Privacy Policy

1. Data we collect

Account information. When you sign up, we collect your name, email address, and (if you use a social sign-in) the avatar URL and OAuth refresh token returned by your identity provider (for example, Google). We do not request access to your contacts, calendar, or other Google Workspace data.

Payment information. Billing is handled by Stripe. When you subscribe or buy credits, Stripe collects your payment-card details and billing address directly. Presume receives only the metadata Stripe returns to us — a customer ID, the last four digits of the card, card brand, invoice records, and subscription status. We never see or store full payment-card numbers, CVV codes, or bank-account credentials.

Product and simulation inputs. When you use the service, you create "products" (product descriptions, features, pricing), "personas" (synthetic user profiles), and "simulations" (prompts and configurations). All of this content is stored in our database and may be sent to third-party language-model providers for inference (see Section 3).

Simulation outputs. Generated content — sentiment distributions, churn scores, quotes, and other artifacts — is stored in your account and accessible only to you and teammates you invite.

Technical metadata. We collect basic metadata necessary to operate and secure the service: IP address, browser type and version, operating system, referring URL, timestamps, and pages visited. This is logged at the hosting layer (Vercel) and database layer (Supabase) and is retained for operational and security purposes.

Analytics. We use Vercel Analytics, which collects aggregated, anonymous pageview data. It does not use cookies and does not collect personally identifying information.

Communications. If you email us, we keep the message and our response so we can follow up. If you opt in to product updates, we store your preference until you opt out.

2. How we use your data

We use the data above to:

• Provide, operate, and maintain the service, including running your simulations and returning results;
• Authenticate you and keep your account secure;
• Process payments, manage subscriptions, and handle credit balances through Stripe;
• Send transactional communications (receipts, security alerts, service announcements, password resets);
• Diagnose, debug, and improve the product based on aggregate usage patterns and error logs;
• Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service;
• Comply with legal obligations, respond to lawful requests from public authorities, and enforce our agreements.

We do not train AI models on your customer content. We do not use your product descriptions, personas, prompts, or simulation outputs to train, fine-tune, or evaluate any model — our own or any third party's — without your explicit, opt-in consent on a per-feature basis. There is no opt-in surface today; if we ever build one, it will be off by default and fully revocable.

We do not sell your personal data. We do not share it with advertisers, data brokers, or marketing analytics resellers.

3. Third parties and sub-processors

We use the following providers to operate the service. When you run a simulation, your prompts and product context are sent to inference providers in the course of normal operation.

• Supabase. Authentication and primary database. Hosted in US-East. Stores account info, products, personas, simulations, and outputs. See supabase.com/privacy.
• Stripe. Payment processing for subscriptions and credit top-ups. Collects payment-card details directly. See stripe.com/privacy.
• Vercel. Application hosting, edge delivery, and analytics (US-East). Logs request metadata for operations and security. See vercel.com/legal/privacy-policy.
• OpenRouter. Routing layer for large-language-model inference. We send simulation prompts (which include your product context and persona definitions) through OpenRouter. See openrouter.ai/privacy.
• Anthropic, OpenAI, DeepSeek, and other model providers. Downstream inference providers reached via OpenRouter or direct API. Your prompts transit their infrastructure to generate simulation outputs. Per their published policies, they do not train on API inputs by default. See each provider's privacy policy.
• Google (OAuth only, optional). If you choose to sign in with Google, Google handles authentication and returns basic profile data (name, email, avatar, refresh token). See policies.google.com/privacy.

We may also disclose data when legally required (court order, subpoena, valid government request), to enforce our Terms, or to protect the rights, property, or safety of Presume, our users, or the public. If we receive an overbroad request, we will resist it where appropriate.

If we are ever involved in a merger, acquisition, financing, or sale of assets (including a future conversion from sole proprietorship to a corporate entity), your data may be transferred as part of that transaction. We will notify you of any such change and give you a reasonable opportunity to delete your account before the transfer takes effect.

4. Cookies and similar technologies

We use only essential cookies and equivalent browser-storage mechanisms required to operate the service: authentication session tokens, CSRF tokens, and minimal preference state. We do not use advertising cookies, tracking pixels, or cross-site tracking. Because we do not deploy non-essential cookies, we do not show a cookie consent banner.

Our analytics (Vercel Analytics) is cookieless and does not track you across sites.

5. Data storage, security, and international transfers

All data is stored in the United States (Supabase US-East and Vercel US-East). If you access Presume from outside the United States, including from the European Economic Area, the United Kingdom, or Switzerland, you understand that your data will be transferred to and processed in the United States, which may have different data-protection laws than your jurisdiction. Where required, we rely on the European Commission's Standard Contractual Clauses and equivalent mechanisms via our sub-processors.

Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Supabase enforces row-level security so your records are isolated from other customers at the database layer. Database backups are encrypted and retained for thirty (30) days. We follow reasonable industry practices for vulnerability management and access control. No system is perfectly secure; we cannot and do not guarantee absolute security.

If a security incident affects your personal data, we will notify you and any applicable regulator as required by law, without undue delay.

6. Data retention

We retain your data for as long as your account is active. If you delete your account, we delete your products, personas, simulations, outputs, and account record within ninety (90) days. Encrypted backups containing your data may persist for an additional thirty (30) days before being overwritten on rolling backup schedules.

Some data may be retained longer where required by law or legitimate business need: financial records and invoices (typically seven years for tax purposes), security and abuse logs (up to one year), and aggregated, de-identified usage metrics (indefinitely).

7. Your rights

You have rights over your personal data. Depending on where you live, these may include:

• Access — request a copy of the personal data we hold about you;
• Correction — ask us to fix data that is inaccurate or incomplete;
• Deletion — ask us to delete your data (subject to legal-retention exceptions);
• Portability — receive your data in a structured, machine-readable format;
• Restriction or objection — ask us to limit or stop certain processing;
• Withdraw consent — where processing is based on consent, withdraw it at any time;
• Opt out of analytics — email us and we will exclude your account from analytics where technically possible;
• Complain to a regulator — for EEA/UK residents, your local data-protection authority; for California residents, the California Privacy Protection Agency.

To exercise any of these rights, email privacy@getpresume.com. We will respond within thirty (30) days, or forty-five (45) days for complex requests, and we will not discriminate against you for exercising these rights.

8. California privacy disclosures (CCPA / CPRA)

If you are a California resident, you have the rights described in Section 7 plus the following CCPA/CPRA disclosures:

• Categories of personal information collected in the last 12 months: identifiers (name, email, IP address), commercial information (subscription and credit history via Stripe), internet activity (usage logs), geolocation (approximate, derived from IP), and user-generated content (products, personas, simulations, outputs).
• Sources: directly from you, from your device when you use the service, and from Stripe for payment-related data.
• Business purposes: providing the service, billing, security, debugging, and legal compliance — as detailed in Section 2.
• Sale or sharing of personal information: We do not sell or share personal information as those terms are defined under the CCPA/CPRA, including for cross-context behavioral advertising.
• Sensitive personal information: We do not collect categories defined as sensitive personal information under the CCPA/CPRA, and we do not use any data for purposes that would trigger the right to limit use of sensitive personal information.
• Right to opt out of sale or sharing: not applicable, because we do not sell or share personal information. There is no "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of.

You may designate an authorized agent to submit requests on your behalf; we will verify identity and authorization before acting.

9. EEA / UK / Swiss disclosures (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, Amaar Chughtai (operating Presume) acts as the data controller for personal data about your account, and as a processor for personal data you upload as Customer Content.

Our lawful bases for processing under the GDPR/UK GDPR are:

• Performance of a contract — to provide the service you signed up for;
• Legitimate interests — to secure and improve the service, prevent abuse, and communicate operationally with you (balanced against your rights);
• Legal obligation — to comply with tax, accounting, and other applicable laws;
• Consent — for any optional features that require it (we will ask before relying on consent).

Because Presume is a U.S.-based sole proprietorship and not established in the EEA or UK, we have not appointed a representative under Article 27 of the GDPR. You may contact us directly at privacy@getpresume.com.

International transfers from the EEA/UK to the United States rely on Standard Contractual Clauses and equivalent transfer mechanisms via our sub-processors (Supabase, Stripe, Vercel, OpenRouter, and downstream model providers).

For Customer Content, if you require a Data Processing Agreement, email privacy@getpresume.com and we will provide our standard DPA.

10. Children

Presume is a B2B service intended for use by adults. It is not directed to anyone under eighteen (18). We do not knowingly collect personal information from anyone under eighteen. If we learn that we have collected such data, we will delete it promptly. If you believe a minor has provided us with personal data, contact privacy@getpresume.com.

11. AI processing notice

Content you upload (products, personas, prompts) is transmitted to third-party language-model providers as part of normal simulation execution. Do not upload sensitive personal data, regulated data (such as personal health information or payment-card data), confidential information of third parties you are not authorized to share, or anything else you would not be comfortable having processed by an external AI service.

Simulation outputs are generated by AI and may be inaccurate, biased, or hallucinated. See the AI-specific disclaimers in our Terms of Service.

12. Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email and update the "Last updated" date at the top of this page at least thirty (30) days before the change takes effect, unless a shorter period is required by law. Continued use of the service after the effective date constitutes acceptance.

13. Contact

Privacy questions, data-subject requests, or concerns: privacy@getpresume.com.
Legal: legal@getpresume.com.
General: hi@getpresume.com.

Operated by Amaar Chughtai, sole proprietor, California, United States.