Customer Privacy Notice
Your privacy is and will always be enormously important to us. Our Privacy Notice is designed to provide transparency into our data practices in a format that is easy to read and navigate. Please read the sections below to understand how we collect, use, share, and safeguard your information in order to offer you the most seamless AI-powered social media management experience imaginable.
Last Updated: November 11, 2025
Privacy From Day One
Your SupaTeam platform generates social media content, business research data, customer feedback insights, and email outreach analytics. To protect your privacy from the moment you start using our service, SupaTeam does not associate the platform data generated by your usage with your identity or account by default. As a result, no one but you would have knowledge of your activities, content creation history, or business insights. Your in-platform experiences are also protected.
From features such as AI-generated content, to social media posting on your behalf, your information is kept private and secure, ensuring the usage data collected is not linked to your identity or account.
SupaTeam's AI agents are equipped with advanced decision-making capabilities designed from the ground up to protect your privacy while providing intelligent automation features such as content creation, audience research, and campaign optimization. To support these features, AI analytics data from the agents is processed directly without leaving your organization by default. In order for AI insights to be shared with SupaTeam for service improvement, your consent is required and can be controlled through your account settings at any time.
Additionally, from social media integrations to email outreach tools, your connected services are designed to protect your privacy. SupaTeam aims to collect a minimum amount of personal data necessary for operating your campaigns, providing services to you, and for improving your platform experience. We are also committed to only share your personal data when needed to operate or service your account, or we will ask for your permission.
Information We May Collect
We may collect three main types of information related to you or your use of our products and services:
- Information from or about you
- Information from or about your platform usage
- Information from or about your connected services
Depending on the SupaTeam products and services you request, own, or use, not all of these types of information may be applicable to you.
Gmail API Usage
SupaTeam's Luna agent uses Gmail API to track email responses from business prospects. This section explains exactly what Gmail data we access and how we use it.
Scopes Requested
gmail.readonly
Purpose: Read incoming email responses from prospects who reply to Luna's outreach campaigns.
What we access:
- Unread emails in your Gmail inbox
- Only emails that are replies to Luna campaigns
- Email headers and body content for AI analysis
What we DO NOT access:
- Emails unrelated to our campaigns
- Email attachments
- Your entire inbox history
- Emails in other folders
gmail.modify
Purpose: Mark processed emails as "read" to prevent duplicate processing.
We only remove the UNREAD label after processing. We do NOT delete emails, modify content, move emails, or add other labels.
Your Control: You can revoke SupaTeam's Gmail access at any time through your Google Account Settings (Security → Third-party apps with account access). You can also pause the Luna agent or delete your organization account.
Security Measures
- Thread Validation:Every email is validated against existing campaign threads to prevent unauthorized access
- Sender Verification:Validates sender domains to prevent email spoofing
- Rate Limiting:Maximum 3 responses per hour and 15 per day per prospect
- Encryption:OAuth tokens encrypted using AES-256
- Audit Logging:All interactions logged with timestamps and validation results
Third-Party Services
We use various third-party services to power our platform. Data is only shared with service providers necessary for platform functionality.
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic Claude | AI decision-making for all agents | Text prompts, content, prospect data, feedback |
| Supabase | Primary encrypted database | All user accounts, organizations, posts, campaigns |
| ImageKit | Media library management | Images, videos uploaded by users |
| Meta Platforms | Social media posting (Instagram, Threads, Facebook) | Posts, captions, media, engagement metrics |
| Gmail API | Email response tracking (readonly) | Email responses, thread IDs, headers |
| Resend | Email sending for campaigns | Email addresses, subject, body, tracking data |
| Google Maps | Business research | Search queries, business listings, locations |
| Stripe | Payment processing | Payment information (stored by Stripe) |
We Do NOT Sell Your Data: We do not sell, rent, or trade your personal information to third parties for marketing purposes.
Data Security
We implement comprehensive security measures to protect your data:
Encryption
- At Rest: AES-256 encryption for sensitive credentials
- In Transit: All communications over HTTPS/TLS
- Tokens: OAuth tokens encrypted in database
Authentication
- Multi-Tenant: Row Level Security policies
- Sessions: JWT-based authentication
- Commands: WhatsApp authorization with audit trail
Monitoring
- Audit Logs: All interactions logged with timestamps
- Rate Limiting: Anti-abuse measures implemented
- Anomaly Detection: Unusual patterns flagged
Access Control
- Organization Isolation: Data segmented by tenant
- Role-Based: Admin and member permissions
- Webhook Security: HMAC-SHA256 verification
Your Rights and Controls
Data Access Rights
- View Your Data: Access all agent activities via dashboard
- Export Your Data: Export organization data and reports
- Update Your Data: Edit settings and configurations
- Delete Your Data: Delete account and all associated data
Agent Control
- Pause/Resume: Control each agent individually
- Configure Behavior: Set frequency, thresholds, schedules
- Manual Triggers: Trigger agent runs via commands
Integration Control
- Revoke Gmail: Disconnect via Google Account Settings
- Disconnect Social Media: Remove Instagram, Threads, Facebook
- Remove Databases: Disconnect external customer databases
Data Retention
We retain your data for different periods depending on the type:
| Data Type | Retention Period |
|---|---|
| User Account Data | While account is active; deleted upon termination request |
| Agent Memory | Top 100 memories per agent; older automatically deleted |
| Social Media Posts | Indefinitely for analytics unless manually deleted |
| Email Campaigns | Indefinitely unless manually deleted |
| Security Audit Logs | Indefinitely for compliance and security |
Privacy Questions
If you have questions about this Privacy Policy or want to exercise your data rights, please contact us:
This Privacy Policy was last updated on November 11, 2025. We may update this policy from time to time. Material changes will be communicated via email or dashboard notification.