Privacy Policy

This Privacy Policy explains how Garage Collective ("Company", "we", "us") collects, uses, and protects your personal information when you use CopyLoop at copyloop.garageaistack.com ("Service").

1. Information We Collect

Account Information

Name, email address, hashed password (or Google OAuth data if you sign in via Google).

Brand Data

Brand name, website URL, industry, target audience, tone of voice, DO/DON'T rules, competitors, positioning statements, and uploaded documents. This data is used to personalize AI-generated content.

Generated Content

AI-generated copy, chat conversation history, saved content in your Library, and scheduled posts.

Usage Data

Generation counts, feature usage patterns, timestamps, tool selections, and session data for analytics and quota tracking.

Website Scraping

When you provide a website URL during brand onboarding, we scrape publicly accessible pages to extract brand context. We do NOT access login-protected content, private pages, or internal systems.

Payment Information

Payments are processed by Stripe. We do NOT store your full card number, CVV, or bank details. Stripe provides us with a truncated card number and billing email for record-keeping.

2. How We Use Your Data

• Provide and improve the Service (AI content generation)
• Personalize content using your brand context
• Process payments and manage subscriptions
• Send transactional emails (verification, password reset, billing)
• Monitor usage for plan limits and abuse prevention
• Rate limiting and security enforcement

3. Third-Party Services

We share data with the following third-party services solely for providing the Service:

4. Data Retention

• Chat history: Retained for 90 days, then automatically purged
• Account data: Retained while your account is active
• After deletion: All data permanently deleted within 30 days of account deletion request
• Invoices: Retained for 7 years as required by tax laws

5. Your Rights (GDPR / DPDP Act)

Under the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act (DPDP) 2023, you have the right to:

• Access — Request a copy of your personal data
• Rectification — Correct inaccurate data
• Erasure — Request deletion of your data ("right to be forgotten")
• Portability — Export your data in a machine-readable format
• Objection — Object to processing of your data
• Withdraw consent — Withdraw consent at any time by deleting your account

To exercise these rights, email privacy@copyloop.garageaistack.com. We will respond within 30 days.

6. Cross-Border Data Transfers

Your data may be transferred to and processed in the United States by our AI providers (OpenAI, Anthropic) and payment processor (Stripe). By using CopyLoop, you consent to this transfer. We ensure adequate safeguards through Standard Contractual Clauses and the providers' own compliance certifications.

7. Cookies

We use only essential cookies for authentication (session management via Supabase Auth). We do NOT use tracking, advertising, or third-party analytics cookies. See our Cookie Policy for details.

8. Security

• All data transmitted via TLS/HTTPS encryption
• Passwords hashed with bcrypt (via Supabase Auth)
• Row Level Security (RLS) enforced on all database tables
• Rate limiting on all API endpoints
• Content Security Policy (CSP) headers on all pages

9. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you via email and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR and the DPDP Act.

10. Grievance Officer

In accordance with the Information Technology Act, 2000 and DPDP Act, 2023, the Grievance Officer for CopyLoop is:

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email at least 30 days in advance.

12. Contact

For privacy-related inquiries, contact privacy@copyloop.garageaistack.com