Privacy Policy
We tried to write this the way we’d want to read it — short, honest, no legal mystery. If anything is unclear, ask us.
The short version
- You own your project data. Tasks, decisions, plans, and notes belong to you. We store them so the dashboard works.
- We don’t sell your data. Ever.
- We don’t train AI models on your content. When PAPI calls Claude on your behalf, that goes through Anthropic’s commercial API, which doesn’t train on customer content.
- We collect what we need to make PAPI work — account info, project content you create, light usage telemetry, and standard web logs.
- You can leave at any time. Email us and we’ll delete your account and everything attached to it.
Who we are
PAPI is built and operated by Cathal O’Sullivan, an independent developer based in the EU. PAPI is the “data controller” for the purposes of GDPR. You can reach us at cathal@getpapi.ai or through the contact form.
This policy covers the hosted PAPI dashboard at getpapi.ai and the PAPI MCP server (@papi-ai/server on npm) when it connects to our hosted backend. Hosted is the only supported path right now.
What we collect
Account information
When you sign up, we collect your email address and a password (or your GitHub / Google identity if you use OAuth). If you sign in with GitHub, we also receive your public profile (display name, avatar, GitHub username) and a token that lets us list your public repositories when you ask us to.
Project content
This is the bulk of what PAPI stores. When you run cycles, plans, builds, decisions, reviews, and briefs — through the dashboard or the MCP server — the contents of those artefacts are saved to our database against your account. That includes:
- Task titles, descriptions, scope, status, and free-text notes
- Active decisions, briefs, planning logs, build handoffs
- Build reports, including commit hashes and the list of files changed
- Strategy reviews and reviewer comments
- Project metadata (name, repo URL if you set one)
What we don’t store: we don’t clone your repository or copy your source code into our database. Build reports reference file paths and commits; the actual file contents stay in your repo.
Files you upload
If you upload a brief during onboarding (markdown, text, PDF, or Word, up to 1 MB), we parse it server-side and send the parsed text to Anthropic’s API to extract structured information. The original file isn’t kept — only the extracted result.
Usage telemetry
Light, scoped to your account: which PAPI tools you call, how long they take, milestone events (e.g. “setup completed”), and anonymous page-view + click events on the dashboard via Vercel Analytics. You can disable MCP-server telemetry by setting PAPI_TELEMETRY=off in your local config.
Technical logs
Standard web request logs (IP address, user agent, URL, timestamp) via Vercel and Supabase. We use these to keep the service running and investigate problems.
When you contact us
If you email us or use the contact form, we keep the message and your email so we can reply.
Where it lives
Your data is stored in Supabase (Postgres + Auth) hosted in Ireland (EU, eu-west-1). The dashboard is served from Vercel’s global edge network. Transactional emails (signup confirmations, password resets) go through Resend.
Some processors (Vercel, Anthropic, Resend) operate from the United States. When data leaves the EEA we rely on standard contractual clauses and the providers’ published data protection terms.
Who can access it
Inside PAPI: only you and the PAPI operator (Cathal). The operator only looks at individual project content when investigating a bug or responding to your support request. Aggregate metrics (counts, durations, success rates) are reviewed routinely; specific project contents are not.
Outside PAPI: only the sub-processors listed below, and only the data each of them needs to do their job. We don’t share your data with anyone else.
Note: when you sign up, we add your email to an internal contact list so we can reach out with product updates if needed. Any outbound email we send will include a clear way to opt out.
Sub-processors
These are the third parties that process your data on our behalf:
| Service | What they receive | Privacy policy |
|---|---|---|
| Supabase | All account + project data (Postgres, Auth, Edge Functions). Region: EU (Ireland). | Link |
| Vercel | Hosting; request logs; cookieless analytics + web-vitals. | Link |
| Resend | Recipient email address + the contents of transactional emails (signup, reset, magic link). | Link |
| Anthropic (Claude API) | Brief contents during import; project context for AI-assisted intelligence calls. Anthropic’s commercial API doesn’t train on customer content. | Link |
| GitHub | OAuth identity if you sign in with GitHub; public-repo access if you grant it. | Link |
| Google | OAuth identity if you sign in with Google (email + profile). | Link |
We’re not currently using PostHog, Mixpanel, Sentry, Datadog, Stripe, or any advertising network.
How long we keep it
Account & project data: for as long as you have an account. When you ask us to delete your account, we hard-delete your account and all attached project rows within 30 days.
Telemetry: for as long as you have an account; deleted with your account.
Provider logs: Vercel keeps request logs for a short window (typically days), Supabase keeps auth logs per its policy, and Resend keeps email metadata per its policy. We don’t control these retention windows.
AI providers and your content
PAPI uses Anthropic’s Claude for several features — brief extraction, planning, strategy reviews, and dashboard intelligence. Anthropic’s commercial API is contractually committed not to train on customer content.
When you run plan or strategy_review from the MCP server using your own Anthropic API key, those calls go directly from your machine to Anthropic. We don’t see or store those prompts.
Your rights
You have the right to:
- Access a copy of your data
- Correct data that’s wrong
- Delete your account and everything attached to it
- Export your project data in a portable format
- Object to specific processing or withdraw consent
- Complain to your local data protection authority
We currently handle access, deletion, and export requests by email — send a note to cathal@getpapi.ai from the email address on your account, and we’ll respond within 30 days. Self-service versions of these are on the roadmap.
You can already do these yourself today: delete an individual project from Settings, revoke or rotate API keys and OAuth tokens, and disconnect GitHub.
Security
Everything in transit is encrypted with TLS. Passwords are hashed by Supabase Auth (we never see your plaintext password). API keys and OAuth access/refresh tokens are stored as SHA-256 hashes — the raw value is shown to you once at generation; we cannot recover it. Admin routes are restricted to the operator’s account. Database access in production is service-role; multi-tenancy is enforced at the application layer with row-level security as defence in depth.
If you spot a security issue, please email cathal@getpapi.ai. We’ll get back to you fast.
Age requirement
PAPI is intended for users aged 16 and over. We don’t knowingly collect data from anyone younger. If you believe a child has signed up, contact us and we’ll remove the account.
Changes to this policy
We’ll update the “last updated” date at the top whenever this policy changes. For meaningful changes (new sub-processors, new categories of data) we’ll also email registered users.
Contact us
Questions, requests, complaints — all welcome.