Privacy Policy

Last updated: March 2026

38os, operated by 38os ("we," "our," or "us"), based in Dhaka, Bangladesh, is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the 38os platform, including our website, application, and related services (collectively, the "Service"). Where we process personal data of individuals in the European Economic Area (EEA), we do so in compliance with the General Data Protection Regulation (GDPR). For users in the United States, we comply with applicable state privacy laws including the California Consumer Privacy Act (CCPA).

By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect information that identifies you as an individual, including your full name, email address, company name, job title, and any other details you provide during registration or while updating your profile. If you sign up using a third-party authentication provider (such as Google), we receive your name and email address from that provider.

1.2 Business Information

To deliver our marketing analysis and strategy services, we collect business-related data you provide through our intake forms. This includes your company's website URL, industry, target audience, current marketing channels, budget ranges, business goals, and other details relevant to generating your marketing assessment. We may also fetch publicly available content from your website URL to enhance analysis accuracy.

1.3 Usage Data

We automatically collect certain information when you access and use the Service. This includes your IP address, browser type and version, operating system, referring URLs, pages viewed within the Service, time spent on pages, features used, click patterns, and the dates and times of your visits. This data helps us understand how our Service is used and how we can improve it.

1.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are small data files placed on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, some portions of our Service may not function properly. For more details, see Section 5 below.

1.5 Third-Party Authentication Data

If you choose to register or log in using a third-party service such as Google OAuth, we receive your profile information (name, email, and profile image) from that provider. We do not receive or store your third-party account password.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To create and manage your account, generate marketing analyses, produce diagnostic reports, deliver AI-powered recommendations, and operate all features of the platform.
  • Improving the Product: To analyze usage patterns, diagnose technical issues, test new features, and improve the performance, reliability, and user experience of the Service.
  • Communication: To send you account-related notifications, security alerts, product updates, and, with your consent, marketing communications about new features or services. You can opt out of non-essential communications at any time.
  • AI Processing: To process your business data through our AI advisor (powered by Anthropic Claude) to generate analysis scores, strategic recommendations, diagnostic narratives, and growth projections. Your data is sent to the AI model in real time for processing. Anthropic does not use API inputs to train its models and does not retain your data beyond the scope of processing the API request, except as briefly required for abuse and safety monitoring.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.

3. Data Storage & Security

Your data is stored on Supabase cloud infrastructure, which runs on Amazon Web Services (AWS). We implement industry-standard security measures to protect your personal information:

  • Encryption at Rest: All stored data is encrypted using AES-256 encryption.
  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
  • Workspace Isolation: Each workspace's data is logically isolated using Supabase Row Level Security (RLS) policies, ensuring that users can only access data belonging to their own workspace.
  • Access Controls: Internal access to user data is restricted to authorized personnel on a need-to-know basis and is protected by multi-factor authentication.
  • Automated Backups: Regular automated backups are maintained to prevent data loss and ensure recoverability.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

4. Third-Party Services

We rely on trusted third-party services to operate our platform. Each provider has its own privacy policy governing the use of your information:

  • Supabase — Provides our database, authentication, and real-time infrastructure. Your account data, business information, and analysis results are stored in Supabase-managed PostgreSQL databases.
  • Vercel — Hosts our web application and serves all HTTP traffic. Vercel processes standard request data such as IP addresses and HTTP headers as part of delivering the Service.
  • PostHog — Provides product analytics to help us understand how the Service is used. PostHog collects aggregate usage and behavioural data such as pages visited, features used, and interaction patterns. By default, events are sent in volatile mode: an anonymous ID is stored in your browser's session storage (cleared when you close the tab) and we instruct PostHog not to create a persistent person profile. This lets us count traffic and measure feature usage without tracking you across sessions. If you accept the cookie banner, we upgrade to persistent tracking (localStorage ID, cross-session attribution) so we can measure returning-user behaviour. No personally identifiable information is shared with PostHog beyond what you voluntarily submit through the Service.
  • Stripe — When we introduce paid subscription plans, payment processing will be handled through Stripe. Stripe is PCI DSS Level 1 certified. We will never store your credit card numbers or full payment details on our servers.
  • Anthropic (Claude AI) — Powers our AI advisor and analysis generation features. Your business data is sent to the Anthropic API for real-time processing. Importantly, Anthropic does not use API inputs to train its models. Data is processed in real time and is not retained by Anthropic beyond the scope of the API request.
  • Resend — Handles transactional email delivery, including account verification, password resets, and notification emails. Resend receives your email address and email content necessary for delivery.

5. Cookies & Tracking

We use the following categories of cookies:

  • Essential Cookies: Required for the Service to function. These cookies enable core features such as authentication, session management, and security. They cannot be disabled without affecting the functionality of the Service.
  • Aggregate Analytics (session-scoped): We store a volatile random identifier in your browser's sessionStorage (cleared when you close the tab) so we can count page views, feature usage, and aggregate behaviour to improve the Service. This identifier is not a cookie, is never shared with third parties beyond our analytics provider (PostHog), and does not track you across sessions. We process this data under legitimate interest (GDPR art. 6(1)(f)); no personally identifiable information is attached.
  • Cross-Session Analytics Cookies (optional, consent-based): If you click “Accept” on the cookie banner, we upgrade the identifier to localStorage so we can measure returning-visitor behaviour, attribute conversions, and build funnels. You can withdraw consent at any time by clearing your browser storage or using your browser's cookie controls.
  • Preference Cookies: Remember your settings and preferences (such as theme selection, language, and display options) so you don't have to reconfigure them each time you visit.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies may impair the Service's functionality.

6. Legal Basis for Processing

If you are located in the EEA, we process your personal data under the following legal bases as defined by the GDPR:

  • Contractual Necessity: To provide the Service you have signed up for, including account management, analysis generation, and AI-powered features.
  • Legitimate Interest: To improve the Service, diagnose technical issues, and ensure security, where our interests do not override your fundamental rights.
  • Consent: For non-essential analytics cookies and marketing communications, which you may withdraw at any time.
  • Legal Obligation: Where we are required to process data to comply with applicable laws or regulations.

7. Your Rights

Depending on your location and applicable laws (including the GDPR for EEA residents and the CCPA for California residents), you may have the following rights regarding your personal information:

  • Right to Access: You may request a copy of the personal data we hold about you.
  • Right to Correction: You may request that we correct any inaccurate or incomplete personal data.
  • Right to Deletion: You may request that we delete your personal data, subject to certain legal obligations that may require us to retain certain information.
  • Right to Data Portability (GDPR Article 20): You may download a machine-readable export of all personal data and workspace content associated with your account at any time — no request needed. Go to Settings › Danger Zone › Download My Data to export a complete JSON file covering your account, KPIs, strategy, campaigns, CRM, meetings, and all other content.
  • Right to Object: You may object to the processing of your personal data for certain purposes, including direct marketing.
  • Right to Restrict Processing: You may request that we limit the processing of your personal data under certain circumstances.

To exercise any of these rights, please contact us via our contact page. We will respond to your request within 30 days.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

  • Active Accounts: Your data is retained for the duration of your active account and subscription.
  • Account Closure: Upon account deletion or closure, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes (such as fraud prevention or financial record-keeping).
  • Aggregated Data: We may retain anonymized, aggregated data indefinitely for analytical and statistical purposes. This data cannot be used to identify you.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us via our contact page.

10. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. Our infrastructure providers (Supabase/AWS) maintain servers in multiple regions globally. When we transfer data across borders, we ensure that appropriate safeguards are in place to protect your personal information in accordance with applicable data protection laws, including standard contractual clauses and other legally recognized transfer mechanisms.

For B2B customers, our Data Processing Agreement is available at /dpa and includes Standard Contractual Clauses incorporated by reference.

11. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. This section describes the categories of personal information we collect, your rights, and how to exercise them.

Categories of Personal Information Collected

We collect the following categories of personal information, as defined by the CCPA:

  • Identifiers: Name, email address, IP address, and account credentials.
  • Commercial Information: Subscription plan details, payment history, and transaction records.
  • Internet or Other Electronic Network Activity: Usage data, browsing history within the platform, pages visited, features used, and interaction patterns.
  • Professional or Employment-Related Information: Company name, job title, role, and industry.
  • Inferences: Marketing health scores, AI-generated analysis insights, diagnostic assessments, and growth projections derived from the information listed above.

Your Rights Under the CCPA

As a California resident, you have the following rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain exceptions permitted by law.
  • Right to Correct: You may request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different level of quality, or suggest that you will receive any of these as a result of exercising your rights.

How to Exercise Your Rights

To submit a request to know, delete, or correct your personal information, you may:

  • Submit a request via our contact page with the subject line "CCPA Request."
  • Use the account deletion feature available in Settings > Danger Zone within your account dashboard.

We will acknowledge your request within 10 business days and respond within 45 calendar days of receiving a verifiable request. If we require additional time, we may extend the response period by an additional 45 days with prior written notice to you explaining the reason for the extension.

Verification

To protect your privacy and security, we will verify your identity before processing any CCPA request. Verification is performed by confirming your identity through the email address associated with your 38os account. We may request additional information if necessary to verify your identity.

Authorized Agents

You may designate an authorized agent to submit a CCPA request on your behalf. To do so, you must provide the authorized agent with written permission signed by you, and we may require you to verify your own identity directly with us before we process the agent's request.

Do Not Sell or Share My Personal Information

38os does not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

California "Shine the Light" Disclosure

Under California Civil Code Section 1798.83, California residents who have an established business relationship with us may request information about whether we have disclosed personal information to any third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes. If you have questions about this practice, please contact us via our contact page.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification or displaying a prominent notice within the Service. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

  • Contact Form: Contact Us
  • Subject Line: Privacy Policy Inquiry

We aim to respond to all privacy-related inquiries within 30 days of receipt.