Privacy Policy

This Privacy Policy explains how Superprez (“we”, “us”) collects, processes, transfers, retains, exports, deletes, restricts, anonymises or pseudonymises information about identifiable individuals (“personal data”).

Scope

Today Superprez is a commercially offered software service for authoring, deploying, sharing, collaborating on interactive presentations tied to workspaces, repos, uploads, and optional AI tooling integrations. Waiting-list-only processing may still coexist in specific legacy forms (for example spreadsheets or legacy scripts referenced in infra configuration) until fully retired — we process only what flows through systems You actually trigger.

Data we collect — accounts & product use

• Identifier & contact: email, display name fragments, initials, subdomain / workspace identifiers.
• Credentials & auth events: hashed tokens, OAuth profile basics from Google Sign-In where enabled, session cookies, timestamps, IP-derived abuse heuristics, device user-agent excerpts.
• Product content & metadata You supply: repos connected, zipped uploads, collaborator emails, share-link settings, thumbnails, manifests, previews, webhook secrets You configure, chat-style agent prompts retained per session history mechanics of our hosting stack until You delete decks.
• GitHub artefacts: repo names/commits when You connect accounts or run managed hosting repos — subject to GitHub's policies when code lives there.
• AI vendor traffic: prompts & responses You route through integrations only if persisted by those subsystems' configs (rotating logs, session transcripts for debugging reproducibility capped by product implementation).

Drop-code without a personal GitHub account

If You use Superprez without linking a personal GitHub account, drop-code uploads are versioned in private repositories on GitHub that Superprez provision and operate through its own automation credentials (for example a dedicated bot or organization PAT). You remain the data controller for Your deck contents; we use those repos only to build, update, and serve presentations You request, under the technical and contractual limits described here and in GitHub's relevant policies. Connecting Your own GitHub account later may move new work under Your namespace according to product flows available at that time.

Billing payment events (merchant of record)

Lemon Squeezy (or successors) collects payment instrumentation, taxable address hints, churn events, proration artefacts, payout dispute metadata. We synchronise entitlement fields (plans, quotas, webhook purchase IDs) referencing their IDs — not storing full PAN track data on Superprez application servers unless a future PSP embed explicitly says otherwise later (we'd update here).

Cookies / local persistence

Sessions use secure cookies. Some UI convenience fields may cache progress client-side (“remember me” style onboarding toggles read from local browser storage until cleared). Embedded deck iframes may set their own runtime cookies unrelated to ours when upstream authoring frameworks do — treat those deployments as extensions of Your site policy toward visitors.

Analytics

We may run aggregate site analytics (potentially privacy-oriented tools). If analytic pixels expand to track marketing funnel cross-site, We update this disclosure and banners if EU/UK/other consent mandates require overlay.

Processors & onward transfers

Infrastructure partners (examples: Postgres hosting zones you deploy into, SMTP via SendGrid, runtime provider Superengine, GitHub repositories, Stripe-class processor Lemon Squeezy, cloud object storage latent in builds, error tracking if enabled) operate under their SCCs/BCRs/transparency reports when cross-border transfers happen.

Lawful bases (EEA-style framing)

Contract performance delivers the Service You request. Legitimate interests: secure multi-tenant platform, detect abuse tying sessions, optimise capacity, aggregated stats. Legal obligation: respond lawful requests, tax archive when billing law demands. Consent governs newsletters if double opt-in emerges later.

Retention

Operational logs rotate; ephemeral preview caches eviction policies depend on infra. Database rows survive until You delete presentations or erase Your account triggers cascades coded in our Postgres schema migrations. Stripe/Lemon invoices may persist years per finance rules — request processor-side erasure scopes via their dashboards when applicable.

Rights requests

Subject to verifying identity proportional to sensitivity, where Your jurisdiction affords access, portability, rectification, erasure (“right to be forgotten”) with carve-outs for transactional records invoices must keep, restriction, objection, appeal automated decisions profiling not central today — email hello@superprez.io. Administrators may purge accounts per internal abuse workflows with audit logs conceptually narrower than perpetual marketing logs.

Banned / suspended identifiers

If we suspend severe abusers administratively after investigation, hashed email-ban rows may linger solely to honour the security outcome — minimised pseudonymous storage.

Children

Superprez is not knowingly marketed to humans under eighteen (18). If You believe minors supplied personal data, contact us to remove quickly.

Security

Defence-in-depth: TLS in transit between browsers and ingress, segregation of workspaces, hashed magic tokens rotating, optional per-repo webhook HMAC verification. Absolute security is impossible — report suspected incidents promptly.

Changes

We revise this Privacy Policy periodically; the Updated date atop tracks last meaningful edit.

Contact

Privacy questions or regulatory correspondence: hello@superprez.io.

See also Terms and Conditions, Legal index.