Privacy Policy
Last updated: 3 March 2026
This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with SupaPM, including our website, browser extensions, applications, and related services (collectively, the "Service"). It also explains the choices and rights you may have in relation to your personal data.
This Privacy Policy is intended primarily for business and professional users of the Service. By using the Service, you acknowledge that you have read this Privacy Policy and understand how we process personal data.
1. Who we are and how to contact us
SupaPM is a software product that helps product teams manage projects, insights, and related work using AI-assisted workflows. References to "we", "us", or "our" in this Privacy Policy refer to the operator of SupaPM.
If you have any questions about this Privacy Policy or about how we handle personal data, please contact us at hello@supapm.com.
2. Scope and roles
This Privacy Policy applies where we act as a "controller" of personal data, for example in relation to:
- Visitors to our website and marketing pages.
- Individuals who sign up for or interact with the Service (such as workspace administrators or users).
- People who communicate with us, for example via email or support channels.
When you use the Service as part of an organisation (for example, your employer or company), that organisation typically acts as the controller of the personal data you submit to the Service (such as information about your projects, customers, or team members), and we act as a "processor" on their behalf. In those cases, our processing of such data is governed by our agreement with that organisation, and you should refer to your organisation's own privacy notices for more information.
3. Personal data we collect
Depending on how you interact with us and the Service, we may collect the following categories of personal data:
- Account and contact information. This includes your name, email address, organisation name, role or job title, and any other details you provide when you create an account, request access, or communicate with us.
- Authentication and security information. This includes information used for login and account security, such as one-time passcodes, tokens, basic device information, and logs related to authentication and access.
- Workspace and content data. This includes information you or your organisation enter into the Service, such as project descriptions, insights, notes, tasks, feedback, and any files or other content that you choose to upload or connect to the Service.
- Browser extension and context data. If you install and use our browser extension, we may process information about the pages you interact with in order to provide context within the sidepanel, such as URLs, page titles, and selected text or content snippets you choose to send to the Service. We do not use this information for advertising.
- Usage and technical data. We collect information about how you access and use the Service, including your IP address, browser type and settings, device identifiers, operating system, the pages or features you use, the time and date of your visits, and diagnostic and performance information. We may collect this information through cookies and similar technologies (see section 6 below).
- Communications and support data. This includes information you provide when you contact us for support, feedback, or other purposes, as well as records of our communications with you.
- Third-party integrations. If you choose to connect third-party tools (for example, email, issue trackers, or collaboration platforms), we may receive information from those tools as authorised by you or your organisation. The data we receive depends on the integration and the permissions you grant.
We do not intentionally seek to collect special categories of personal data (such as health information or data about criminal convictions). If you choose to include such data in the Service, you are responsible for ensuring that you have a lawful basis to do so and that doing so is consistent with your own policies and obligations.
4. How we use personal data and legal bases
We use personal data for the following purposes and, where applicable, on the following legal bases:
- To provide and maintain the Service. This includes creating and managing accounts, authenticating users, enabling core functionality, operating the browser extension, processing Customer Data, and providing technical support. We process data for this purpose to perform our contract with you or, where applicable, to pursue our legitimate interest in operating and improving the Service.
- To improve and develop the Service. We analyse usage and technical data to understand how the Service is used, troubleshoot issues, and develop new features and enhancements. We rely on our legitimate interests in improving and securing our products and services for this processing.
- To communicate with you. We use your contact details to send you service-related communications (such as security alerts, changes to the Service, or support responses) and, where permitted, to send you information about new features or offerings. We process this data to perform our contract with you and/or on the basis of our legitimate interests in keeping you informed. Where required by law, we will obtain your consent for marketing communications.
- To ensure security and prevent abuse. We use personal data to monitor for, detect, and prevent fraudulent, harmful, or unauthorised activity, and to protect the security and integrity of the Service. This processing is based on our legitimate interests in maintaining the security of our systems and users and on compliance with legal obligations.
- To comply with legal obligations. We may process and retain personal data as required by law, for example in relation to tax, accounting, and regulatory requirements, or to respond to lawful requests from public authorities.
- With your consent. Where we rely on consent (for example, for certain cookies or optional marketing communications), we will obtain it separately and you may withdraw your consent at any time.
5. AI and third-party service providers
The Service may use or integrate with third-party services, including AI model providers such as OpenAI, Anthropic, or Google, as well as hosting, analytics, and infrastructure providers. When we send prompts, content, or other data to such providers, they process that data in order to generate outputs or provide their services to us.
We take steps to contractually limit how such providers may use Customer Data and personal data and to require appropriate security safeguards. However, their processing is also governed by their own terms and privacy policies, which we encourage you to review. We do not sell personal data to third parties.
6. Cookies and similar technologies
We use cookies and similar technologies (such as local storage and pixels) to operate and improve the Service, remember your preferences, maintain your session, and understand usage patterns. Some cookies are strictly necessary for the Service to function, while others are used for analytics or to support optional features.
Depending on your location, you may be presented with a cookie banner or controls that allow you to manage your preferences. You can also configure your browser to reject or delete cookies, though this may affect the functionality of the Service.
7. How we share personal data
We may share personal data in the following circumstances:
- Service providers. We share personal data with trusted third-party vendors and service providers who perform services on our behalf, such as hosting, infrastructure, analytics, email delivery, customer support tools, and AI model providers. These providers are authorised to use personal data only as necessary to provide their services to us and are subject to appropriate contractual safeguards.
- Within our group. If we operate through affiliated entities, we may share personal data within our corporate group for purposes consistent with this Privacy Policy.
- Legal and safety reasons. We may disclose personal data if we reasonably believe it is necessary to comply with applicable law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of us, our users, or others.
- Business transfers. In connection with a merger, acquisition, financing, reorganisation, or sale of all or part of our business, personal data may be transferred as part of the transaction, subject to appropriate safeguards and applicable law.
- With your direction or consent. We may share personal data with third parties when you request or authorise us to do so, for example when you enable an integration or share content externally.
8. International data transfers
We may transfer personal data to countries other than the country in which it was originally collected. These countries may have data protection laws that are different from those of your country and, in some cases, may not be deemed to provide an equivalent level of protection.
Where we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, we will implement appropriate safeguards, such as entering into standard contractual clauses approved by the relevant authorities, or rely on another valid transfer mechanism under applicable data protection laws.
9. Data retention
We retain personal data for as long as reasonably necessary to fulfil the purposes described in this Privacy Policy, including to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
The specific retention periods may vary depending on the type of data and the context in which it was collected. When we no longer need to use personal data and there is no legal requirement to retain it, we will delete or anonymise it.
10. Security
We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, or alteration. These measures include access controls, encryption in transit where appropriate, and regular monitoring of our systems.
However, no system can be completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any actual or suspected unauthorised access to your account.
11. Your rights and choices
Depending on your location and applicable law, you may have certain rights in relation to your personal data, including the rights to:
- Request access to the personal data we hold about you.
- Request correction of inaccurate or incomplete personal data.
- Request deletion of your personal data in certain circumstances.
- Request restriction of or object to the processing of your personal data, including where we are relying on legitimate interests.
- Request the transfer of your personal data to you or to a third party, where technically feasible (data portability).
- Withdraw consent where we rely on your consent to process your personal data.
To exercise these rights, please contact us at hello@supapm.com. We may need to verify your identity before responding to your request. You also have the right to lodge a complaint with your local data protection authority. However, we encourage you to contact us first so that we can address your concerns.
12. Children
The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13 without appropriate consent, we will take steps to delete that information. If you believe that we may have collected such data, please contact us at hello@supapm.com.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and may provide additional notice as appropriate (for example, by displaying a notice in the Service or by sending you an email).
Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acknowledgement of the changes. If you do not agree to the updated Privacy Policy, you should stop using the Service.
14. How this Policy relates to our Terms
This Privacy Policy should be read together with our Terms of Use, which describe your responsibilities and our commitments when you use the Service.