Privacy Policy

Goalfinder ("we", "us") respects your privacy. This policy explains what personal data we collect when you use the Service, why we collect it, who we share it with, and what rights you have over it.

By using the Service you agree to the practices described in this policy.

Account data

When you create an account, we collect your email address. If you complete your profile, we may also collect: username, bio, location, birth year, and gender. These fields are optional except where required for specific features.

Content you create

We store any content you create on the platform: goals, prototypes, prototype updates, comments, reports (including the ideas and context you enter for analysis), and saved items.

Payment data

Payments are processed by Stripe. We do not store your card details. We store your Stripe customer ID, subscription status, and credit balance in order to manage access to paid features.

Usage data

We collect basic usage data including pages visited, actions taken (e.g. idea generation count, credits used), and session information. This is used to operate and improve the Service.

Analytics

We use Vercel Analytics, a privacy-friendly analytics tool that does not use cookies and does not track you across sites. It collects aggregate page view and performance data.

Cookies

We use cookies strictly for authentication. Supabase sets a session cookie when you sign in so you remain logged in. We do not use tracking or advertising cookies.

We use the data we collect to:

• create and manage your account;
• display your profile and content to other users where you have published it;
• process payments and manage subscription and credit access;
• send transactional emails (magic link sign-in, password reset, billing receipts via Stripe);
• operate the AI features — the text of ideas and contexts you submit is sent to our AI inference provider for processing;
• detect abuse and enforce our Terms of Service;
• understand how the Service is used so we can improve it.

We do not sell your personal data. We do not use your data for advertising targeting outside of the Service.

When you use AI features (idea generation, deep analysis, refine), the text you enter — including ideas, context descriptions, and refinement notes — is transmitted to OpenRouter, our AI inference provider, for processing. OpenRouter may use third-party model providers to generate responses. Please avoid including sensitive personal information in idea or context fields.

We share data only with the service providers necessary to operate Goalfinder:

• Supabase — database hosting and authentication. Your account data, content, and profile information are stored on Supabase infrastructure.
• Stripe — payment processing. Stripe handles all card transactions and stores your payment details under their own privacy policy.
• Vercel — hosting and analytics. Your requests are served through Vercel's infrastructure; Vercel Analytics processes anonymised usage data.
• OpenRouter — AI inference. Idea and context text you submit to AI features is processed through OpenRouter.

We do not share your data with advertisers. Advertisers on Goalfinder only see aggregate performance metrics for their ads (impressions, clicks) — never user identities.

We may disclose data if required by law or to protect the rights and safety of users or the public.

Content you choose to publish — goals, prototypes, comments, and public reports — is visible to all users and may be indexed by search engines. If you delete published content, it is removed from the Service, but we cannot guarantee that cached copies held by third parties (such as search engines) are immediately removed.

Profile information you add (username, bio, location) is public by default if you have published content.

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal profile data within 30 days. Published content may persist in anonymised or deleted form according to your deletion preferences. Credit and payment records are retained for as long as required by applicable tax and financial regulations.

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate data.
• Deletion — request deletion of your account and associated data.
• Portability — request your data in a machine-readable format.
• Objection — object to processing where we rely on legitimate interests.
• Withdrawal of consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us via the feedback button in the app. We will respond within 30 days.

If you are located in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.

We use industry-standard security practices: HTTPS for all data in transit, Supabase row-level security policies to restrict data access, and Stripe's PCI-compliant infrastructure for payment handling. No system is completely secure; we cannot guarantee absolute security of your data.

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it promptly.

We may update this policy from time to time. Material changes will be communicated via the Service or by email. Continued use after changes take effect constitutes acceptance of the updated policy.

For privacy-related questions or to exercise your rights, use the feedback button in the app or contact us at the email address on our profile.