Privacy Policy
Last updated: March 2026
38os, operated by 38os ("we," "our," or "us"), based in Dhaka, Bangladesh, is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the 38os platform, including our website, application, and related services (collectively, the "Service"). Where we process personal data of individuals in the European Economic Area (EEA), we do so in compliance with the General Data Protection Regulation (GDPR). For users in the United States, we comply with applicable state privacy laws including the California Consumer Privacy Act (CCPA).
By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect information that identifies you as an individual, including your full name, email address, company name, job title, and any other details you provide during registration or while updating your profile. If you sign up using a third-party authentication provider (such as Google), we receive your name and email address from that provider.
1.2 Business Information
To deliver our marketing audit and strategy services, we collect business-related data you provide through our intake forms. This includes your company's website URL, industry, target audience, current marketing channels, budget ranges, business goals, and other details relevant to generating your marketing assessment. We may also fetch publicly available content from your website URL to enhance audit accuracy.
1.3 Usage Data
We automatically collect certain information when you access and use the Service. This includes your IP address, browser type and version, operating system, referring URLs, pages viewed within the Service, time spent on pages, features used, click patterns, and the dates and times of your visits. This data helps us understand how our Service is used and how we can improve it.
1.4 Cookies and Similar Technologies
We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are small data files placed on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, some portions of our Service may not function properly. For more details, see Section 5 below.
1.5 Third-Party Authentication Data
If you choose to register or log in using a third-party service such as Google OAuth, we receive your profile information (name, email, and profile image) from that provider. We do not receive or store your third-party account password.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To create and manage your account, generate marketing audits, produce diagnostic reports, deliver AI-powered recommendations, and operate all features of the platform.
- Improving the Product: To analyze usage patterns, diagnose technical issues, test new features, and improve the performance, reliability, and user experience of the Service.
- Communication: To send you account-related notifications, security alerts, product updates, and, with your consent, marketing communications about new features or services. You can opt out of non-essential communications at any time.
- AI Processing: To process your business data through our AI advisor (powered by Anthropic Claude) to generate audit scores, strategic recommendations, diagnostic narratives, and growth projections. Your data is sent to the AI model in real time for processing. Anthropic does not use API inputs to train its models and does not retain your data beyond the scope of processing the API request, except as briefly required for abuse and safety monitoring.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
3. Data Storage & Security
Your data is stored on Supabase cloud infrastructure, which runs on Amazon Web Services (AWS). We implement industry-standard security measures to protect your personal information:
- Encryption at Rest: All stored data is encrypted with AES-256.
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
- Workspace Isolation: Each workspace's data is logically isolated using Supabase Row Level Security (RLS) policies, ensuring that users can only access data belonging to their own workspace.
- Access Controls: Internal access to user data is restricted to authorized personnel on a need-to-know basis and is protected by multi-factor authentication.
- Automated Backups: Regular automated backups are maintained to prevent data loss and ensure recoverability.
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
4. Third-Party Services
We rely on trusted third-party services to operate our platform. Each provider has its own privacy policy governing the use of your information:
- Supabase — Provides our database, authentication, and real-time infrastructure. Your account data, business information, and audit results are stored in Supabase-managed PostgreSQL databases.
- Vercel — Hosts our web application and serves all HTTP traffic. Vercel processes standard request data such as IP addresses and HTTP headers as part of delivering the Service.
- PostHog — Provides product analytics to help us understand how the Service is used. PostHog collects anonymized usage and behavioral data such as pages visited, features used, and interaction patterns. No personally identifiable information is shared with PostHog beyond what is necessary for analytics.
- Stripe — When we introduce paid subscription plans, payment processing will be handled through Stripe. Stripe is PCI DSS Level 1 certified. We will never store your credit card numbers or full payment details on our servers.
- Anthropic (Claude AI) — Powers our AI advisor and audit generation features. Your business data is sent to the Anthropic API for real-time processing. Importantly, Anthropic does not use API inputs to train its models. Data is processed in real time and is not retained by Anthropic beyond the scope of the API request.
- Resend — Handles transactional email delivery, including account verification, password resets, and notification emails. Resend receives your email address and email content necessary for delivery.
5. Cookies & Tracking
We use the following categories of cookies:
- Essential Cookies: Required for the Service to function. These cookies enable core features such as authentication, session management, and security. They cannot be disabled without affecting the functionality of the Service.
- Analytics Cookies: Help us understand how visitors interact with the Service by collecting aggregated, anonymous usage data. This information helps us improve navigation, content, and overall user experience.
- Preference Cookies: Remember your settings and preferences (such as theme selection, language, and display options) so you don't have to reconfigure them each time you visit.
You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies may impair the Service's functionality.
6. Legal Basis for Processing
If you are located in the EEA, we process your personal data under the following legal bases as defined by the GDPR:
- Contractual Necessity: To provide the Service you have signed up for, including account management, audit generation, and AI-powered features.
- Legitimate Interest: To improve the Service, diagnose technical issues, and ensure security, where our interests do not override your fundamental rights.
- Consent: For non-essential analytics cookies and marketing communications, which you may withdraw at any time.
- Legal Obligation: Where we are required to process data to comply with applicable laws or regulations.
7. Your Rights
Depending on your location and applicable laws (including the GDPR for EEA residents and the CCPA for California residents), you may have the following rights regarding your personal information:
- Right to Access: You may request a copy of the personal data we hold about you.
- Right to Correction: You may request that we correct any inaccurate or incomplete personal data.
- Right to Deletion: You may request that we delete your personal data, subject to certain legal obligations that may require us to retain certain information.
- Right to Export: You may request a machine-readable export of your personal data and any content you have created within the Service.
- Right to Object: You may object to the processing of your personal data for certain purposes, including direct marketing.
- Right to Restrict Processing: You may request that we limit the processing of your personal data under certain circumstances.
To exercise any of these rights, please contact us at privacy@38os.com. We will respond to your request within 30 days.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:
- Active Accounts: Your data is retained for the duration of your active account and subscription.
- Account Closure: Upon account deletion or closure, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes (such as fraud prevention or financial record-keeping).
- Aggregated Data: We may retain anonymized, aggregated data indefinitely for analytical and statistical purposes. This data cannot be used to identify you.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us at privacy@38os.com.
10. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside. Our infrastructure providers (Supabase/AWS) maintain servers in multiple regions globally. When we transfer data across borders, we ensure that appropriate safeguards are in place to protect your personal information in accordance with applicable data protection laws, including standard contractual clauses and other legally recognized transfer mechanisms.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification or displaying a prominent notice within the Service. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
- Email: privacy@38os.com
- Subject Line: Privacy Policy Inquiry
We aim to respond to all privacy-related inquiries within 30 days of receipt.