Privacy Policy
Last updated: March 25, 2025
1. Introduction
Welcome to StartupRoastAI ("we," "us," or "our"). We operate the website at startuproastai.com and all associated services (collectively, the "Service").
This Privacy Policy explains what personal information we collect, how we use it, and the rights you have regarding your data. We are committed to being transparent about our data practices and to handling your information with care and respect, in compliance with applicable privacy laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable regulations.
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree with the terms of this Privacy Policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use our Service, we may collect:
- Account information: Your email address and, if applicable, your name when you sign up via Google OAuth or email/password authentication.
- URLs you submit: The website URLs you submit for analysis. These are processed to generate your roast reports and stored so you can access your history.
- Payment information: When you upgrade to Pro or purchase credits, we collect payment details through PayPal. We do not store full credit card numbers on our servers. All payment processing is handled by PayPal and governed by their privacy policy.
- Contact form submissions: If you contact us via our contact form, we collect your name, email, and message content.
- Communications: If you communicate with us by email or otherwise, we may retain those communications.
2.2 Information Collected Automatically
When you use our Service, certain information is collected automatically:
- Usage data: Pages you visit, features you use, actions you take within the dashboard, and time spent on different parts of the Service.
- Log data: Your IP address, browser type and version, operating system, referring URL, and timestamps of requests.
- Device information: Device type, screen resolution, and browser capabilities.
- Cookies and similar technologies: We use cookies and similar tracking technologies to maintain your session, remember your preferences, and understand how you use our Service. See Section 7 for more details.
2.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture as permitted by your Google account settings.
- PayPal: We receive transaction confirmation data including subscription IDs and payment status from PayPal when you make a purchase.
- Analytics providers: We use PostHog and Sentry to understand how users interact with our Service and to identify and fix errors. These tools may collect usage patterns and error traces.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To create and manage your account, process your URL submissions, generate AI analysis reports, and display your results.
- Payment processing: To manage subscriptions, process credit purchases, and maintain billing records.
- Communication: To send you transactional emails (welcome email, roast completion notifications, subscription confirmations) and, where you have opted in, our weekly progress reports and onboarding sequence.
- Service improvement: To understand how users use our Service, identify bugs, fix errors, and improve existing features.
- Security: To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, including responding to lawful requests from public authorities.
- Leaderboard: If your roast is set to public, your URL and score may appear on our public leaderboard. You can change this in your settings at any time.
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you requested, including account creation, roast generation, and payment processing.
- Legitimate interests: Processing for analytics, fraud prevention, security monitoring, and improving our Service, where these interests are not overridden by your data protection rights.
- Consent: Where you have explicitly consented, such as receiving marketing emails. You may withdraw this consent at any time.
- Legal obligation: Processing required to comply with applicable laws and regulations.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties for their marketing purposes. We may share your data in the following limited circumstances:
- Service providers: We share data with trusted third-party service providers who help us operate the Service. These include Supabase (database and authentication), OpenAI (AI analysis), PayPal (payment processing), Resend (email delivery), Upstash (rate limiting), PostHog (product analytics), and Sentry (error monitoring). All service providers are contractually bound to protect your data and use it only for the services they provide to us.
- Legal requirements: We may disclose your information if required by law, court order, or other governmental authority, or to protect the rights, property, or safety of StartupRoastAI, our users, or others.
- Business transfers: If StartupRoastAI is acquired, merged with, or transfers some or all of its assets to another company, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.
- With your consent: We may share your information in other ways if you have given us explicit consent.
6. AI-Generated Analysis and Your URLs
When you submit a URL for analysis, our Service visits that URL, captures a screenshot (for Pro users with screenshot analysis enabled), and sends relevant content to OpenAI's API for AI-powered analysis.
Please be aware that:
- URLs you submit are stored in our database associated with your account.
- OpenAI processes the content of your submitted pages according to OpenAI's Privacy Policy. We use OpenAI's API, and OpenAI does not use API inputs to train its models by default.
- Public roasts (where "Make public" is enabled) may appear on our leaderboard and are accessible via a public URL. You can disable this at any time in your roast settings.
- Screenshots are stored securely in our cloud storage and are only accessible to you and our service providers.
7. Cookies and Tracking Technologies
We use the following types of cookies and tracking technologies:
- Essential cookies: Required for the Service to function, including session authentication cookies managed by Supabase.
- Analytics cookies: PostHog uses cookies to track how users interact with our Service. This helps us understand feature usage and improve the product. You can opt out of PostHog tracking by enabling "Do Not Track" in your browser.
- Error tracking: Sentry may set cookies to help correlate error reports with user sessions.
Most browsers allow you to control cookies through their settings. However, disabling essential cookies may prevent you from using certain features of the Service.
8. Data Retention
We retain your data for as long as your account is active or as needed to provide you the Service:
- Account data: Retained for the duration of your account. If you delete your account, we delete your personal data within 30 days, except where retention is required by law.
- Roast reports: Retained as long as your account exists. You can delete individual roasts at any time from your dashboard.
- Payment records: Retained for 7 years as required by financial regulations.
- Log data: Retained for up to 90 days for security and debugging purposes.
- Email communications: Retained for up to 2 years to maintain communication history.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: You have the right to request a copy of the personal data we hold about you.
- Correction: You have the right to request that we correct inaccurate or incomplete data.
- Deletion: You have the right to request deletion of your personal data ("right to be forgotten"), subject to certain exceptions.
- Portability: You have the right to receive your data in a structured, machine-readable format.
- Objection: You have the right to object to processing of your data based on legitimate interests.
- Restriction: You have the right to request that we restrict processing of your data in certain circumstances.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Opt out of email communications: You can unsubscribe from marketing and progress emails at any time via the unsubscribe link in any email or through your dashboard settings.
To exercise any of these rights, contact us at privacy@startuproastai.com. We will respond within 30 days. California residents may also have additional rights under the CCPA, including the right to know what categories of personal information we collect and the right to non-discrimination for exercising privacy rights.
10. Data Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- All data is transmitted using TLS/HTTPS encryption.
- Database access is restricted using Row Level Security (RLS) policies — users can only access their own data.
- API keys and sensitive credentials are stored as encrypted environment variables and never exposed in client-side code.
- Service role keys (which bypass RLS) are used only in server-side functions and never in the browser.
- Payment data is handled exclusively by PayPal — we never see or store raw card numbers.
- We conduct periodic security reviews of our codebase and infrastructure.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.
11. Children's Privacy
Our Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@startuproastai.com and we will delete such information promptly.
12. International Data Transfers
StartupRoastAI is operated from and our primary infrastructure is located in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.
For users in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where required.
13. Third-Party Links
Our Service may contain links to third-party websites, services, or resources. We are not responsible for the privacy practices of those third parties. This Privacy Policy applies only to information collected by StartupRoastAI. We encourage you to review the privacy policies of any third-party services you access through links on our platform.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, sending you an email notification.
We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: