Privacy Policy

What we collect, what we do with it, what you can do about it.

Effective May 12, 2026

Asasi takes privacy seriously. This policy is short on purpose: we only collect what the product genuinely needs, we don’t sell data, and we don’t train AI models on it.

01 · What we collect

Account data. Email, display name, password hash (never the password itself). Optional: profile picture if you upload one.

Intake answers. The 12 questions you answer about your business. These power every generation we run for you.

Generated outputs. The brand identity, business plan, and other layers Asasi produces. Stored against your account so you can come back, regenerate, and download.

Usage telemetry. Anonymised events (page views, generation requests, feature usage) for product analytics and abuse detection. We use PostHog for this.

Billing data. Handled by Stripe. We never touch your card number; Stripe gives us a token and the subscription state.

Error reports. When something crashes, we capture the technical details (browser, request id, error stack) via Sentry. PII is scrubbed before send.

02 · What we don't collect

  • We don’t collect biometric data, location data beyond city-level inferred from IP, or any sensitive category data (health, ethnicity, etc.).
  • We don’t use third-party ad trackers (no Google Ads, no Facebook Pixel).
  • We don’t fingerprint your device.

03 · How we use it

To run Asasi for you:

  • Authenticate your account.
  • Generate, regenerate, and serve your outputs.
  • Bill you correctly.
  • Send transactional email (receipts, password resets, generation-complete notifications).
  • Improve the product (anonymised funnel analytics).

We also use your intake answers and outputs to build anonymised industry benchmarks — e.g. “your projected MRR is in the 60th percentile of pre-launch SaaS in your region.” This is aggregated and never traceable to your account.

04 · Where data lives

Application data is stored in Supabase (Postgres + Storage, hosted on AWS). LLM requests are processed by Anthropic. Static assets are served by Vercel. Payment data is handled by Stripe. Errors go to Sentry. Product analytics go to PostHog.

All sub-processors are listed in our Data Processing Addendum (DPA) and each has signed a GDPR-compliant DPA with us.

05 · AI training & model providers

Asasi sends your intake answers and outputs to Anthropic to run generations. Per Anthropic’s commercial terms, your data is not used to train Anthropic’s models.

We never train our own models on customer data. We don’t fine-tune. We don’t share your intake or outputs with any third-party AI provider beyond Anthropic.

06 · Your rights (GDPR + CCPA)

You can, at any time:

  • Access all data we hold on you — export from account settings.
  • Correct any inaccurate data — edit your profile, your intake, your generated outputs.
  • Delete your account and all associated data — one click from account settings.
  • Portability — download everything as JSON.
  • Object to processing — close your account or email us.

For California residents: we don’t sell your personal information. Period.

07 · Retention

Active accounts: we keep data as long as your account exists. Closed accounts: data is deleted within 30 days. Backups retain data for an additional 90 days before rotation, after which it’s permanently gone.

Anonymised, aggregated benchmarks (industry data) may be retained indefinitely — they contain no traceable link to your account.

08 · Cookies

See our separate Cookie Policy for the full breakdown. The short version: essential cookies only by default, with a clear consent banner on first visit.

09 · Security

Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted by Supabase’s default storage encryption. Passwords are hashed with bcrypt. We support 2FA via TOTP on paid plans.

We’re working toward SOC 2 Type I certification, targeted for completion within the next 12 months.

10 · Contact

For privacy questions, data access requests, or breach reports, email privacy@asasi.io. We respond within 5 business days and resolve formal data-subject requests within the 30-day GDPR window.