Privacy Policy
What we collect, why, where it lives, and how to delete it. Including the third-party data your workspace processes — that's where this gets interesting.
Short version: We collect what's necessary to run the service. We do not sell data. We do not train models on your inputs. We do not share data across workspaces. The important nuance: when your workspace records prospects, customer engagements, or generates copy referencing third parties, we process their personal data for you — see §8.
1. Who this covers
- Workspace owners (you) and anyone you add as a workspace member.
- Third parties whose data flows into your workspace through your use — prospects, customers, contacts, people referenced in drafts. We process this data for you; you are the data controller. See §8.
2. What we collect
From you (the workspace owner)
- Account: email, workspace ID, API key (stored as a SHA-256 hash, never the raw key).
- Billing: Stripe customer ID and plan tier (when wired). We do not store card numbers; Stripe does.
- Connector credentials: OAuth refresh tokens and provider API keys, encrypted at rest in chieflab_connector_secrets.encrypted_token.
From your workspace activity
- Runs — every launch your agent triggers, including the repo context you pass in.
- Drafts — marketing copy ChiefLab generates.
- Brain — brand voice samples, repo facts, ICPs, proof points, competitor watch, approved drafts (the "compounding state" the product is built around).
- Actions — publish / send / approve / reject events with timestamps.
- Audit log — who accessed what within your workspace.
- Run viewer access — anyone holding a signed reviewUrl can see that run's content (HMAC, 7-day TTL, revocable from /app).
From your use
- IP address, user agent, request timestamps for rate limiting and abuse detection.
- Error logs for debugging.
3. Purposes
- Operate the service you signed up for.
- Bill you (when applicable).
- Detect and prevent abuse.
- Improve the service using aggregated, non-identifying signals only.
- Comply with law and respond to legally valid requests (and challenge improper ones).
4. Lawful basis (GDPR Article 6)
- Contract — most processing necessary to deliver the service.
- Legitimate interest — abuse detection, security, anonymized service improvement, fraud prevention.
- Consent — only where we explicitly ask (e.g., product-update emails to you).
- Legal obligation — tax records, accounting, response to lawful requests.
5. Who we share with
Subprocessors are listed at /legal/subprocessors; each is bound by data protection terms substantively equivalent to this policy and the DPA.
We do not sell personal data. Ever. We share only when (a) you direct us to via a connector approval, (b) a subprocessor needs to operate the service, or (c) law compels us — and we will challenge improper compulsion.
6. Where data lives
- Primary database: Supabase, US region by default. EU region available on Enterprise.
- API runtime: Vercel, US East primary + global edge.
- Object storage (generated images): Cloudflare R2, global.
- Logs: Vercel-native (30-day retention) + Supabase audit trail (90-day retention).
For transfers from EEA / UK / Switzerland to outside, Standard Contractual Clauses (EU Commission Decision 2021/914) apply, with technical safeguards (TLS in transit, encryption at rest, BYOK option) backstopping per Schrems II.
7. Retention
- Active workspace data — kept while your workspace exists.
- Runs, drafts, brain — indefinitely while active; deleted within 30 days of a workspace deletion request.
- Soft-delete grace window — 30 days after chieflab_delete_workspace, during which you can restore via hi@chieflab.io.
- Backups — Supabase point-in-time recovery retains up to 7 days of historical state past a hard delete. We honestly disclose this gap rather than pretend it does not exist; we will not restore from backups except for disaster recovery affecting your workspace.
- Audit log — 90 days minimum, longer on Enterprise.
- Billing records — 7 years (tax / accounting legal obligation).
8. Third-party data in your workspace
This is the part most AI-marketing privacy policies handwave. We don't:
When you use ChiefLab to record a prospect (chieflab_record_prospect), log a customer engagement (chieflab_record_engagement), or draft outreach referencing a person who has not signed up for ChiefLab, that person's personal data lives in your workspace and is processed by us, for you.
In GDPR terms: you are the controller. We are the processor. The Data Processing Agreement is the contract that governs that relationship. Sign it with your enterprise buyers; it's the document their privacy counsel will ask for.
Those third parties retain their data rights (access, deletion, objection, restriction). The compliance primitives ChiefLab ships to help you fulfill those requests (all live in apps/mcp/src/tools.js and callable from any MCP client):
- chieflab_delete_workspace({ confirm: "DELETE-MY-WORKSPACE" }) — Shipped. Hard-purges all workspace data across 38+ tables, revokes the API key, returns a deletion receipt. Irreversible.
- chieflab_export_subject({ handle }) — Shipped. Returns all data we hold about a specific person: a primary exact-match scan against prospects and engagement events, and a secondary text-contains scan across draft bodies (flagged for manual review).
- chieflab_purge_subject({ handle, confirm: "PURGE-SUBJECT" }) — Shipped. Two-phase: the first call returns a preview of the rows that would be deleted; the second call with the confirm token surgically deletes across prospect rows and engagement events. Text mentions in draft bodies require manual review (called out explicitly in the response).
- chieflab_audit_log_read() — Shipped. Workspace-scoped access-log read with since/until/limit, default 30-day window. Includes meta-audit (the read itself logs an event).
- chieflab_export_workspace() — Shipped. Full DSAR-grade JSON dump across every workspace-scoped table. Connector tokens and key hashes are redacted (secrets stay secret even to the owner). 10,000 rows/table cap; the response flags any table at the cap so you can escalate to manual export for the remainder.
Fallback for tables that hit the export cap (10,000 rows / table per call) or for bespoke DSAR requests: email privacy@chieflab.io with the workspace ID and subject handle. We respond within 5 business days.
You are responsible for ensuring your use of ChiefLab to process third-party data complies with the law that governs that data: GDPR (lawful basis under Art. 6, notice under Art. 13–14), PDPA (Singapore), CCPA (California, including disclosure rights), CAN-SPAM (US email), CASL (Canada), and the ToS of any platform from which you've sourced contact data. Harvested-list outbound and impersonation are forbidden under our AUP regardless of jurisdiction.
9. Your rights (GDPR / PDPA / CCPA where applicable)
- Access — chieflab_export_workspace() returns a full structured JSON dump. Manual escalation (for tables that hit the export cap) via privacy@chieflab.io within 30 days.
- Correction — edit via /app or email hi@chieflab.io.
- Deletion — chieflab_delete_workspace({ confirm: "DELETE-MY-WORKSPACE" }) hard-purges across 38+ tables on confirmation. Surgical deletion of a specific third-party subject: chieflab_purge_subject({ handle, confirm: "PURGE-SUBJECT" }).
- Portability — same as Access; the export is structured JSON, importable elsewhere.
- Object / restrict / withdraw consent — email privacy@chieflab.io.
- Complain — Singapore PDPC (pdpc.gov.sg) or your local supervisory authority for EU residents.
- California residents (CCPA/CPRA) — right to know, delete, correct, opt out of sale (we don't sell), and limit use of sensitive personal information. Same mechanisms above.
10. Security
Documented in detail at /trust and /security. Highlights:
- Encryption in transit (TLS 1.2+, HSTS).
- Encryption at rest (Supabase managed; connector secrets per-row encrypted).
- HMAC-signed reviewUrls with 7-day TTL, revocable.
- Approval gates required for every external action.
- Tenant isolation enforced via Supabase Row Level Security.
- Reproducible audit scripts (HMAC verifier, approval-gate bypass test) public in the repo.
11. Children
ChiefLab is not intended for users under 16. If we learn an account belongs to someone under 16, we will delete it. If you believe a child has been recorded as a third-party subject in a workspace, contact privacy@chieflab.io and we will purge.
12. Changes
We will give 30 days' notice of material changes via email to workspace owners and a banner in /app. Non-material changes (typos, links) may take effect on posting; this page tracks the last-updated date.
13. Contact
- Privacy / data subject requests: privacy@chieflab.io
- Security: security@chieflab.io
- General: hi@chieflab.io