Privacy Policy

2.1 Account and authentication data (Supabase Auth)

• Email address
• Authentication data (handled by our auth provider, Supabase)
• Session information (used to keep you logged in)
• Client-side storage: Supabase sessions may be stored in your browser localStorage (e.g., under a key such as vibespar-auth), depending on implementation.

We do not receive or store your password in plain text.

2.2 Marketing preferences and consent (if you opt in)

• your marketing consent status (yes/no),
• timestamp of consent, and
• source of consent (e.g., signup checkbox).

You can withdraw consent at any time (see Section 9).

2.3 Founder profile / onboarding data (optional)

If you provide founder context, we may collect and store:

• Stage
• Idea/company description
• Company name
• Target customers
• Business model
• Geography
• Funding status
• Additional context fields
• Onboarding status/step

How we use it: this information may be inserted into prompts sent to our AI provider to personalize responses.

2.4 Chat content and conversation metadata

When you use the chat, we process and store:

• Messages you send and assistant responses
• Thread identifiers and timestamps
• Citations metadata (e.g., title, URL, timestamps, and 1–2 line snippet)
• Rewrite metadata used for retrieval (e.g., retrieval query, intent, facets, clarifying question, follow-up markers)

2.5 Anonymous usage data and tokens

You may use the Service without an account.

• Anonymous thread token: For anonymous threads, we generate a token. We store only a hash of that token server-side; the raw token may be shown once and stored on your device.
• Local storage: Anonymous thread tokens and metadata may be stored in your browser localStorage (obfuscated but not encrypted).

If you clear browser storage or lose the token, you may lose access to previous anonymous chats.

2.6 IP hashing and rate limiting

To protect the Service and manage abuse/costs, we enforce rate limits. For these limits we may:

• derive an IP address from your request at runtime, and
• store or compute a hashed IP (e.g., SHA-256) for counting usage.

We do not intentionally store raw IP addresses as part of our rate-limit tables; however, infrastructure providers (e.g., hosting/CDN/logging) may process IP addresses as part of standard web operations.

2.7 Feedback and resource recommendations

If you submit feedback or suggest resources, we may collect:

• Feedback message and optional rating
• Feedback type/category
• Optional references (thread ID/message ID)
• Metadata such as timestamp, hashed IP (for rate limits), and user agent (browser/device string)
• For resource requests: URL, title, resource type, notes, and review status

2.8 Microphone / voice input (client-side feature)

If voice input is enabled, the Service may use your browser’s speech recognition capabilities (e.g., SpeechRecognition / webkitSpeechRecognition) to convert speech to text.

• We request microphone access only when you use voice input.
• The interim/final transcript appears in your UI and is treated as chat input if you submit it.

2.9 Audit and security logs

We may generate operational logs (e.g., request failures, rate-limit events, thread creation, message sends). These may include:

• timestamps
• event type
• optional user IDs
• hashed IP
• user agent
• system diagnostics

These logs may be stored by our hosting/logging providers (e.g., platform logs).

4.1 Service communications (no marketing consent required)

We may email you when it is necessary to provide or maintain the Service, including:

• account verification and login/security alerts
• password resets and account recovery
• important service announcements (e.g., downtime, critical changes)
• operational messages related to your use of the Service (e.g., thread/account issues, credit status, abuse prevention notices)

You cannot opt out of essential service communications while keeping an active account, but you may close your account or request deletion (see Section 9).

4.2 Marketing communications (opt-in only)

If you opt in (for example, via a signup checkbox), we may send:

• product updates and new feature announcements
• tips, educational content, and onboarding guidance
• invitations to try new experiences or provide feedback

You can unsubscribe at any time using the link in marketing emails or by contacting deniz@joinmyla.com. Unsubscribing from marketing does not affect service emails.

6.1 AI provider (OpenAI)

We send certain inputs to an AI provider to:

• generate chat responses,
• rewrite queries for retrieval,
• generate embeddings for retrieval and similarity checks.

The data sent may include:

• your message(s),
• relevant retrieved context,
• founder profile context (if provided),
• system instructions required to produce outputs.

6.2 Supabase

Supabase provides authentication and database hosting/storage.

6.3 Embedded content providers (e.g., YouTube)

When you view embedded content (e.g., YouTube iframe), your browser connects directly to those services. Those services may collect data under their own privacy policies.

6.4 Hosting, logging, and infrastructure

We may use hosting and logging providers that process standard web request data to operate the Service.