Draft v1 — pending legal review
Placeholder working draft for pre-launch testing. The factual content below (vendors, data categories, retention) is accurate for the current build; legal language is pending counsel review.
Privacy Policy
Last reviewed: 2026-05-12 (draft pending legal review)
1. What we collect
- Account data: email, name, password hash, organization membership, role.
- Project content: the descriptions, task lists, comments, and files you create in the product.
- Usage signals: pages visited, feature interactions, error reports, anonymized performance telemetry.
- Billing data: handled by Stripe (we don’t see card numbers; we store your Stripe customer ID and subscription status).
2. How we use it
- Run the product: host your projects, send your notifications.
- Generate AI plans from your descriptions — your text is sent to the AI provider (see §4) and returned to you. Outputs are saved against your account.
- Improve the product using aggregated, anonymized signals — not your raw content. If we ever train a model on customer content, we’ll ask you first.
- Enforce usage limits, detect abuse, respond to security incidents.
- Send transactional email (verify, reset, important product notices).
3. Who sees it inside ChangePilot
Your project content is visible only to you and the teammates you invite. Within an organization, administrators can see their org’s projects per our role-based-access rules. ChangePilot staff access customer data only for support (at your request), security investigation, or legal compliance — and the access is logged.
4. Sub-processors (third-party vendors)
We use the following vendors to operate the Service:
- Supabase — authentication and database (PostgreSQL).
- Vercel — application hosting and CDN.
- Stripe — payment processing.
- Resend — transactional email delivery.
- Anthropic and Google — AI model providers that process the text you submit to the planner. They process content for us under enterprise data-processing terms and do not retain it for training.
- Sentry — error monitoring. Sensitive fields are scrubbed before reports are sent.
- Upstash — rate-limiting and caching.
5. Retention and deletion
We keep your data while your account is active. If you close your account, we retain your data for 30 days so you can recover it, then delete or anonymize it within 90 days except where a law requires longer retention (e.g. tax records).
Document imports — when you import past operational documents via /import, the default retention is permanent so we can re-extract new insights as our models improve. You can change this in Settings → Imports to 90 days / 6 months / 12 months / 24 months / extract-only (we delete the original once the import has been extracted and you’ve reviewed it). When a retention window passes, we automatically delete the original files; structure we’ve already extracted from them is kept. You can also delete any individual file or entire batch at any time. We never use imported documents to train AI models. See our security posture for the full data-handling commitments specific to imports.
6. Your rights
You can access, correct, export, or delete your personal data. Export your account data anytime from Settings → Data Export, or request any of the above via /contact and we’ll respond within 30 days.
If you’re in the EEA, UK, California, or another jurisdiction with specific privacy rights (GDPR, CCPA, etc.), those rights apply. The lawful bases we rely on are contract (to provide the Service) and legitimate interest (to operate and secure it).
7. Cookies and similar technologies
We use strictly necessary cookies for authentication and session management, and a small number of functional cookies for preferences (dark mode, feature-flag bypass for developers). We don’t use advertising cookies.
8. Security
Data in transit is encrypted with TLS. Data at rest is encrypted by our database and storage providers. Responsible-disclosure contact: see /contact.
9. Changes to this Policy
We may update this Policy as the Service evolves. If the change is material, we’ll notify you by email or in-product notice at least 14 days before it takes effect.
10. Contact
Questions or requests: /contact.