Privacy Policy

1. Information We Collect

• Account data: Email address and hashed password, stored securely in Supabase Auth.
• User content: Diagrams, Discovery conversations, AI chat history, and project metadata you create within the Service.
• Usage data: Basic request logs (timestamps, endpoints, user ID) for rate limiting, security monitoring, and service improvement. We do not track browsing behavior across other sites.
• Session data: Authentication tokens stored in httpOnly cookies. We do not use tracking cookies or third-party analytics cookies.

2. How We Use Your Data

• To provide, operate, and maintain the Service.
• To authenticate your identity and protect your account.
• To render your diagrams through server-side rendering engines.
• To process AI requests (brainstorming, diagram generation, refinement) through your selected AI provider.
• To enforce rate limits and prevent abuse of the Service.
• To communicate with you about your account or significant changes to the Service.

3. Third-Party Services

To provide the Service, your content may be transmitted to the following third-party providers:

• Kroki.io — Diagram rendering. Your diagram source code is sent server-side for rendering into SVG, PNG, or PDF.
• OpenAI — AI-powered brainstorming, diagram generation, and refinement (when selected as provider).
• Anthropic (Claude) — AI-powered brainstorming, diagram generation, and refinement (when selected as provider).
• Google (Gemini) — AI-powered brainstorming, diagram generation, and refinement (when selected as provider).
• Supabase — Authentication, database storage, and hosting infrastructure.

All third-party communication happens server-side only. Your browser never communicates directly with these services. We do not share your data with third parties for advertising, marketing, or data brokering purposes.

4. Data Security

We implement industry-standard security measures to protect your data:

• All connections encrypted via HTTPS/TLS.
• Authentication tokens stored in httpOnly, secure, SameSite cookies.
• Row-level security (RLS) in the database — users can only access their own data.
• All API secrets and keys stored server-side only; never exposed to the browser.
• CSRF protection on all mutating API routes.
• Input validation via Zod schemas on every API endpoint.
• Per-user rate limiting on all API routes.

5. Data Retention & Deletion

• Your data is retained as long as your account is active.
• You may delete individual diagrams and discovery sessions at any time.
• Account deletion permanently removes all associated data from our systems.
• We reserve the right to delete data associated with inactive accounts after 12 months of inactivity, with prior email notification.
• AI providers may retain request data according to their own data retention policies. We recommend reviewing their privacy policies directly.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Export your data (diagrams can be downloaded as SVG, PNG, or PDF; project scaffolds can be exported as ZIP).
• Withdraw consent for data processing.

To exercise any of these rights, contact us at support@cybewave.io.

7. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have collected data from a child under 13, we will promptly delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

9. Contact

For questions about this Privacy Policy or your data, contact us at support@cybewave.io.