HubVanta Privacy Policy

We follow a “minimum viable data” principle. We only collect information needed to enable accounts, improve features, or meet legal obligations. This typically includes the fields you authorize through OAuth plus automatically generated product logs.

• Account Information

  When you sign in with Google we receive your Supabase user ID, email, display name, avatar, and any optional preferences you save in-app.

• Product Usage

  We log the tools you access, templates used, generation counts, favorites, and other interactions. These events are tied to your user ID for personalization but are anonymized in analytics whenever possible.

• Device & Logs

  To defend against abuse we capture browser metadata, locale, coarse location, and IP-derived region to detect security anomalies and troubleshoot incidents.

Data is used solely to deliver essential functionality, personalize experiences, and keep the platform stable. We do not sell or rent your personal information unless you explicitly consent or the law demands disclosure.

• Authenticate you and maintain Supabase sessions so you can save prompts and preferences.

• Rank navigation, recommend workflows, and highlight tutorials based on your frequently used models.

• Monitor performance, fix bugs, and detect unusual or policy-violating activity.

• Send service updates, security alerts, or required action notices.

Account and application data live in Supabase-managed PostgreSQL, Storage, and Realtime services with encryption at rest and row-level-security. Production maintenance access is tightly limited and sensitive operations are moving toward audited service accounts.

We only share data with service providers that are required to deliver HubVanta features, and we send only the fields necessary for each integration. Every partner is bound by contract and data-protection clauses.

• Google OAuth: used for authentication and reading your public profile only; we never access Drive, Contacts, or other scopes.

• Vercel Analytics / Plausible: aggregate telemetry that helps us measure performance and relies on anonymized cookies or fingerprinting.

• Model vendors (Midjourney, Flux, etc.): receive only the prompts and metadata you submit when generating content.

You can manage OAuth access through Google’s security center and may request data export or deletion at any time. We aim to respond within 30 days or explain why additional time is needed.

• Email privacy@hubvanta.com using the same address tied to your Google login so we can verify ownership.

• Deletion requests remove personal data and preferences from Supabase, though anonymized logs may be retained for security.

• If you are covered by EU, UK, or other regional privacy laws, mention it in your email so we can apply the appropriate process.

We retain essential data while your account remains active. If you are inactive for 12 months we may anonymize or delete personalized records. Changes to this policy will be announced in-product, and continued use constitutes acceptance.