§ 01

Privacy from day one

Your SupaTeam platform generates social media content, business research data, customer feedback insights, and email outreach analytics. To protect your privacy from the moment you start using our service, SupaTeam does not associate the platform data generated by your usage with your identity or account by default.

From features such as AI-generated content to social media posting on your behalf, your information is kept private and secure, ensuring the usage data collected is not linked to your identity or account.

SupaTeam's AI agents are equipped with advanced decision-making capabilities designed from the ground up to protect your privacy while providing intelligent automation features such as content creation, audience research, and campaign optimization. AI analytics data from the agents is processed directly without leaving your organization by default. In order for AI insights to be shared with SupaTeam for service improvement, your consent is required and can be controlled through your account settings at any time.

Additionally, from social media integrations to email outreach tools, your connected services are designed to protect your privacy. SupaTeam aims to collect a minimum amount of personal data necessary for operating your campaigns, providing services to you, and for improving your platform experience.

§ 02

Information we may collect

We may collect three main types of information related to you or your use of our products and services:

→Information from or about you
→Information from or about your platform usage
→Information from or about your connected services

Depending on the SupaTeam products and services you request, own, or use, not all of these types of information may be applicable to you.

§ 03

Gmail API usage

SupaTeam's Luna agent uses the Gmail API to track email responses from business prospects. This section explains exactly what Gmail data we access and how we use it.

Scope · gmail.readonly

Purpose: Read incoming email responses from prospects who reply to Luna's outreach campaigns.

What we access

→Unread emails in your Gmail inbox
→Only emails that are replies to Luna campaigns
→Email headers and body content for AI analysis

What we never access

→Emails unrelated to our campaigns
→Email attachments
→Your entire inbox history
→Emails in other folders

Scope · gmail.modify

Purpose: Mark processed emails as "read" to prevent duplicate processing.

We only remove the UNREAD label after processing. We do not delete emails, modify content, move emails, or add other labels.

Your control

You can revoke SupaTeam's Gmail access at any time through your Google Account Settings (Security → Third-party apps with account access). You can also pause Luna or delete your organization account.

Security measures

→Thread validation: Every email is validated against existing campaign threads to prevent unauthorized access
→Sender verification: Validates sender domains to prevent email spoofing
→Rate limiting: Maximum 3 responses per hour and 15 per day per prospect
→Encryption: OAuth tokens encrypted using AES-256
→Audit logging: All interactions logged with timestamps and validation results

§ 04

Service providers and data processing

To deliver, maintain, and improve our services, we engage carefully vetted third-party service providers who process data on our behalf. These providers are contractually bound to use your information only for the purposes we specify and in accordance with this Privacy Notice.

Infrastructure and operations

→Cloud infrastructure: Encrypted cloud database services for secure storage of account data with enterprise-grade controls and geographic redundancy
→AI processing: Large language model providers for powering AI agents' decision-making, content generation, and analytical capabilities
→Media services: Content delivery and media management for secure storage and optimized delivery of images, videos, and other assets
→Email delivery: Transactional email service providers for campaign emails, system notifications, and other communications
→Payment processing: PCI-DSS compliant payment processors for secure subscription billing. Payment credentials are stored exclusively by the payment processor

User-authorized platform integrations

Platform	Integration purpose	Data accessed
Meta (Instagram, Facebook, Threads)	Automated content publishing and performance analytics	Account profile, published content, engagement metrics, audience insights
X (formerly Twitter)	Automated content publishing and engagement tracking	Account profile, published posts, engagement metrics
LinkedIn	Professional content publishing and analytics	Profile information, published articles and posts, engagement data
TikTok	Video content publishing and performance tracking	Account profile, published videos, view counts, engagement metrics
Google Workspace (Gmail)	Email campaign response tracking and thread management	Email headers, message content for campaign-related threads only
Microsoft 365 (Outlook)	Email integration and campaign response tracking	Email headers, message content for campaign-related threads only
Slack	Team notifications and agent activity alerts	Workspace and channel identifiers for message delivery

No data sales

We do not sell, rent, lease, or otherwise trade your personal information to third parties for their marketing purposes. We do not participate in data broker networks or share your information for cross-context behavioral advertising without your explicit consent.

§ 05

Data security

We implement comprehensive security measures to protect your data across the stack — from transport to storage, access, and monitoring.

Encryption

→At rest: AES-256 encryption for sensitive credentials
→In transit: All communications over HTTPS / TLS
→Tokens: OAuth tokens encrypted in database

Authentication

→Multi-tenant: Row Level Security policies
→Sessions: JWT-based authentication
→Commands: WhatsApp authorization with audit trail

Monitoring

→Audit logs: All interactions logged with timestamps
→Rate limiting: Anti-abuse measures implemented
→Anomaly detection: Unusual patterns flagged

Access control

→Org isolation: Data segmented by tenant
→Role-based: Admin and member permissions
→Webhook security: HMAC-SHA256 verification

§ 06

Your rights and controls

Data access rights

→View your data: Access all agent activities via dashboard
→Export your data: Export organization data and reports
→Update your data: Edit settings and configurations
→Delete your data: Delete account and all associated data

Agent control

→Pause / resume: Control each agent individually
→Configure behavior: Set frequency, thresholds, schedules
→Manual triggers: Trigger agent runs via commands

Integration control

→Revoke Gmail: Disconnect via Google Account Settings
→Disconnect social media: Remove Instagram, Threads, Facebook
→Remove databases: Disconnect external customer databases

§ 07

Data retention

We retain your data for different periods depending on the type:

Data type	Retention period
User account data	While account is active; deleted upon termination request
Agent memory	Top 100 memories per agent; older entries automatically deleted
Social media posts	Indefinitely for analytics unless manually deleted
Email campaigns	Indefinitely unless manually deleted
Security audit logs	Indefinitely for compliance and security

§ 08

Privacy questions

If you have questions about this Privacy Notice or want to exercise your data rights, please reach out:

Privacy inquiries

privacy@supateam.ai

General support

support@supateam.ai

Address

Kampala, Uganda

This Privacy Notice was last updated on May 4, 2026. We may update this policy from time to time. Material changes will be communicated via email or dashboard notification.

Customer privacy notice