Privacy Policy

Last updated: March 2026

What we collect

When you connect your Stripe account, we retrieve subscription and payment data via Stripe's OAuth API with read-only access. We collect your email address for authentication and to send you revenue reports you explicitly request. We do not collect payment card data or store your Stripe secret keys.

How we use your data

  • To scan your Stripe account for revenue leaks and generate reports
  • To calculate MRR, churn, and recovery metrics shown in your dashboard
  • To power the AI copilot with context from your revenue data
  • To send you revenue digest emails (you can opt out at any time)

We do not sell your data. We do not share your data with third parties except as required to operate the service (Supabase for database, Vercel for hosting, Anthropic for AI processing).

Data security

Stripe access tokens are encrypted at rest using AES-256-GCM before being stored in our database. All data is transmitted over HTTPS. We use Supabase Row Level Security to ensure your data is only accessible to you.

Data retention

We retain your data for as long as your account is active. Free plan data is retained for 30 days of history. You can disconnect your Stripe account and delete all associated data at any time from your dashboard settings.

Your rights

You can request a copy of your data, ask us to delete your account, or disconnect Stripe at any time. To exercise these rights, email us at privacy@corvidet.com.

How to delete your account and all associated data

You can permanently delete your Corvidet account directly from the dashboard at any time. Under GDPR Article 17 (right to erasure), this is a self-service action — no support ticket required.

  1. Sign in to your account.
  2. Go to dashboard settings and scroll to the Danger zone section.
  3. Click Delete my account, type your email exactly to confirm, and submit.

When you delete your account, we immediately:

  • Revoke our Stripe Connect authorization (you can verify this in your Stripe dashboard under Connected apps).
  • Cancel any active Corvidet billing subscription.
  • Delete your Supabase auth record, which cascades through every table containing your data: revenue metrics, leak detections, recovery events, monthly reports, usage events, and connection records.
  • Send you a confirmation email at the address on file.

We retain a single tamper-evident audit row containing a SHA-256 hash of your email (never the plaintext) and the deletion timestamp. This is required to demonstrate compliance during legal audits and contains no personally identifiable information.

If something goes wrong, contact privacy@corvidet.com and we will manually verify and complete the deletion within 30 days.

Cookies

We use session cookies managed by Supabase Auth for authentication only. We do not use advertising or tracking cookies.

Changes

We may update this policy from time to time. If we make material changes, we will notify you by email.

Contact

Questions about this policy? Email privacy@corvidet.com.