Privacy Policy

What we collect

GPCGuard collects account information (company name, email address) to provide and operate the service. For the GPC signal-handling workflow, we collect GPC decision telemetry — hashed request identifiers, signal type, decision outcome, edge PoP, and policy version — to generate decision records. We do not log plaintext PII or session tokens in decision telemetry.

How we use it

Account data is used to authenticate users and associate decision records with the correct workspace. Decision telemetry is used solely to provide site-scoped evidence, analytics, support, and security features needed to operate the service. We do not sell your data or your end users' data.

For the GPC signal-handling workflow, GPCGuard acts on behalf of the site operator as described in the applicable DPA or signed agreement, including where that agreement characterizes GPCGuard as a processor or service provider.

Infrastructure

GPCGuard is built on Supabase infrastructure. Data is stored and processed in accordance with Supabase's data processing agreements. Auth and business data are tenant-isolated at the database policy layer via Row Level Security (RLS).

Data retention

Compliance audit records are retained for a minimum of 24 months. Customer-facing decision record availability follows your plan or signed agreement, and custom retention terms may be set in a separate agreement. Account data is retained for the duration of your account and deleted subject to legal and operational retention requirements.

Contact

Privacy inquiries: support@gpcguard.app

This policy is subject to change. Material changes will be communicated to account holders.