Privacy Policy

Last updated: June 2026
Pending attorney review. This is a working draft.

1. Data We Collect

We collect the following data:

  • Account data: name, email address, authentication tokens
  • Offer data: business descriptions, product details, URLs, and raw text you submit
  • Generated content: all AI-generated copy and your edits to it
  • Usage data: tool usage frequency, timestamps, subscription status
  • Billing data: Stripe customer ID, subscription status, payment history (card details are handled by Stripe, not stored by us)
  • Email data: email event metadata (delivered, bounced, opened) for transactional emails we send
  • Technical data: IP address, browser type, request logs for security and rate limiting

2. How We Use Your Data

  • To provide the Service: generate copy, store your history, manage your subscription
  • To send transactional emails: welcome, payment confirmations, payment failure alerts, cancellation confirmations
  • To monitor and improve the Service: aggregate usage analytics, error tracking via Sentry
  • To prevent abuse: rate limiting, fraud detection, security monitoring
  • To comply with legal obligations

We do not sell your data to third parties. We do not use your content to train AI models.

3. Third-Party Services

We use the following third-party services that process your data:

  • Supabase (database and authentication): stores account data, offers, generations, and email events. Hosted in the US.
  • Stripe (payment processing): handles billing data and card details. PCI-DSS compliant. We never see or store your card number.
  • Resend (transactional email): delivers our emails. Receives your email address for sending.
  • AI Provider (content generation): receives your offer descriptions and generation parameters to produce copy. Does not store your data after generation.
  • Vercel (optional, user-initiated): if you deploy a landing page through our Page Designer, Vercel receives the HTML content of that page.
  • Sentry (error tracking): receives error reports and stack traces. No user content is included in error reports.
  • Upstash Redis (rate limiting): stores IP addresses and request counts for abuse prevention.

4. Data Retention

  • Active subscriptions: all data is retained while your subscription is active
  • After cancellation: data is retained for 90 days, then permanently deleted
  • After account deletion request: data is soft-deleted immediately and permanently removed within 30 days
  • Email events: retained for 12 months for bounce tracking and compliance
  • Audit logs: retained for 24 months for security and compliance
  • Request logs: retained for 30 days for rate limiting and security

You may request earlier deletion at any time from Settings or by contacting us.

5. Your Rights (GDPR / CCPA)

You have the following rights regarding your data:

  • Right of access: download all your data from Settings > My Data
  • Right to erasure: delete your account from Settings > My Data. Data is permanently removed within 30 days.
  • Right to rectification: update your profile from Settings > Account
  • Right to object: unsubscribe from transactional emails via the link in any email. Note: critical service emails (payment confirmations) cannot be unsubscribed.
  • Right to data portability: download your data in JSON format from Settings > My Data
  • Right to withdraw consent: delete your account at any time

To exercise any of these rights, use the in-app controls or contact support@killercopy.app.

6. Security

We use industry-standard security measures: encrypted data in transit (TLS), row-level security in our database, service-role key isolation, CSP headers, rate limiting, and webhook signature verification. Despite these measures, no system is 100% secure. We will notify affected users within 72 hours of a confirmed data breach.

7. Cookies

We use only essential cookies for authentication and session management. We do not use tracking cookies, advertising pixels, or third-party analytics cookies. Supabase sets authentication cookies (sb-access-token, sb-refresh-token) which are strictly necessary for the Service to function.

8. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe we have, contact us immediately and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes require 30 days notice via email.

10. Contact

For privacy questions or data requests, contact support@killercopy.app.