2+) and at rest. OAuth tokens get an additional layer of encryption using a separate master key. We follow industry-standard practices for key rotation, access logging, and incident response, though no system is perfectly secure.

6. Your rights

Depending on where you live, you have the right to:

Access the personal data we hold about you.
Delete your account and associated data.
Export your data in a portable format.
Correct inaccurate information.
Opt out of non-essential processing (analytics, error reporting).

To exercise any of these rights, email us using the contact below.

7. Children's privacy

Business Ops Toolkit is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will remove the account.

8. AI prompt and output handling

Prompt inputs are sent to the AI provider you have configured (OpenRouter or HuggingFace) and may be retained by those providers according to their own policies. We do not use your prompts or outputs to train our own models. Outputs are stored in your workspace only.

9. Changes to this policy

We will post material changes to this policy on this page and update the "Last updated" date. For significant changes, we will email active account holders.

Contact
Questions about privacy? Email brandon@bpocm.com.