Privacy Policy

DiscloseKit is privacy-first by design. This page explains what we process and why. It is a plain-language summary, not legal advice.

Where your data lives

All application data (accounts, products, AI-system inventories, statements and evidence logs) is stored in the EU — specifically in a Supabase project hosted in Frankfurt (eu-central-1).

What we process

  • Account data: your email address and authentication identity, via Supabase Auth (Google, GitHub, Apple, or magic link).
  • Workspace content: the products, AI systems, widget configuration and statements you create.
  • Billing: handled by Stripe. We store your Stripe customer and subscription identifiers; card details never touch our servers.
  • Checker submissions: stored anonymously (your answers and the result). An email address is stored only if you explicitly request the report, and only after you confirm it via a double opt-in email.
  • Newsletter: optional and separate. You are added to our list only after confirming through double opt-in. Managed with Brevo. You can unsubscribe at any time.

The disclosure widget

The embeddable widget is cookie-free. It sends an anonymous impression beacon so we can maintain a daily disclosure count for your evidence log. We do not store IP addresses or set any tracking cookie, on your site or ours.

Email

Transactional email (report confirmations, team invitations) and newsletter delivery are handled by Brevo. Newsletter subscription uses double opt-in in line with the GDPR.

Your rights

You can access, correct or delete your data at any time. Delete a product to remove its inventory, statements and configuration; contact us to delete your account entirely. For any request, email hello@disclosekit.eu.

Sub-processors

  • Supabase (database, auth, storage — EU/Frankfurt)
  • Stripe (payments)
  • Brevo (email)
  • Vercel (hosting)

This is compliance tooling, not legal advice.