I. Who we are
The data controller is Telvara Holdings Limited, registered at 27 Crofton Road, No. 6, 1st Floor, Liverpool, L13 5UJ, United Kingdom, company number 17175891. Telephone +44 7782 220559. SupportPilots is our trading name for the AI customer-support product. If you have a privacy question, write to privacy@supportpilots.com and expect a reply within 72 hours.
II. What we collect
Account data: email, optional full name, hashed password. Usage data: number of queries, credit balance, purchase history, and the provider and model used on each query. Query data: only a SHA-256 hash of the prompt for billing audit. The prompt text itself is streamed to the inference provider and not kept by us, and the model response is not mirrored to our database either. Technical data: IP address, browser user-agent, coarse geolocation (country level), and timestamps. Payment data: transaction ID and amount only; full card numbers never reach our servers because tokenisation happens at the payment processor.
III. Why we collect it (legal bases)
Performance of a contract (Art. 6(1)(b) GDPR): to provide the service you signed up for. Legitimate interests (Art. 6(1)(f)): fraud prevention, abuse monitoring, capacity planning, and aggregated product analytics via Google Analytics 4 to measure site traffic and improve the service. Legal obligation (Art. 6(1)(c)): tax, accounting, and anti-money-laundering record-keeping. Consent (Art. 6(1)(a)): only for optional marketing emails, which you can withdraw at any time with one click.
IV. Sub-processors
We use a small number of processors to run the service, each bound by a GDPR-compliant Data Processing Agreement. Supabase covers auth, database, and edge functions in the EU region. kie.ai is the primary LLM gateway and Anthropic is the contracted fallback. Brevo handles transactional email and Hostinger hosts the static site. Google LLC provides Google Analytics 4 and Google Tag Manager for aggregated, non-advertising traffic measurement; no user-level profiles are built and no data is shared with Google advertising products. We do not run advertising trackers or behavioural profiling. Material changes to this list are announced with 14 days' notice by email and by a banner in the dashboard, in line with Section XI.
V. International transfers
Most data stays in the EU: Supabase EU region for auth and database, Brevo EU region for transactional mail. Anthropic and kie.ai may route inference through US data centres. Transfers are covered by the EU Commission's Standard Contractual Clauses (Module 2) and supplementary technical measures: TLS 1.2+ in transit, encryption at rest, the hash-only prompt retention described in Section II, and contractual commitments from both inference providers not to train on your data.
VI. Retention
Prompt text and model responses: not retained by us at all (the per-query SHA-256 hash in Section II is kept for billing audit only). Purchase records: retained for the period required by local tax and anti-money-laundering law, typically several years for EU operators. Account data: held until you close the account, then hard-deleted after a 30-day grace window as described in the Terms of Service. Marketing consents: pruned two years after your last interaction.
VII. Your rights
You have the right to access your data, correct it, delete it, restrict processing, object to processing based on legitimate interests, and receive a machine-readable export (GDPR Arts. 15–22). EU/EEA residents can lodge a complaint with their national supervisory authority. California residents have rights under CCPA §1798.100 to know, delete, and opt out of any sale. We do not sell personal data. To exercise any right, write to privacy@supportpilots.com. We will respond within 30 days.
VIII. Cookies
We use a first-party session cookie for login and an anonymous first-party preference cookie for currency selection. We also load Google Analytics 4 (property G-ZH4MN4ZH9X) and Google Tag Manager (container GTM-NRW3H9JP) for aggregated traffic measurement; these set Google first-party cookies `_ga` and `_ga_ZH4MN4ZH9X` with an expiry of up to two years. IP addresses passed to Google Analytics are truncated and no user-level profiling is performed. We do not run advertising, retargeting, or behavioural-profiling cookies, and we do not share analytics data with Google advertising products. The embed widget on customer sites is a shadow-DOM island and cannot read your customers' cookies. If we add marketing or advertising cookies in future, a consent banner will be introduced before any such cookie is set.
IX. Security
TLS 1.2+ everywhere. Database access is scoped by Supabase Row-Level Security, so your rows are unreachable by other tenants even in the event of an application bug. Passwords are hashed with bcrypt. Admin actions are audit-logged with a signed trail. We run dependency scans on every deploy and carry a documented incident response procedure. If a breach affects you, we will notify you within 72 hours of becoming aware, in line with GDPR Art. 33.
X. Children
SupportPilots is a B2B product and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have received data from a child, write to privacy@supportpilots.com and we will delete it immediately.
XI. Changes
Material changes to this policy are announced 14 days in advance by email and by a banner in the Dashboard. The effective date is always shown in the header of this page. Historical versions are available on request to legal@supportpilots.com.
XII. Contact the DPO
Data protection enquiries go to privacy@supportpilots.com. Telephone +44 7782 220559. Postal mail to Data Protection Officer, Telvara Holdings Limited, 27 Crofton Road, No. 6, 1st Floor, Liverpool, L13 5UJ, United Kingdom. Company number 17175891. If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority; UK residents can complain to the Information Commissioner's Office (ico.org.uk).