
Privacy Policy

Last updated: May 17, 2026

Legal version 2026-05-17. Signed-in users are prompted to re-accept when this version changes.

See also our Trust page for our overall security posture, our Sub-processors page for the up-to-date list of services that process your data, and our vulnerability disclosure policy.

1. Introduction

sprintrr ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our project management platform and services (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this policy, please do not access the Service.

2. Information We Collect

2.1 Personal Information

We may collect the following personal information:

  • Name and email address (when you create an account)
  • Payment information (processed securely through Polar.sh — card data never touches our systems)
  • Profile information you choose to provide (display name, avatar)
  • Communication preferences
  • If you enable Bring-Your-Own-Key (BYOK): the AI provider API key you supply, stored encrypted at rest with AES-256-GCM
  • If you enable two-factor authentication: the TOTP factor enrolled with your authenticator app and one-time backup codes (hashed)

2.2 Project Data

When you use our Service, we store:

  • Projects, tasks, and milestones you create
  • Time tracking data
  • Templates and exports you generate
  • AI-generated content based on your prompts

2.3 Usage Information

We automatically collect certain information about your device and usage:

  • Browser type and version
  • Operating system
  • IP address (anonymized)
  • Pages visited and features used
  • Time spent on pages
  • Referring website addresses

2.4 Cookies and Tracking

We use essential cookies to maintain your session and preferences. These are strictly necessary for the Service to function properly. We do not use advertising or third-party tracking cookies.

3. How We Use Your Information

We use the collected information for:

  • Providing and maintaining our Service
  • Processing your transactions and managing subscriptions
  • Sending important updates about your account or the Service
  • Responding to your comments, questions, and support requests
  • Improving our Service and developing new features
  • Detecting and preventing technical issues or abuse
  • Complying with legal obligations

4. Data Storage and Security

4.1 Where We Store Data

Your data is stored securely using Supabase infrastructure, which employs industry-standard security measures. Data is encrypted both in transit (using TLS) and at rest.

4.2 Data Retention

We retain your personal information and project data for as long as your account is active. You can request deletion of your account and associated data at any time. Some information may be retained for legal or legitimate business purposes.

4.3 Security Measures

  • Row-Level Security (RLS) on every table containing customer data, ensuring strict isolation between accounts
  • Authentication through Supabase Auth with account lockout after 5 failed attempts in 15 minutes
  • Optional two-factor authentication (TOTP) for all users; required for administrative accounts
  • Passwords checked against the HaveIBeenPwned breach corpus at sign-up and password change (via k-anonymity — only the first 5 characters of your password's SHA-1 hash are sent to HaveIBeenPwned, never the password or its full hash)
  • Comprehensive audit logging of every mutation of customer data, immutable for application roles
  • Encrypted connections (TLS 1.2+ with HSTS preload) for all data transfers
  • AES-256 encryption at rest (vendor-managed) for all data; AES-256-GCM application-layer encryption for customer-supplied AI provider keys (BYOK)
  • Secure payment processing through Polar.sh (PCI compliant)
  • CI-integrated dependency vulnerability scanning, static analysis (CodeQL), and a published vulnerability disclosure program

For more on our security program, see our Trust page.

5. Third-Party Services (Sub-processors)

We use a small set of carefully chosen sub-processors to deliver the Service. The full, up-to-date list with the type of data each one receives and their data location is published at sprintrr.ai/subprocessors. We notify customers at least 30 days before adding a new sub-processor that processes customer data, where feasible.

5.1 Core sub-processors

  • Supabase: Database, authentication, file storage
  • Vercel: Application hosting and edge network
  • Anthropic: Claude AI inference for default AI features
  • Polar.sh: Subscription billing (PCI handled by Polar/Stripe; we never store card data)
  • Resend: Transactional email (verification, password reset, notifications)
  • Cloudflare Turnstile: Bot protection on authentication flows
  • Upstash: Rate-limiting state store
  • GitHub: Source code hosting (no customer data)
  • Google OAuth: If you choose “Continue with Google”, your Google account email + name + profile picture are shared

5.2 Optional / opt-in sub-processors

  • OpenAI & Google Gemini (BYOK only): If you configure your own OpenAI or Gemini API key, your prompts are sent to that provider under your own account — not under ours.
  • Sentry & Axiom (when enabled): Error and log aggregation. Cookies, authorisation headers, and known PII are scrubbed before send.

5.3 HaveIBeenPwned password breach check

When you set or change your password, we check it against the public HaveIBeenPwned breach corpus using k-anonymity. We send only the first 5 characters of your password's SHA-1 hash to HaveIBeenPwned’s API; your actual password (or its full hash) never leaves our servers. We do this to prevent you from using a password that has appeared in a known data breach.
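As an added illustration of the k-anonymity exchange described above (example code, not sprintrr's own implementation), the Python below shows the client side: only the 5-character SHA-1 prefix leaves the server, the returned list of suffixes is matched locally, and a password found in the corpus is rejected. The HIBP response is a constructed stand-in so the block runs offline; the breach count and the unrelated suffix lines are made up, and the range endpoint URL is noted only for reference.

```python
import hashlib
from typing import Callable

# Real HIBP range endpoint (for reference only; the demo below never calls it).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix sent to HIBP, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse HIBP's 'SUFFIX:COUNT' lines (one per hash sharing the prefix) into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus (0 = not found).
    fetch_range receives ONLY the 5-char prefix; the suffix match happens on our side."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy from the page: reject any password that has appeared in a known breach."""
    return breach_count(password, fetch_range) == 0

# --- Constructed offline stand-in for the HIBP API (no network) ---
# 'password' hashes to 5BAA61E4...8FD8, so its suffix is listed under prefix 5BAA6.
# The count and the two other suffixes are made up to mimic a real range response.
CONSTRUCTED_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    + "0" * 34 + "A:2\n"
    + "F" * 35 + ":1\n"
)
PREFIXES_SENT: list[str] = []  # records what would have left the server

def fake_fetch_range(prefix: str) -> str:
    assert len(prefix) == 5, "only a 5-character hash prefix may be sent"
    PREFIXES_SENT.append(prefix)
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        verdict = "rejected" if not password_acceptable(pw, fake_fetch_range) else "ok"
        print(f"{pw!r}: {verdict}")
    print("prefixes sent:", PREFIXES_SENT)
```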

Each sub-processor is bound by a Data Processing Agreement (DPA) and applies security and privacy controls at least as strong as our own. They have access to your data only to perform the specific service we contract them for.

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share your information only in the following situations:

  • With your explicit consent
  • To comply with legal obligations or court orders
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets (with notice)

7. Your Rights and Choices

7.1 Access and Control

You have the right to:

  • Access your personal information — download a JSON archive of everything we hold (see §7.2)
  • Correct inaccurate or incomplete information — self-service via Settings
  • Request deletion of your account and data — self-service via Settings (see §7.3)
  • Export your project data in JSON, CSV, or template format
  • Opt-out of non-essential communications
  • Lodge a complaint with your local data protection authority

Most rights are self-service. For anything that isn’t, email support@sprintrr.ai — we respond within 30 days per GDPR Article 12.

7.2 Data Portability (download your data)

Settings → Data & Privacy → Download my data produces a JSON archive covering your profile, settings, billing metadata, projects, tasks, milestones, comments, folders, notifications, activity feed, team memberships, BYOK metadata (provider + hint — not the encrypted key bytes), MCP key metadata (not the hash), MFA backup-code metadata, audit log entries about your account, and login attempts on your email.

Sensitive material we store only in encrypted form (your BYOK key, MFA backup-code hashes, MCP key hashes) is intentionally omitted from the export — the plaintext is not recoverable from our side.

7.3 Account Deletion (30-day grace + permanent purge)

Settings → Data & Privacy → Delete my account begins the deletion process. We follow a 30-day grace period during which:

  • You are signed out of every device immediately.
  • Your account is hidden from the Service.
  • You may cancel the deletion by signing back in at any time within the 30 days — everything is restored exactly as it was.

After 30 days, a nightly automated job permanently and irreversibly deletes your account and all customer data we hold for you across every system we control. We retain only a minimal account-deletion record (user ID, email, timestamp, optional reason — no personal content) for 7 years for legal proof and fraud prevention. Backups age out per the Supabase backup retention window (typically 7–28 days).

External-system data: Polar (billing) retains a customer record per financial recordkeeping rules (typically 7 years); Resend (email) logs age out per its defaults. If you used BYOK with OpenAI / Google, your prompts and credentials at those providers are governed by your direct relationship with them.

We may be required to delay deletion in narrow circumstances (legal hold, regulatory investigation). If so, we will tell you.

8. GDPR Compliance (For EU + UK Users)

If you are a resident of the European Union, United Kingdom, or Switzerland, you have additional rights under the GDPR (and UK GDPR):

  • Right to be informed: This privacy policy serves this purpose
  • Right of access: Self-service via Settings → Data & Privacy → Download my data (§7.2)
  • Right to rectification: Self-service via Settings; for anything not self-service, contact us
  • Right to erasure: Self-service via Settings → Delete my account, with a 30-day grace period (§7.3)
  • Right to restrict processing: Contact us at support@sprintrr.ai
  • Right to data portability: The download in §7.2 is in machine-readable JSON
  • Right to object: Contact us at support@sprintrr.ai
  • Rights related to automated decision making: We do not engage in automated decision-making producing legal or similarly significant effects on you (GDPR Art. 22 does not apply)
  • Right to complain to a data protection authority: You retain this right regardless of contacting us first

Legal basis: processing is principally under (i) performance of the contract for the Service, (ii) your consent for opt-in features (BYOK, optional analytics), and (iii) our legitimate interests in operating and securing the Service (logging, fraud prevention).

Cross-border transfers: some of our sub-processors are located in the United States. Standard Contractual Clauses (SCCs) or equivalent safeguards are in place with each. See the Sub-processors page.

Response SLA: 30 days per GDPR Article 12 (extensible by 60 days for complex requests, with notice).

Data Protection Impact Assessment (DPIA): we have conducted a DPIA covering our AI generation and BYOK processing. A summary is available under NDA on request.

Customer DPA: business customers can request our standard Data Processing Agreement from support@sprintrr.ai.

9. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information is collected
  • The right to know if your personal information is sold or disclosed
  • The right to opt-out of the sale of personal information (we do not sell your data)
  • The right to request deletion of your personal information
  • The right to non-discrimination for exercising your privacy rights

10. Children's Privacy

Our Service is not intended for individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction. In particular, several of our sub-processors are located in the United States. For EU/UK/Swiss customers, these transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards in our agreements with each sub-processor. The current list of sub-processors and their regions is at sprintrr.ai/subprocessors.

11a. Security Incident Notification

If we become aware of a personal data breach affecting your data, we will notify you within 72 hours of confirmation (aligned with GDPR Articles 33–34). The notification will include the nature of the breach, the categories and approximate number of records affected, the measures we have taken or propose to take, and the contact for further information.

12. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy + security: support@sprintrr.ai

Support: support@sprintrr.ai

Website: https://sprintrr.ai

Vulnerability disclosure: see SECURITY.md

Response time: 30 days for GDPR/CCPA requests; 48 hours target for general inquiries

14. Data Protection Contact

At our current scale we have not appointed a formal Data Protection Officer (DPO) under GDPR Article 37, as we do not meet the mandatory-appointment thresholds. All privacy-related inquiries are handled by our Security lead at support@sprintrr.ai. We will appoint a DPO if and when GDPR thresholds (or customer contractual requirements) make it appropriate.

© 2026 sprintrr. All rights reserved.
