# Privacy Policy for Supanator

**Effective Date: November 18, 2025 (2025-11-18)**

## 1. Introduction

This Privacy Policy describes how Supanator ("we," "our," or "the app") collects, uses, and protects your information when you use our iOS application. By using Supanator, you agree to the collection and use of information in accordance with this policy.

## 2. Information We Collect

### 2.1 Information You Provide

- **Supabase Authentication**: You can authenticate using either:
  - **OAuth 2.0**: Securely log in with your Supabase account credentials. We use OAuth tokens to access your Supabase projects on your behalf
  - **Personal Access Tokens**: Manually provide experimental API tokens or personal access tokens from your Supabase account
- **Project Access Keys**: When you authenticate, we retrieve your project's service role keys and anon keys from the Supabase Management API
- **Token Names**: Optional names you assign to saved authentication methods for your convenience

### 2.2 Automatically Collected Information

- **Usage Data**: Basic app usage statistics (features used, crash reports)
- **Device Information**: iOS version, device model, app version

### 2.3 AI Assistant Data Collection

- **Chat Conversations**: When you use the Supanator AI chat assistant, your questions and conversation history are sent to our secure proxy server
- **Project Schema Information**: Database table names, column names, function names, and storage bucket information from your connected Supabase project
- **Support ID**: A unique anonymous identifier generated on your device for rate limiting and support purposes, synced across your devices via iCloud Keychain

### 2.4 Information We Do NOT Collect

- Personal identification information (name, email, phone number)
- Location data
- Contact information
- Payment information (handled by Apple App Store)
- Actual database content (row data, file contents, secrets)

## 3. How We Use Your Information

We use the collected information solely to:

- **Authentication**: Facilitate OAuth 2.0 login and manage authentication sessions with Supabase
- **API Key Retrieval**: Use your OAuth tokens or personal access tokens to retrieve your project's API keys from Supabase Management API
- **Project Access**: Connect to and manage your Supabase projects using your retrieved API keys
- **Token Management**: Automatically refresh OAuth access tokens before expiration to maintain seamless access
- **App Functionality**: Enable database management, storage operations, edge functions, and other Supabase features
- **AI Assistance**: Provide AI-powered help through the chat feature (optional)
- **Preferences**: Save your authentication methods and preferences locally on your device
- **Performance**: Improve app performance and fix bugs
- **Rate Limiting**: Enforce usage limits on AI features during beta (10 requests per hour)

## 4. Data Storage and Security

### 4.1 Local Storage

- **OAuth Tokens**: OAuth access tokens, refresh tokens, and expiration times are stored securely in iOS Keychain on your device
- **API Keys**: Service role keys and anon keys retrieved from your Supabase projects are stored locally in iOS Keychain
- **No Server Storage**: We do NOT store your OAuth tokens, API keys, or credentials on any external servers
- **Encryption**: All sensitive data is encrypted using iOS native Keychain security features
- **Token Refresh**: OAuth access tokens are automatically refreshed before expiration to maintain seamless access

### 4.2 Fresh Install Detection

- Uninstalling the app will clear all stored credentials upon reinstallation
- This ensures your sensitive data doesn't persist after app removal

### 4.3 Widget Data

- Analytics data for widgets is stored in a secure app group container
- Only accessible by the main app and widget extension

### 4.4 AI Chat Data

- Chat conversations are NOT stored permanently on our servers
- Conversations are processed in real-time and forwarded to OpenAI
- Your Support ID is hashed for privacy before being used for rate limiting
- Support ID is stored in iCloud Keychain and syncs across your Apple devices

## 5. Third-Party Services

### 5.1 Supabase

- **OAuth Integration**: When you use OAuth login, we facilitate the authorization flow through Supabase's official OAuth 2.0 API using our registered OAuth application
- **Token Exchange**: During OAuth authentication, we use a secure Cloudflare Worker backend to exchange authorization codes for access tokens (this protects sensitive OAuth application credentials)
- **Management API**: We use your OAuth tokens or personal access tokens to retrieve your project's API keys through the Supabase Management API
- **Direct Connection**: After authentication, Supanator connects directly to your Supabase project using your retrieved API keys
- **Data Flow**: All database, storage, and function operations occur directly between your device and Supabase servers
- **No Data Interception**: We do not intercept, store, or process your Supabase project data on any intermediate servers
- **Token Revocation**: When you log out, we securely revoke your OAuth tokens through our backend to invalidate access
- **Supabase Terms**: Your use of Supabase is governed by Supabase's own privacy policy and terms of service

### 5.2 OpenAI (AI Chat Assistant)

- **Service Provider**: Supanator AI uses OpenAI's GPT models to provide intelligent assistance
- **Data Transmitted**: Your chat messages and project schema information (table names, column names, function names) are sent to OpenAI via our secure proxy server
- **Data NOT Transmitted**: Actual database content (row data), API keys, passwords, or other sensitive credentials
- **OpenAI's Privacy**: Your data is subject to OpenAI's data processing practices and privacy policy
- **No Permanent Storage**: We do not store your AI conversations on our servers after processing
- **Usage Limits**: During beta, AI chat is limited to 10 requests per hour per user to manage costs

**IMPORTANT**: Do not share passwords, API keys, personal information, or other sensitive data in AI chat conversations.

### 5.3 Apple Services

- App Store for distribution and in-app purchases
- StoreKit for subscription management
- iCloud Keychain for Support ID synchronization across devices
- Your subscription data is managed by Apple

## 6. Data Sharing

We do NOT:

- Sell, trade, or rent your information to third parties
- Share your credentials with anyone
- Access your Supabase data for any purpose other than app functionality
- Collect or store analytics about your Supabase projects
- Store your AI chat conversations permanently

We DO share:

- AI chat messages and project schema with OpenAI for processing (as described in Section 5.2)
- Anonymous usage data with our proxy server for rate limiting purposes

## 7. Your Rights

You have the right to:

- **Log Out**: Remove all stored OAuth tokens, API keys, and credentials from your device at any time
- **Revoke OAuth Access**: Log out to revoke Supanator's OAuth access to your Supabase account
- **View Stored Data**: See what authentication methods and projects are stored on your device
- **Delete Credentials**: Remove individual saved tokens or clear all authentication data
- **Clear Chat History**: Delete AI chat conversation history at any time
- **Decline AI Features**: Choose not to use the AI chat feature
- **Uninstall**: Permanently remove all local data by uninstalling the app
- **Manage Subscriptions**: Control your subscription through iOS Settings
- **Access Support ID**: View your anonymous Support ID from the app's feedback page

## 8. Children's Privacy

Supanator is not intended for use by children under 13 years of age. We do not knowingly collect information from children under 13.

## 9. Disclaimer and Limitation of Liability

### 9.1 No Warranty

SUPANATOR IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

### 9.2 Limitation of Liability

IN NO EVENT SHALL THE DEVELOPER OF SUPANATOR BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, OR IN CONNECTION WITH THE APP OR THE USE OR OTHER DEALINGS IN THE APP.

### 9.3 User Responsibility

- **Device Security**: You are solely responsible for securing your device. Your Supabase project's admin credentials (service role keys) are stored on your device
- **OAuth Access**: When using OAuth, you grant Supanator access to your Supabase account. You can revoke this access at any time through Supabase's dashboard or by logging out
- **API Key Security**: Service role keys provide full administrative access to your Supabase project. Protect your device with a passcode, Face ID, or Touch ID
- **Actions and Liability**: You are responsible for any actions taken using your Supabase credentials through the app
- **AI Chat Content**: You are responsible for the content you share in AI chat conversations
- **Sensitive Information**: Do not share passwords, API keys, personal data, or other secrets in AI chats
- **Data Loss**: We are not liable for any data loss, security breaches, or damages resulting from your use of the app
- **Risk Acknowledgment**: You use this app, including its admin capabilities and AI features, at your own risk

### 9.4 Third-Party Services

- We are not responsible for the availability, accuracy, or reliability of Supabase services
- We are not liable for any issues arising from Supabase service interruptions or changes
- Your relationship with Supabase is governed by their terms, not ours
- We are not responsible for OpenAI's AI responses, accuracy, or any actions taken based on AI suggestions
- AI-generated content may contain errors and should be verified before use in production environments
- Your use of OpenAI services through our app is subject to OpenAI's terms of service

### 9.5 No Professional Advice

This app and its AI chat feature are not intended to provide professional database administration advice. AI suggestions should be reviewed and tested before implementing in production environments. Always consult with qualified professionals for critical database operations.

## 10. Indemnification

You agree to indemnify, defend, and hold harmless the developer of Supanator from and against any and all claims, liabilities, damages, losses, costs, expenses, or fees arising from your use of the app or violation of these terms.

## 11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by updating the "Effective Date" at the top of this policy. Continued use of the app after changes constitutes acceptance of the updated policy.

## 12. Data Retention

- **OAuth Tokens**: Access tokens and refresh tokens remain stored in iOS Keychain until you log out or uninstall the app
- **API Keys**: Service role keys and anon keys remain stored until you log out or uninstall the app
- **Token Expiration**: OAuth access tokens are automatically refreshed before expiration; expired tokens are replaced seamlessly
- **AI Chat Conversations**: NOT stored on our servers after processing
- **Support ID**: Persists in iCloud Keychain until you uninstall the app from all your devices
- **Rate Limiting Data**: Automatically deleted after 1 hour on our servers
- **No Remote Access**: We do not have access to delete your locally stored data remotely
- **Subscription Information**: Retained by Apple according to their policies

## 13. International Use

This app is designed for use globally. By using Supanator outside of your country, you consent to the transfer and processing of your data in accordance with this policy.

## 14. Contact Information

For questions about this Privacy Policy or the app, please contact:

- Email: jean.robert.nino@icloud.com
- Through the in-app contact form
- App Store: Through the App Store support feature

## 15. Acceptance of Terms

By using Supanator, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and accept all risks associated with using the app.

## 16. Severability

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Privacy Policy will otherwise remain in full force and effect.

## 17. Governing Law

This Privacy Policy is governed by the laws applicable to software distributed through the Apple App Store, without regard to conflict of law principles.

---

**Remember**: Supanator is an independent tool not affiliated with Supabase Inc. Use at your own discretion and risk.