Privacy Policy
Effective date: April 1, 2026 · Last updated: April 6, 2026
1. Introduction
Ask Sensei ("Sensei," "the Service," "we," "us," or "our") is operated by Schmade LLC, a Delaware limited-liability company. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at asksensei.dev or use any of our products and services. Please read this policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, and password hash when you create an account.
- Product and business data: URLs, product descriptions, competitor URLs, and other business context you submit for analysis.
- Generated content: Strategy reports, audit results, validation analyses, roadmaps, and chat conversations created through the Service.
- Payment information: Billing details processed through Stripe. We never store full credit card numbers on our servers.
- Communications: Messages you send to us through support channels or the contact form.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, timestamps, and interaction patterns within the Service.
- Device information: Browser type, operating system, screen resolution, and language preference.
- Log data: IP address, access times, referring URLs, and server response codes.
- Cookies: Essential authentication cookies and session identifiers (see Section 8).
2.3 Information from Third Parties
- OAuth providers: If you sign in with Google, we receive your name, email, and profile picture as authorized by you.
- Publicly available data: When you submit a URL for auditing, we crawl publicly available content on that URL to perform our analysis.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To provide site audits, strategy reports, competitor tracking, validation analyses, and personalized recommendations.
- Account management: To create, maintain, and secure your account.
- Service improvement: To analyze usage patterns, diagnose technical issues, and improve features.
- Communication: To send transactional emails (account confirmations, audit results, security alerts) and, with your consent, product updates.
- Security: To detect, prevent, and respond to fraud, abuse, and security incidents.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
We do not use your data to build advertising profiles. We do not sell your personal information to third parties.
4. Legal Basis for Processing (EEA/UK)
If you are located in the European Economic Area or the United Kingdom, our legal bases for processing your personal data are:
- Contract performance: Processing necessary to provide the Service you signed up for (Article 6(1)(b) GDPR).
- Legitimate interests: Service improvement, security, and fraud prevention, where our interests do not override your fundamental rights (Article 6(1)(f) GDPR).
- Consent: Marketing communications, where applicable (Article 6(1)(a) GDPR). You may withdraw consent at any time.
- Legal obligation: Processing required to comply with applicable law (Article 6(1)(c) GDPR).
5. Data Sharing and Disclosure
We share your information only in the following circumstances:
5.1 Service Providers (Sub-processors)
We engage trusted third-party companies to perform services on our behalf, each bound by data processing agreements:
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database, authentication | Account data, generated reports |
| Vercel | Hosting, edge functions, analytics | Request logs, usage metrics |
| OpenAI | AI-powered analysis | Product descriptions, URLs (not used for model training) |
| Resend | Transactional email | Email address, notification content |
| Stripe | Payment processing | Billing information (PCI DSS Level 1) |
5.2 Legal Requirements
We may disclose your information if required to do so by law, in response to a valid subpoena, court order, or government request, or to protect the rights, property, or safety of Schmade LLC, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership.
6. Data Storage and Security
- Encryption in transit: All data is transmitted over TLS 1.3.
- Encryption at rest: All stored data is encrypted using AES-256.
- Infrastructure: Hosted on Vercel (SOC 2 Type II) with Supabase PostgreSQL (SOC 2 Type II) as our primary database.
- Access controls: Role-based access with the principle of least privilege. Database-level row-level security (RLS) ensures strict tenant isolation.
- Password security: User passwords are hashed using bcrypt with a cost factor of 10 and are never stored in plaintext.
- Monitoring: Automated alerting for anomalous access patterns and potential security incidents.
Note: Schmade LLC follows SOC 2 security practices and uses SOC 2 Type II certified infrastructure providers. Schmade LLC is not independently SOC 2 certified at this time.
7. Data Retention
- Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
- Account deletion: Upon account deletion, all personally identifiable information and generated reports are permanently removed within 30 days.
- Backups: Encrypted backups containing your data are purged within 90 days of account deletion.
- Legal retention: Certain records (e.g., financial transaction records for tax compliance) may be retained for up to 7 years as required by law.
- Anonymized data: We may retain anonymized, aggregated data indefinitely for analytics and service improvement. This data cannot be used to identify you.
8. Cookies and Tracking
We use a minimal set of cookies, limited to what is necessary for the Service to function:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Essential | Authentication session | Session / 7 days |
| theme | Functional | Dark/light mode preference | 1 year |
We use Vercel Web Analytics, which is privacy-focused, does not use cookies, and does not collect personally identifiable information. We do not use advertising cookies, retargeting pixels, or third-party trackers.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
9.1 All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data ("right to be forgotten").
- Portability: Request your data in a structured, machine-readable format (JSON export).
- Opt-out: Unsubscribe from marketing communications at any time.
9.2 EEA/UK Residents (GDPR)
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent at any time where processing is based on consent.
- Lodge a complaint: File a complaint with your local Data Protection Authority.
9.3 California Residents (CCPA/CPRA)
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected.
- Right to delete: Request deletion of personal information we have collected.
- Right to opt-out: We do not sell personal information. No opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, contact us at privacy@schmade.com. We will respond within 30 days (or sooner if required by law).
10. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. When we transfer data outside the EEA/UK, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and/or reliance on service providers' adequacy mechanisms (e.g., EU-U.S. Data Privacy Framework).
11. AI Data Processing
Sensei uses artificial intelligence to analyze your product, website, and market data. Important details about how AI processes your information:
- AI analysis is performed via the OpenAI API using their enterprise-grade data handling terms.
- Your data is not used to train OpenAI's models (API data usage policy, zero-retention where available).
- AI-generated insights are stored in your account and are only accessible to you.
- We do not share your business data with other users or use it to generate insights for competitors.
- You retain full ownership of all AI-generated reports and analyses.
12. Children's Privacy
Ask Sensei is a business tool designed for use by individuals who are at least 18 years of age. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by placing a prominent notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.
14. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:
Schmade LLC
Data Protection Inquiries
Email: privacy@schmade.com
We aim to respond to all inquiries within 14 business days.