Supaframe (“Supaframe”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and your rights regarding that information when you visit supaframe.io, use app.supaframe.io, embed Supaframe components, or otherwise interact with our services (collectively, the “Service”).

If you are a Submitter (someone who submits data through an embedded Supaframe widget on another website), see Section 4 for how your data is handled.

1) Definitions — Who this policy applies to

Visitor: Someone browsing supaframe.io or using the public parts of the Service.

Customer / User: A registered account holder who creates workspaces, embeds widgets, manages data, integrates tools, and configures settings in Supaframe.

Submitter: An individual who submits information (like a form, booking, poll response, email signup, testimonial) via a Supaframe widget that has been embedded on any website or accessed via a public link. Submitters may not have an account with Supaframe themselves.

Controller vs Processor:

• When Supaframe collects account data, we are typically the controller of that data.

• When Supaframe processes data collected through widgets on behalf of a Customer/User, Supaframe acts as a processor for that widget data.

2) Information we collect

A) Account and workspace information (Customers/Users)

• Name, email, password hash, account preferences

• Workspace names, settings, role assignments (Owner, Admin, Editor, Viewer)

• Connected integrations (OAuth tokens/refresh tokens stored securely)

B) Customer Data (widget submissions)

Depending on widget usage, this may include:

• Contact details (name, email, phone)

• Form inputs, messages, poll answers, feedback, testimonials

• Booking details (time, session, service selected)

• Automated metadata (timestamps, component ID, workspace ID)

Note: Supaframe does not process this data for use beyond what the Customer/User configures — we provide tools for them to collect and manage it.

C) Payments information

If payment features are enabled:

• Payment metadata (amount, currency, session IDs, payment status)

• Supaframe does not store full card details or sensitive cardholder data; card processing is handled by Stripe.

D) Analytics & operational data

• Device, IP (anonymized or truncated as required by law)

• Browser and platform attributes

• Log files, usage patterns, errors

E) Cookies and similar tech

We use cookies and local storage for:

• Authentication

• Session persistence

• Performance monitoring

• Basic analytics

Users may block cookies, but some features may not function without them.

3) How we use your information

We use collected data to:

• Provide and improve the Service

• Authenticate and authorize users

• Manage workspaces, team access, and roles

• Deliver widget data to dashboards

• Support payment processing (via Stripe)

• Enable integrations (Airtable, Notion, Zapier) and webhooks

• Detect and prevent abuse, fraud, and to ensure security

• Communicate service notices and updates (e.g., changes in policy)

We do not sell personal data to third parties or share it for advertising purposes.

4) Submitters (people submitting through a widget)

If you submit information using a Supaframe widget on another site:

• Your submission is delivered to the Customer/User who controls that widget.

• Supaframe helps route and store the submission, but we are generally a processor on behalf of the Customer/User.

• Your rights (access, correction, deletion) should first be addressed with the site or person whose widget you interacted with.

• We may assist in enforcing your rights consistent with applicable law.

Widget owners are responsible for:

• providing accurate disclosures to Submitters

• obtaining any necessary consents

• complying with privacy laws relevant to their use case

5) Legal bases (GDPR and similar laws)

Where required (e.g., EU), we rely on:

• Contractual necessity – to provide services

• Consent – where user affirmatively opts in (e.g., widget submission)

• Legitimate interests – security, abuse prevention, analytics

• Legal obligations – compliance with laws

6) Integrations and webhooks

If you enable third-party connections:

• OAuth credentials and tokens are stored securely to maintain the connection

• Data is only sent to connected services at your direction

• You are responsible for ensuring downstream compliance when sending data to those services

Supported examples:

• Airtable

• Notion

• Zapier

• Webhook endpoints you configure

7) Payments and Stripe

Payments are optional and only processed when enabled by a user.

Stripe role:

• Stripe is the payment processor

• Supaframe may receive related metadata to confirm or update the context of a booking or submission

• Supaframe does not store full card numbers or sensitive payment data

• Stripe’s own terms and privacy apply to payment processing

Users enabling payments should also ensure their own legal compliance.

8) Data sharing

A) Service providers and subprocessors

We work with trusted partners to operate the Service:

List of Subprocessors

• Supabase – database storage, authentication, app backend

• Stripe – payment processing

• Google – login and optional calendar integration

• Airtable – third-party integration destination

• Notion – third-party integration destination

• Zapier – third-party integration destination

• Hosting and CDN – infrastructure providers

• Monitoring and analytics – performance and error logging services

These parties process data only as necessary to deliver the Service.

B) Team access

If you invite team members to a workspace:

• Access to data is based on roles you assign

• Viewers typically only see data, Editors may modify

C) Legal disclosures

We may disclose information to comply with law or enforce our policies.

9) Data retention

We retain personal data:

• as long as needed to provide the Service

• for legal compliance

• to enforce agreements

Widget submission data is retained as long as the workspace/user maintains it, unless deleted.

Account deletion results in removal of account-level data, subject to legal requirements.

Stripe payment metadata retention is governed by Stripe.

10) International data transfers

Supaframe may transfer data to servers outside your jurisdiction (e.g., U.S. based infrastructure). Where required, we implement safeguards like standard contractual clauses.

11) Security

We use technical and administrative safeguards to protect your data including encryption, secure credentials, and access controls.

No system is 100% secure, but we strive to mitigate risks.

12) Your rights

Depending on your location:

• Access your personal data

• Correct inaccurate information

• Delete or restrict use

• Withdraw consent if based on consent

Submitters should contact the widget owner first; users should contact Supaframe directly.

13) Children

We do not knowingly collect personal data from children under applicable ages; if discovered, we will remove it.

14) Changes to this policy

We may update this policy; changes will appear on this page with a new effective date. If required by law, we will notify affected users.

15) Contact

If you have questions, requests, or privacy concerns, please contact us:

Supaframe Team

Website: https://supaframe.io
Contact Page: https://supaframe.io/contact