1. Who we are
AICodePack is a SaaS launch-readiness scanner for web apps. The data controller is the operator of aicodepack.com. For any privacy question, email support@aicodepack.com.
2. What we collect
Account data
- Email address and a hashed password (handled by Supabase Auth).
- Optional display name set on your profile.
- Plan tier, billing interval, and Stripe customer / subscription IDs once you upgrade.
Usage data
- URLs you submit for scanning, the scan’s results (HTTP status codes, page titles, response headers, detected issues), and any screenshots Playwright captures during a scan.
- The count of scans you’ve run, page counts, and project metadata you create.
- Server logs containing your IP address, user-agent, and request timestamps. Kept for security and abuse prevention only.
Payment data
We do not store card numbers. Stripe handles payment, and we only receive the subscription IDs, plan, status, and the last four digits of the card you used.
What we do not collect
- We do not access or store your private source code, repos, or environment variables.
- We do not run third-party advertising trackers.
- We do not sell, rent, or share your data with data brokers.
3. How we use your data
- To run scans you request and persist their results so you can revisit them.
- To enforce plan limits (e.g. free-tier lifetime cap, monthly scan quotas).
- To bill paid plans and send transactional email (receipts, password resets, scan completion, security notices).
- To detect and respond to abuse, scraping, or scanner misuse.
- To improve the product in aggregate. We do not single out individual accounts in product analytics.
4. Subprocessors and third parties
We share the minimum data needed with the following providers to operate the service:
- Supabase — primary database, authentication, and file storage (screenshots).
- Vercel — hosting and serverless function execution. May log request metadata.
- Stripe — payment processing. Handles all card data directly under their PCI-DSS environment.
- OpenAI — when an OpenAI API key is configured, scan issue text and short URL lists are sent to the OpenAI API to generate fix prompts and the launch overview. We do not send your account email, payment data, or page screenshots to OpenAI.
- Resend / equivalent transactional email provider — delivers password resets and other service emails.
Each subprocessor has its own privacy and security commitments. We do not sell your data to anyone.
5. Storage, retention, and security
Account data and scan results are stored in Supabase (Postgres) with Row-Level Security so a user can only read their own rows. All traffic is served over TLS. Service-role credentials never reach the browser. Passwords are hashed by Supabase Auth — we never see them in plaintext.
Scan results are kept while the account is active so you can return to a previous report. If you delete a scan, project, or your account, the underlying rows are removed within 30 days. Server logs are typically retained for up to 90 days. Stripe retains its own billing records per its retention policy.
6. Cookies and local storage
We use a small number of strictly necessary cookies to keep you signed in (Supabase Auth) and a few local-storage entries to remember UI preferences (e.g. monthly / yearly billing toggle). We do not use advertising or cross-site tracking cookies.
7. Your rights
You can:
- Access or correct your profile data inside the app.
- Export or delete your scan history, projects, and entire account.
- Cancel your paid subscription anytime from the billing portal.
If you’re in the EU/UK you have rights under the GDPR (access, rectification, erasure, portability, restriction, objection). If you’re in California you have rights under the CCPA/CPRA (know, delete, correct, opt-out of sale — we do not sell). Email support@aicodepack.com with the subject “Privacy request” and we’ll respond within 30 days.
8. Children
AICodePack is not intended for children under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you believe a child has signed up, contact us and we’ll delete the account.
9. International transfers
Our infrastructure providers operate globally. By using AICodePack you understand that data may be processed in the United States or other countries. We rely on each subprocessor’s standard contractual clauses or equivalent safeguards for cross-border transfers.
10. Changes to this policy
Material changes will be announced in the app and by email at least 14 days before taking effect. Continued use after the effective date means you accept the updated policy.