This Privacy Policy describes how Podley (“Podley,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects your information when you use our AI-powered customer service automation platform (the “Service”). By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
Podley processes two categories of data: (1) your account and business data as our direct customer, and (2) your end customers' data that flows through the Service. This policy covers both.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Password (hashed; we never store plaintext passwords)
- Profile photo (if provided or obtained via OAuth)
- OAuth tokens from Google, Apple, or Facebook (if you use social login)
1.2 Integration Data
When you connect third-party services, we collect and store:
- Gmail: OAuth refresh tokens, email metadata and content (subject, body preview, sender, timestamps) for classification purposes. Only emails identified as customer service are fully processed and stored. Non-CS emails are automatically deleted within 30 days.
- Shopify: OAuth access tokens, order data (order numbers, amounts, status, line items), customer names and email addresses, fulfillment and tracking information, refund history
- Print-on-Demand Providers (Printify, Printful, Gooten, Gelato): API keys (encrypted), order fulfillment status, tracking numbers, print quality claim data
- Slack: Webhook URLs for sending notifications (Pro+ plans)
1.3 Customer Service Data
As you use the Service to manage customer support, we process and store:
- Customer names and email addresses
- Customer service case records (issue type, priority, status, resolution)
- Email content and AI-generated draft responses
- Order and fulfillment data associated with cases
- Photos uploaded for quality issue documentation
- Customer satisfaction ratings and case notes
- Your response templates, playbook configurations, and voice profile data
1.4 Billing Information
Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status. We do not store your full credit card number, CVV, or bank account details on our servers. Stripe's privacy policy governs the handling of your payment information.
1.5 Usage & Technical Data
- Feature usage patterns and interaction data
- AI classification accuracy and response performance metrics
- Error logs and diagnostic data (collected via Sentry)
- Browser type, operating system, IP address, and device information
- Pages visited and referral sources
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Classify emails, generate AI responses, execute playbook automations, process refunds, and manage customer cases on your behalf
- Learn your voice: Analyze your past email responses to match your writing style in AI-generated replies (Pro+ plans only, with your explicit opt-in)
- Maintain and improve the Service: Debug issues, analyze performance, and develop new features
- Process payments: Manage subscriptions, billing, and invoicing through Stripe
- Communicate with you: Send transactional emails (via Resend), account notifications, security alerts, and product updates
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access
- Comply with legal obligations: Respond to lawful requests from authorities and fulfill our regulatory requirements
3. What We Do NOT Do
We believe in being explicit about what we will never do with your data:
- We never sell your data to third parties, data brokers, or advertisers
- We never use your data for advertising or ad targeting
- We never train AI models on your specific customer data. Your emails, customer records, and business data are processed by AI to provide the Service, but they are not used to train, fine-tune, or improve general-purpose AI models. We use third-party AI providers (Anthropic, OpenAI) with data processing agreements that prohibit them from training on your data.
- We never share your customer information with other Podley users or unrelated third parties
- We never store or use your personal emails. Incoming emails are briefly scanned to identify customer service messages. Non-CS emails are automatically filtered and permanently deleted within 30 days.
4. Third-Party Data Sharing
We share your data only with the following categories of third parties, solely as necessary to provide the Service:
- AI Providers (Anthropic, OpenAI). Email content and customer context are sent to AI models for classification and response generation. These providers process data under data processing agreements and do not retain your data beyond the API request. They do not use your data to train their models.
- Infrastructure Providers (Supabase, Vercel). Your data is hosted on Supabase (PostgreSQL database) and served via Vercel. Both providers maintain SOC 2 compliance and provide encryption at rest and in transit.
- Payment Processor (Stripe). Billing and subscription data is processed by Stripe. Stripe is PCI DSS Level 1 compliant.
- Error Monitoring (Sentry). Technical error logs may include minimal contextual data. Sentry does not receive your customer content or personally identifiable information.
- Email Service (Resend). We use Resend to send transactional emails to you (not to your customers). Your email address is shared with Resend for this purpose.
- Connected Platforms (Gmail, Shopify, Print Providers). When you connect integrations, data flows between Podley and these platforms as authorized by you. Each platform's own privacy policy applies to data stored on their systems.
We may also disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+
- Encryption at rest: All data stored in our database is encrypted at rest. Sensitive fields (API keys, OAuth tokens, integration credentials) are additionally encrypted using AES-256-CBC with dedicated encryption keys
- Row-Level Security: Our database enforces row-level security (RLS) policies, ensuring that each user can only access their own data
- Webhook verification: Incoming webhooks from Shopify and Stripe are verified using HMAC signatures to prevent tampering
- Security headers: We enforce strict HTTP security headers including HSTS, X-Content-Type-Options, X-Frame-Options, and Content Security Policy
- Rate limiting: Login endpoints and API routes are rate-limited to prevent brute-force attacks
- Audit logging: All administrative access and significant account actions are logged for security and compliance review
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
- Active accounts. We retain your data for as long as your account is active and as needed to provide the Service.
- Account closure. When you close your account, we schedule deletion of your data within 30 days. Some data may be retained longer if required by law, for legitimate business purposes (e.g., resolving disputes), or to enforce our agreements.
- Customer data deletion requests. When we receive a GDPR-compliant data deletion request (including via Shopify GDPR webhooks), we anonymize the affected customer records by replacing personal identifiers with [REDACTED]. This ensures your case history and analytics remain functional while removing personally identifiable information.
- Billing records. We retain billing and transaction records for up to 7 years as required by tax and financial regulations.
- Audit logs. Security and administrative audit logs are retained for up to 2 years.
- Filtered emails. Emails classified as non-customer-service are automatically deleted from our systems within 30 days of being filtered.
7. Cookies & Tracking Technologies
We use a minimal set of cookies and tracking technologies:
- Essential cookies. Session cookies for authentication and maintaining your login state. These are strictly necessary for the Service to function and cannot be disabled.
- Analytics (optional). We may use PostHog or similar analytics tools to understand how users interact with the Service. These are used solely for product improvement and are not shared with advertisers. You may opt out of analytics through your browser settings or by contacting us.
We do not use advertising cookies, retargeting pixels, or third-party tracking scripts for advertising purposes. We do not sell cookie data or user behavior data to any third party.
8. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
8.1 All Users
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Data export: Request a machine-readable export of your data
- Integration revocation: Disconnect any third-party integration at any time through your account settings
- Account closure: Close your account at any time, triggering data deletion within 30 days
8.2 European Economic Area (GDPR)
If you are located in the EEA, UK, or Switzerland, you additionally have the right to:
- Object to processing of your data based on legitimate interests
- Restrict processing in certain circumstances
- Data portability: Receive your data in a structured, machine-readable format
- Withdraw consent at any time for processing based on consent
- Lodge a complaint with your local data protection authority
Our legal bases for processing your data under GDPR include: performance of a contract (providing the Service), legitimate interests (improving the Service, preventing fraud), compliance with legal obligations, and your consent (where applicable).
8.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how we use it
- Delete your personal information, subject to certain exceptions
- Opt out of sale: We do not sell personal information. No opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise any of these rights, contact us at privacy@podley.com. We will respond to verified requests within 30 days (or 45 days for CCPA requests, as permitted by law).
9. International Data Transfers
Podley is based in the United States. Your data may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from your jurisdiction. By using the Service, you consent to such transfers. Where required by GDPR, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard international transfers of personal data.
10. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you become aware that a child has provided us with personal information, please contact us at privacy@podley.com and we will take steps to delete such information promptly.
11. Data Breach Notification
In the event of a data breach that affects your personal information, we will: (a) notify affected users via email within 72 hours of becoming aware of the breach, where feasible; (b) provide details about the nature of the breach, the types of data affected, and the steps we are taking to address it; (c) notify relevant data protection authorities as required by applicable law (including GDPR Article 33). We maintain an incident response plan and will cooperate fully with any investigation.
12. Your Customers' Data
You are the data controller for your end customers' personal data that is processed through the Service. Podley acts as a data processor on your behalf. This means:
- You are responsible for ensuring that you have a lawful basis to collect and process your customers' data (e.g., consent, legitimate interest, contractual necessity)
- You are responsible for providing appropriate privacy notices to your customers about how their data is used
- You are responsible for honoring your customers' data rights requests (access, deletion, etc.) and may use Podley tools to fulfill them
- Podley processes your customers' data only as instructed by you through your use of the Service
If you require a formal Data Processing Agreement (DPA), please contact us at privacy@podley.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The “Last updated” date at the top will be revised. Your continued use of the Service after changes take effect constitutes acceptance. If you do not agree to the updated policy, you must stop using the Service and close your account.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your data, please contact us:
- Privacy inquiries: privacy@podley.com
- General support: support@podley.com
- Security issues: security@podley.com
- Data protection requests: privacy@podley.com
We aim to respond to all privacy-related inquiries within 30 days.