Privacy Policy
Last updated: [INSERT DATE BEFORE LAUNCH]
Prunefy (“we,” “us,” or “our”) operates the Prunefy website and application (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
By using Prunefy, you agree to the collection and use of information in accordance with this policy.
1. Information we collect
Information you provide directly
- Account information: Email address, name, and password when you create an account. If you sign up with Google OAuth, we receive your name, email, and profile picture from Google.
- Workspace information: Your business or team name, preferred currency, and timezone.
- Subscription data: Names, costs, billing cycles, renewal dates, categories, URLs, and notes for the SaaS subscriptions you add to Prunefy. This data is entered by you manually or via CSV import.
- Team member information: Email addresses of people you invite to your workspace.
- Payment information: When you upgrade to a paid plan, payment is processed by our third-party payment providers (LemonSqueezy or Paystack). We do not store your credit card number, bank account details, or other payment credentials. We receive only a customer ID, subscription status, and transaction confirmations from these providers.
- Support communications: Any messages you send us via email or live chat.
Information collected automatically
- Usage data: Pages visited, features used, buttons clicked, and time spent in the application. Collected via PostHog analytics.
- Device and browser information: Browser type, operating system, screen resolution, and device type.
- IP address and approximate location: Used to detect your country for regional pricing and to provide the Service. We do not track your precise geolocation.
- Cookies: See our Cookie Policy for details.
- Error data: When errors occur, our error tracking service (Sentry) collects technical information about the error, including the page URL, browser, and a stack trace. This does not include your subscription data.
Information we do NOT collect
- We do not connect to your bank accounts or financial institutions.
- We do not access your email to auto-detect subscriptions.
- We do not scan your credit card or bank statements.
- We do not collect or store payment card numbers.
2. How we use your information
We use your information to:
- Provide, maintain, and improve the Service
- Send you renewal reminder emails and weekly digest emails (you can opt out in settings)
- Process your subscription payments via our payment providers
- Detect your country for regional pricing adjustments
- Respond to your support requests
- Analyze usage patterns to improve the product (in aggregate, not individually)
- Send you important product updates (security issues, terms changes, service disruptions)
- Comply with legal obligations
We do not use your data to:
- Sell to third parties
- Display advertisements
- Build advertising profiles
- Train machine learning models
3. How we share your information
We do not sell, rent, or trade your personal information. We share your data only with the following third-party service providers who process it on our behalf:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | Account data, subscription data | Cloud infrastructure (configurable region) |
| Vercel | Application hosting | IP address, request logs | Global edge network |
| Resend | Transactional email delivery | Email address, email content | United States |
| LemonSqueezy | Payment processing (international) | Email, name, billing country | United States |
| Paystack | Payment processing (Nigeria) | Email, name, billing details | Nigeria |
| PostHog | Product analytics | Usage events, IP address (anonymized), device info | European Union |
| Sentry | Error tracking | Error data, browser info, page URL | United States |
| Crisp | Live chat support | Name, email, chat messages | European Union |
Each provider processes your data under their own privacy policy and in accordance with our data processing agreements. We select providers that maintain appropriate security measures.
We may also disclose your information if required by law, court order, or governmental authority.
4. Data retention
- Active accounts: We retain your data for as long as your account is active.
- Deleted accounts: When you delete your account, we soft-delete your data immediately (it becomes inaccessible) and permanently purge it from our systems within 30 days. Backups containing your data may persist for up to 90 days before being overwritten.
- Payment records: Transaction records may be retained for up to 7 years as required by tax and financial reporting regulations.
- Analytics data: Usage analytics are retained in aggregate form and cannot be linked back to individual users after 12 months.
5. Your rights
Depending on your location, you may have the following rights:
For all users
- Access: You can view all your data within the Prunefy dashboard at any time.
- Export:You can export all your data (subscriptions, categories, spending history) as CSV or JSON from Settings → Export.
- Deletion:You can delete your account and all associated data from Settings → Delete Account.
- Correction: You can edit any of your data directly in the application.
- Opt-out of emails:You can disable renewal reminders and weekly digests in Settings → Notifications. You cannot opt out of critical security or legal notifications.
Additional rights for EU/EEA users (GDPR)
- Legal basis: We process your data based on: (a) your consent (account creation), (b) contractual necessity (providing the Service), and (c) legitimate interest (improving the Service, preventing fraud).
- Data portability: You can export your data in a structured, machine-readable format (JSON).
- Right to object: You can object to processing based on legitimate interest by contacting us.
- Right to restrict processing: You can request that we restrict processing of your data in certain circumstances.
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority.
Additional rights for California users (CCPA)
- You have the right to know what personal information we collect and how we use it.
- You have the right to request deletion of your personal information.
- You have the right to opt out of the sale of personal information. We do not sell personal information.
- We will not discriminate against you for exercising your CCPA rights.
Additional rights for Nigerian users (NDPA)
- You have the right to access, rectify, and delete your personal data.
- You have the right to object to the processing of your personal data.
- You have the right to data portability.
- Complaints may be directed to the Nigeria Data Protection Commission (NDPC).
6. Data security
We implement appropriate technical and organizational measures to protect your data:
- All data is encrypted in transit (TLS 1.2+) and at rest.
- Authentication tokens are stored as httpOnly, secure cookies.
- Database access is protected by Row Level Security (RLS) policies ensuring users can only access their own data.
- Third-party service access is limited to the minimum data necessary.
- We conduct regular security reviews of our infrastructure.
No method of transmission or storage is 100% secure. If we become aware of a security breach that affects your data, we will notify you via email within 72 hours as required by applicable law.
7. International data transfers
Your data may be processed in countries other than your own, including the United States and the European Union. When we transfer data outside your jurisdiction, we ensure appropriate safeguards are in place, including standard contractual clauses where required.
8. Children's privacy
Prunefy is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 14 days before the changes take effect. Continued use of the Service after changes become effective constitutes acceptance of the updated policy.
10. Contact us
If you have questions about this Privacy Policy or want to exercise your rights, contact us at:
Email: privacy@[DOMAIN]
Address: [YOUR BUSINESS ADDRESS]
For GDPR-related inquiries, our data protection contact can be reached at privacy@[DOMAIN].
For NDPA-related inquiries, complaints may also be directed to the Nigeria Data Protection Commission (NDPC) at https://ndpc.gov.ng.