Privacy Policy

1. Introduction

PIE ("we", "our", "us") operates the PIE web application and the PIE browser extension for Google Chrome (collectively, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how we protect it, and your rights regarding your data.

By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

This policy applies to all users worldwide, including users in the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), and the state of California, United States.

2. Data We Collect

2.1 Information You Provide

• Account information: Email address and password (managed by Supabase Auth). Your password is hashed and never stored in plain text.
• Profile information: Full name (if provided).
• Business profile: Business name, description, website URL, target audience, pain points your business solves, positioning statement, brand voice, and keywords (up to 20 keywords, 50 characters each).
• Lead notes: Notes you write about leads in your pipeline.
• Contact form submissions: Name, email address, and message content submitted through our contact page.
• Early access requests: Information submitted when requesting early access to the platform.

2.2 Data Generated by the Service

• Discovery data: Publicly available social media posts identified as relevant to your business, including post URLs, titles, body text (truncated to 2,000 characters), author usernames, community/subreddit names, and the platform of origin.
• AI analysis results: Relevance scores (0–100), AI-generated reasoning for relevance, matched keywords, sentiment analysis, and auto-suggested lead stages.
• AI-generated draft responses: Draft replies and follow-up messages generated by artificial intelligence based on your business profile and the context of discovered posts.
• Lead pipeline data: Lead stage (contacted, replied back, interested, converted), timestamps, reply content you submitted on platforms, and response content received from post authors.
• Outreach event logs: An immutable log of events associated with each lead, including replies sent, responses received, stage changes, and notes added, along with the source of each event (extension, API polling, or manual).
• Company lead data: For B2B discovery, company name, website, description, industry, employee range, location, ICP score, and AI reasoning.
• Analytics snapshots: Daily aggregated metrics including discovery counts, reply counts, response counts, conversion counts, platform breakdowns, and keyword breakdowns.

2.3 Data Collected by the Browser Extension

• Active tab URL: The URL of your currently active browser tab is checked against known discoveries in your PIE dashboard. This check determines whether the page you are viewing matches a post previously identified by PIE.
• Reply content: When you submit a reply on a supported platform (Reddit, Hacker News, or Bluesky) on a page that matches a known discovery, the extension captures the text of your reply and sends it to PIE to create a lead entry.
• Authentication token: A token stored locally in your browser storage to authenticate API requests between the extension and the PIE server.

The browser extension does not collect browsing history, keystrokes, personal data from pages that do not match known discoveries, or any data from websites outside of supported platforms.

2.4 Data We Do Not Collect

• We do not use cookies for tracking or advertising purposes
• We do not use third-party analytics services (no Google Analytics, no tracking pixels)
• We do not collect payment card information directly (future payment processing will be handled by a third-party payment processor)
• We do not access private messages, non-public profiles, or restricted content on any platform

3. How We Use Your Data

We use the data we collect for the following purposes:

• Providing the Service: To scan social platforms for relevant posts, generate AI-powered draft responses and relevance scores, manage your lead pipeline, and power your analytics dashboard.
• Authentication: To verify your identity and manage access to your account and the browser extension.
• Service improvement: To improve the functionality, reliability, and quality of the Service based on aggregated usage patterns. We do not use your data to train third-party AI models.
• Communication: To respond to your inquiries submitted through the contact page and to send transactional emails related to your account (such as password reset emails).
• Security: To detect and prevent fraud, abuse, and unauthorized access to the Service.
• Legal compliance: To comply with applicable laws, regulations, and legal processes.

4. Legal Basis for Processing (EU/EEA/UK Users)

If you are located in the European Union, European Economic Area, or the United Kingdom, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

• Performance of a contract: Processing necessary to provide the Service to you as described in our Terms of Service, including account management, scanning, AI analysis, lead tracking, and analytics.
• Legitimate interests: Processing necessary for our legitimate business interests, including improving the Service, ensuring security, and preventing abuse, provided these interests are not overridden by your rights and freedoms.
• Consent: Where we rely on your consent for specific processing activities, you have the right to withdraw consent at any time.
• Legal obligation: Processing necessary to comply with applicable legal requirements.

5. AI Data Processing

PIE uses artificial intelligence services provided by OpenAI to deliver core features of the Service. The following data is sent to OpenAI's API for processing:

• For relevance analysis: Your business profile information (name, description, target audience, pain points, positioning, website summary, keywords) and the content of publicly available social media posts (community, title, body text limited to 2,000 characters).
• For draft response generation: The same business profile information and post content, used to generate contextually appropriate reply suggestions.
• For lead analysis: Response content from platform authors, used for sentiment classification and stage suggestions.
• For follow-up drafting: Lead stage, timeline context, and previous exchange history, used to generate follow-up reply suggestions.

We use OpenAI's API with data retention disabled, meaning OpenAI does not retain your data after processing and does not use your data to train its AI models. For more information, please refer to OpenAI's Privacy Policy.

We implement prompt injection mitigation measures to prevent malicious content in social media posts from affecting AI processing. User-provided data is isolated within structured prompts and sanitized before processing.

6. Third-Party Services

We use the following third-party services to operate the Service. Each processes data on our behalf and is subject to its own privacy policy:

• Supabase — Database hosting (PostgreSQL) and user authentication. Your account data, business profiles, discoveries, leads, and analytics are stored in Supabase with row-level security policies enabled.
• OpenAI — AI analysis of social media posts, draft response generation, sentiment analysis, and follow-up drafting. Data retention is disabled on our API account.
• Vercel — Application hosting and serverless function execution. Vercel processes web requests and runs scheduled tasks (cron jobs) on our behalf.
• Reddit API — When configured, used to fetch publicly available posts and detect replies to your comments. Requires Reddit OAuth credentials.
• Brave Search API — When configured, used as an alternative method to discover publicly indexed Reddit posts.

Additional platform APIs (GitHub, ProductHunt, StackExchange) may be used for B2B company discovery when configured. These services only access publicly available data.

7. Data Storage & Security

We take the security of your data seriously and implement the following measures:

• Database security: Your data is stored in a PostgreSQL database hosted by Supabase with row-level security (RLS) policies enabled, ensuring that users can only access their own data.
• Encryption in transit: All communication between your browser, the browser extension, and our servers is encrypted using HTTPS/TLS.
• Token security: Browser extension authentication tokens are hashed with SHA-256 before being stored in our database. The original token value is never stored on our servers.
• Password security: Passwords are hashed by Supabase Auth and never stored in plain text. We enforce a minimum password length of 8 characters.
• Security headers: We implement industry-standard security headers including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection.
• CSRF protection: All mutating API endpoints validate the Origin header to prevent cross-site request forgery attacks.
• Rate limiting: API endpoints are protected by rate limiting to prevent abuse and ensure service availability.
• Input validation: All user inputs are validated and sanitized before processing to prevent injection attacks.

While we implement reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee the absolute security of your data.

8. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We only share data in the following circumstances:

• Service providers: With the third-party services listed in Section 6, solely as necessary to operate and provide the Service.
• Legal requirements: When required to comply with applicable law, regulation, legal process, or enforceable governmental request.
• Protection of rights: When we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a legal request.
• Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal data.
• Aggregated data: We may share anonymized, aggregated data that cannot reasonably be used to identify you.

9. Data Retention

• Active accounts: We retain your personal data for as long as your account is active and as needed to provide the Service to you.
• Account deletion: When you request deletion of your account, we will delete your personal data within 30 days. This includes your account information, business profile, discoveries, leads, outreach events, extension tokens, and draft responses.
• Anonymized analytics: Aggregated, anonymized analytics data (which cannot be used to identify you) may be retained indefinitely to help us understand usage trends and improve the Service.
• Legal obligations: We may retain certain data for longer periods if required by applicable law, such as for tax, legal, or regulatory compliance.

10. Your Rights

10.1 All Users

Regardless of your location, you have the right to:

• Request deletion of your account and all associated personal data
• Revoke your browser extension token at any time from your Settings page
• Access and update your business profile information through the dashboard
• Contact us with questions or concerns about your data

10.2 EU/EEA/UK Users (GDPR)

If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following additional rights under the GDPR:

• Right of access: You have the right to request a copy of the personal data we hold about you.
• Right to rectification: You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure: You have the right to request deletion of your personal data, subject to certain legal exceptions.
• Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to object: You have the right to object to the processing of your personal data based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you have the right to withdraw consent at any time.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

10.3 California Users (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know: You have the right to know what personal information we collect, use, disclose, and sell.
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to opt-out: We do not sell your personal information. If this changes in the future, you will have the right to opt-out of such sales.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please contact us. We will respond to your request within 30 days (or within the timeframe required by applicable law).

11. International Data Transfers

PIE is operated from the United States. If you access the Service from outside the United States, your data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.

For users in the EU/EEA/UK, we ensure that international data transfers are conducted in compliance with the GDPR. Where personal data is transferred outside the EU/EEA/UK, we rely on appropriate safeguards, including the service providers' compliance with recognized data protection frameworks and standard contractual clauses where applicable.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you believe that we may have collected data from a minor, please contact us.

13. Cookies & Tracking Technologies

PIE does not use cookies for advertising, analytics, or tracking purposes. The Service uses only essential cookies and local storage required for authentication and the proper functioning of the application:

• Authentication cookies: Managed by Supabase Auth to maintain your login session. These are strictly necessary for the Service to function and cannot be disabled.
• Local storage (browser extension): The browser extension stores your authentication token in Chrome's local storage to authenticate API requests.

We do not use any third-party tracking technologies, advertising pixels, or analytics services that track your behavior across websites.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated Privacy Policy on this page with a revised effective date
• Where required by law, notify you of material changes via email or through the Service

Your continued use of the Service after any changes to this Privacy Policy constitutes acceptance of the updated policy. We encourage you to review this page periodically for the latest information on our privacy practices.

15. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us.

For EU/EEA/UK users, if you are not satisfied with our response to your inquiry, you have the right to lodge a complaint with your local data protection authority.