Privacy Policy

1. Information We Collect

1.1 Account Information

When you create a 38Hub account, we collect information provided through Google OAuth authentication, including your name, email address, and profile picture. We do not receive or store your Google password. Your account is identified by a unique user ID generated by our authentication provider, Supabase Auth. You may optionally provide additional profile information such as a display name, bio, or preferred language setting.

1.2 Usage Data

We automatically collect information about how you interact with the Service. This includes, but is not limited to, pages visited, features used, timestamps of actions, session duration, browser type and version, device information, operating system, IP address, referring URLs, and interaction patterns. We reserve the right to collect any additional usage data that we determine is necessary or useful for operating, maintaining, securing, or improving the Service.

1.3 Content Data

The Service stores content that you create, upload, or generate, including ideas, notes, articles, social media posts, scripts, images, and other creative works. This content is stored in our database to provide the Service to you. We also store metadata associated with your content, such as tags, categories, scores, formats, and creation dates. Any files you upload, including PDFs and images, are stored in our cloud infrastructure and associated with your account.

1.4 AI Processing Data

38Hub uses third-party AI providers, including but not limited to Anthropic (Claude), OpenAI (GPT-4o), and Google (Gemini), to power AI features within the Service. When you use AI-powered features, your content and related data are transmitted to these providers via their APIs as necessary to deliver the requested functionality. We share whatever data is reasonably necessary with AI providers to operate and improve AI-powered features of the Service.

1.5 Technical & Diagnostic Data

We may collect error logs, crash reports, performance metrics, and other technical data necessary for diagnosing issues, maintaining service quality, and ensuring the stability and security of the Service. This data may be collected automatically and may include information about your device, network, and usage context at the time of an error or performance event.

2. How We Use Your Information

2.1 Providing the Service

We use your information to operate, maintain, and provide the features and functionality of the Service. This includes authenticating your identity, storing and retrieving your content, executing AI operations, and syncing data across your devices.

2.2 Improvement, Analytics & Marketing

We use aggregated and anonymized data for any legitimate business purpose, including but not limited to: analyzing usage patterns, improving existing features and developing new ones, conducting internal research, generating benchmarks and reports, creating marketing materials, publishing industry insights, and informing product strategy. Aggregated and anonymized data that cannot reasonably be used to identify you may be used by us without restriction.

2.3 Communication

We may use your email address to send you essential service communications, including account verification, security alerts, billing notifications, and important product updates. We may also send you optional notifications about new features, tips, and product news, which you can opt out of at any time through your account settings. We will never sell your email address to unaffiliated third parties for their own marketing purposes.

2.4 Safety & Compliance

We may use your information as we believe necessary to: enforce our Terms of Service and Acceptable Use Policy; detect, prevent, or address fraud, security, or technical issues; comply with applicable laws, regulations, legal processes, or governmental requests; and protect the rights, property, or safety of 38Hub, our users, or the public.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we process your information under the following legal bases:

• Contract Performance (Art. 6(1)(b) GDPR) — Processing necessary to perform our contract with you, including providing the Service, managing your account, processing payments, and delivering AI-powered features you request.
• Legitimate Interest (Art. 6(1)(f) GDPR) — Processing necessary for our legitimate interests, including improving and optimizing the Service, conducting analytics on aggregated data, ensuring security and preventing fraud, enforcing our terms, and marketing our services. We balance these interests against your rights and freedoms and do not process data where your interests override ours.
• Legal Obligation (Art. 6(1)(c) GDPR) — Processing necessary to comply with legal obligations, such as tax reporting, responding to lawful government requests, and maintaining records required by law.
• Consent (Art. 6(1)(a) GDPR) — Where we rely on your consent (e.g., for optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

4. Data Storage & Security

All user data is stored on Supabase, a secure, enterprise-grade cloud infrastructure built on top of PostgreSQL. Our database is hosted in secure, SOC 2-compliant data centers with automated backups, encryption at rest using AES-256, and encryption in transit using TLS 1.3. We implement Row Level Security (RLS) policies on all database tables, ensuring that queries are filtered at the database level so users can only access their own data.

Access to production databases is restricted to essential personnel only, and all access is logged and audited. We perform regular security reviews and follow industry best practices for web application security, including CSRF protection, input sanitization, and secure session management through Supabase Auth.

File uploads are stored in Supabase Storage with access controlled by signed URLs and storage policies that ensure only the file owner can access their uploads. While we implement commercially reasonable security measures, no method of electronic storage or transmission over the Internet is 100% secure, and we cannot guarantee absolute security of your data.

5. AI Provider Data Handling

When you use AI features such as idea scoring, content generation, or text extraction, your content is transmitted to third-party AI providers (including Anthropic, OpenAI, and Google) via their respective APIs. 38Hub acts as an intermediary, formatting your requests and parsing responses. We share whatever data is necessary with these providers to deliver the AI-powered features of the Service, which may include your content, prompts, metadata, and contextual information.

Your content sent to AI providers is subject to each provider's own data handling policies and terms of service. We encourage you to review each provider's privacy policy and API terms for the most current information on how they handle data. We are not responsible for the data practices of third-party AI providers.

AI-generated outputs (drafts, scores, suggestions) are saved as part of your content within your account, subject to the same security protections described in Section 4. You retain ownership and control over AI-generated content produced through the Service, subject to the license granted in our Terms of Service.

6. Third-Party Services

38Hub integrates with the following categories of third-party services to provide its functionality. Each service has its own privacy policy governing how it handles data:

• Supabase — Provides our database infrastructure, authentication (including Google OAuth), file storage, and real-time features. Supabase is SOC 2 Type II compliant.
• AI Providers (Anthropic, OpenAI, Google) — Provide artificial intelligence capabilities for content generation, idea scoring, text analysis, and other AI-powered features. Data is shared with these providers as necessary to deliver the Service.
• Google — Used for OAuth authentication. We receive your basic profile information (name, email, profile picture) when you sign in with Google.
• Stripe — Processes payments and manages subscriptions. Payment card details are handled directly by Stripe and are never stored on our servers.
• Hosting & Infrastructure Providers — We use cloud hosting and CDN providers to deliver the Service. These providers may process data on our behalf in accordance with our instructions.

We may add, remove, or change third-party service providers at any time without notice. We select providers that maintain appropriate security and privacy standards but are not responsible for their data practices.

7. International Data Transfers

38Hub operates globally, and your data may be transferred to, stored in, and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country. By using the Service, you consent to the transfer of your information to countries outside your country of residence, including to Australia and the United States, where our infrastructure providers and AI providers may be located.

For users in the EEA and UK: where we transfer personal data outside the EEA/UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms as required under applicable data protection law. You may request a copy of the safeguards we use by contacting us via the contact form.

8. Your Rights (Including GDPR Rights)

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data. To exercise any of these rights, please submit a request through our contact form or through your account settings where applicable. We will respond to requests within the timeframes required by applicable law (generally 30 days).

• Right of Access (Art. 15 GDPR) — You may request a copy of all personal data we hold about you, including your account information, content data, and usage records. We will provide this information in a commonly used electronic format.
• Right to Rectification (Art. 16 GDPR) — You may update or correct your personal information at any time through your account settings. If you discover inaccuracies that cannot be corrected through the Service, you may request that we correct them.
• Right to Erasure (Art. 17 GDPR) — You may request the deletion of your account and associated personal data. Upon receiving a valid deletion request, we will delete your identifiable personal data within 30 days, subject to the data retention provisions in Section 9. Please note that we may retain anonymized and aggregated data that cannot reasonably be used to identify you, as described in Section 9.
• Right to Data Portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON, CSV), and to transmit that data to another service provider.
• Right to Restriction of Processing (Art. 18 GDPR) — You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful.
• Right to Object (Art. 21 GDPR) — You may object to the processing of your personal data where we rely on legitimate interest as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to Withdraw Consent — Where we process data based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement if you believe our processing of your personal data violates applicable data protection law.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information. This section supplements the rest of this Privacy Policy and applies solely to California residents.

9.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers — Name, email address, unique user ID, IP address, account name.
• Internet or Network Activity — Browsing history within the Service, interactions with features, session data, device and browser information.
• Commercial Information — Subscription plan, billing history, transaction records processed through Stripe.
• Professional or Employment Information — Only if voluntarily provided in your profile or Content DNA settings.
• Inferences — AI-generated content scores, category classifications, and content recommendations derived from your usage.

9.2 Sale and Sharing of Personal Information

We do not sell your personal information. We do not and will not sell personal information of California residents to third parties for monetary or other valuable consideration. We also do not "share" personal information as defined under the CPRA for cross-context behavioral advertising purposes.

9.3 Your California Privacy Rights

As a California resident, you have the following rights under the CCPA/CPRA:

• Right to Know — You may request that we disclose what personal information we have collected, the categories of sources, the business purposes for collection, the categories of third parties with whom we share it, and the specific pieces of personal information we hold about you.
• Right to Delete — You may request that we delete your personal information, subject to certain exceptions (e.g., legal compliance, completing transactions, fraud detection). You can delete your account directly through Settings > Usage & Data in the app.
• Right to Correct — You may request correction of inaccurate personal information. You can update most information directly through your account settings.
• Right to Opt-Out of Sale/Sharing — While we do not sell or share your personal information, you may still exercise this right by contacting us. We will honor all opt-out requests.
• Right to Limit Use of Sensitive Personal Information — We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you access to the Service, charge different prices, provide a different quality of service, or retaliate in any way.

9.4 How to Exercise Your Rights

To exercise any of the rights described above, you may submit a verifiable consumer request through our contact form. We will verify your identity by confirming ownership of the email address associated with your account. You may also designate an authorized agent to make a request on your behalf, provided the agent has your written permission and can verify their own identity. We will respond to verifiable requests within 45 days, with the option to extend by an additional 45 days if reasonably necessary, with notice.

9.5 Retention and Disclosure

We retain personal information for the periods described in Section 10 (Data Retention). In the preceding 12 months, we have disclosed personal information to the following categories of service providers for business purposes: cloud infrastructure providers (Supabase), payment processors (Stripe), AI service providers (Anthropic, OpenAI, Google), and hosting providers (Vercel). We do not disclose personal information to third parties for their own commercial purposes.

10. Data Retention

We retain your personal data for as long as your account remains active and as reasonably needed to provide the Service. We may also retain data for as long as necessary to fulfil legitimate business purposes, including compliance with legal obligations, enforcement of our agreements, resolution of disputes, fraud prevention, and audit requirements.

The following retention periods apply:

• Active account data — Retained for the lifetime of your account.
• Post-deletion personal data — Identifiable personal data is deleted within 30 days of account deletion. During this period, data is marked for deletion and inaccessible through the Service.
• Backup retention — Data may persist in encrypted backups for up to 90 days following deletion, after which it is purged.
• Anonymized and aggregated data — We retain anonymized, aggregated data indefinitely. This data cannot reasonably be used to identify you and may be used for analytics, product improvement, benchmarking, marketing, and any other legitimate business purpose without restriction.
• Legal and compliance records — Billing records, audit logs, and other data required by law may be retained for up to 7 years after account deletion or as required by applicable law.
• Fraud and abuse data — Data related to account violations, fraud, or abuse may be retained as long as necessary to protect the Service and its users.

11. Cookies

38Hub uses essential cookies that are strictly necessary for the operation of the Service. We use authentication cookies set by Supabase Auth to manage your login session securely. These cookies contain a session token and are encrypted, HTTP-only, and have a limited lifetime. We also use localStorage to store your theme preference and other non-sensitive UI settings.

We may introduce additional cookies as the Service evolves, including analytics cookies to help us understand usage patterns. For detailed and up-to-date information about the cookies we use, please see our Cookie Policy.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under this age. If we become aware that we have collected personal data from a child below the applicable minimum age, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us through our contact form so that we can take appropriate action.

13. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time, at our sole discretion, for any reason. When we make changes, we will update the "Last Updated" date at the top of this page. For material changes, we may also provide notice through the Service interface or via email to the address associated with your account. However, it is your responsibility to review this Policy periodically.

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree to the modified Policy, you must stop using the Service and may request deletion of your account.