Privacy
Last updated: April 27, 2026.
This page explains what SuperThinking collects, where it goes, who else touches it, and how to delete it. It covers both the marketing site and the product. We try to keep the language plain — if something is unclear, email privacy@superthinking.ai.
Who we are
SuperThinking is operated by the company building superthinking.ai. For the purposes of EU GDPR and UK GDPR we are the data controller for account data and the data processor for content you ingest into your workspace through integrations.
What we collect when you sign up
- Your email address and (if you set one) a display name.
- An OAuth identifier from your sign-in provider (Google, GitHub, etc.) so we can authenticate you next time.
- A hashed IP address and user-agent string for abuse detection.
- Workspace name, role, and members you invite.
- Billing details when you start a paid plan — handled directly by Stripe; we never see your card number.
What we collect when you connect an integration
Each source you connect streams events into your workspace. We store those events so the cortex can evaluate them, dispatch actions to your connected AI, and surface them in your timeline. The exact shape of the data depends on the source kind:
- Gmail / Google Calendar (OAuth)
  - Message subjects, senders, recipients, bodies, attachment metadata, labels, timestamps. Calendar invites, attendees, event titles, locations, descriptions. Pulled via Google's history API on a poll. Use of Gmail data complies with Google's Limited Use requirements — we do not transfer this data to third parties for advertising or unrelated machine-learning training, do not allow humans to read it except where you grant explicit support access, and disclose all sub-processors below.
- WhatsApp Cloud API
  - Inbound customer messages (text, media metadata, location, button replies), the sender's WhatsApp ID, your business phone number ID, delivery statuses.
- Slack Events API
  - @-mentions, DMs and channel messages in channels the bot is invited into, reactions, sender Slack user IDs, channel IDs, timestamps, thread relationships.
- Email forwarding
  - The full content of any message you forward to your private inbox address — subject, sender, body, headers, attachment metadata.
- HubSpot, Intercom
  - Contact records, conversation messages, deal updates, pipeline stage changes, ticket events.
- GitHub
  - Repository events you select — PR opens, issue activity, push events, workflow runs, deployment statuses — including author handle and commit metadata.
- Stripe
  - Payment events, dispute updates, subscription state changes, customer IDs (we never see card numbers — Stripe handles those).
- Linear, Notion, Sentry, Vercel, PagerDuty, Jira
  - Issue, incident, deploy, and page activity events as the provider sends them.
- RSS feeds
  - Public feed items polled every five minutes.
- Generic webhook
  - Whatever JSON you POST to your inbound URL.
You control what reaches the cortex. Pause or delete a source any time and we stop ingesting from it; deleting a source also queues its event history for purge.
What we do with the data
- Run each event through the cortex (a Gemini Flash-Lite model), which decides one of four actions: ignore, remember, think, or act.
- If think or act, send a prompt to the AI you have connected (Claude, ChatGPT, or any OpenAI-compatible endpoint you point us at).
- Store an embedding of each event so the cortex can reference similar past events — this is how the “memory” behaviour works.
- Show the event in your workspace timeline and in any rule traces.
- Aggregate workspace-level usage metrics (event count, dispatch latency, model spend) so we can bill you accurately and detect outages.
We do not train any model on your event content. We do not sell your data. We do not share it with advertisers.
Where we store it
- Events, sources, outputs, rules, and embeddings live in MongoDB Atlas (US region by default; EU region available on request for paid plans).
- Sensitive fields (OAuth tokens, App Secrets, API keys) are encrypted at rest with AES-GCM using a per-workspace key encryption key (KEK) derived from a master key held in our hosting provider's secret manager.
- All traffic is TLS 1.2+ in transit.
- Backups are encrypted and retained for 30 days, then rotated out.
Sub-processors
We use these vendors to run the service. Each handles a narrow, listed function. We do not pass your event data to anyone else.
| Vendor | Purpose | Region |
|---|---|---|
| Anthropic, Inc. | Claude API — cortex 'think' and dispatch to Claude outputs. | United States |
| Google LLC (Cloud) | Gemini API — cortex evaluation (Flash-Lite). Gmail / Calendar OAuth and polling. | United States |
| OpenAI, L.L.C. | ChatGPT dispatch when you select OpenAI as an output. | United States |
| MongoDB, Inc. | Primary database (events, sources, outputs, rules, embeddings). | United States / EU on request |
| Vercel Inc. | Application hosting, edge runtime, transactional logs. | Global edge; US primary |
| Resend, Inc. | Transactional email (sign-in links, alerts, password resets). | United States |
| Stripe, Inc. | Subscription billing and payment processing. | United States |
| Upstash, Inc. | Redis-backed rate limiting. | United States / EU |
| PostHog Inc. | Product analytics on the application. | United States / EU |
| Cloudflare, Inc. | DNS, edge network protection, DDoS mitigation. | Global edge |
We notify workspace admins by email at least 30 days before adding a new sub-processor. A signed Data Processing Addendum (DPA) covering this list is available — email privacy@superthinking.ai.
How long we keep it
- Active workspace data (events, rules, sources, outputs) — kept until you delete it, or until you cancel the workspace.
- Cancelled workspaces — purged within 30 days of cancellation, sooner if you ask.
- Backups — encrypted, rotated out within 30 days.
- Billing records — retained for the period required by tax and accounting law (typically 7 years).
- Audit logs (sign-ins, role changes) — 12 months.
Your rights
Under the EU GDPR, UK GDPR, and California Consumer Privacy Act (CCPA), you have the right to:
- Access the data we hold about you and receive a portable export.
- Correct inaccurate data.
- Request deletion (the “right to be forgotten”).
- Restrict or object to processing.
- Withdraw consent for any optional processing at any time.
- Lodge a complaint with your local data protection authority.
For workspace admins, a lot of this is self-service inside the app — delete a source, delete an event, delete a workspace. For anything you cannot do in the UI, email privacy@superthinking.ai and we will respond within 30 days (usually within 72 hours).
International data transfers
Our default region is the United States. If you are based in the EU, UK, or another jurisdiction with cross-border restrictions, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum) for transfers. EU residency for primary storage is available on Pro and Business plans.
Children
The service is not directed at children under 16. If you become aware that a minor has provided personal data without parental consent, contact us and we will delete it.
Cookies and analytics
We use a session cookie to keep you signed in. We also use PostHog and (on the marketing site) Google Analytics to understand which pages people read and which features they use. These are configured to anonymise IP addresses where possible. We do not run ad-network trackers.
Security incidents
If we discover a breach affecting your personal data we will notify affected workspace admins by email within 72 hours of becoming aware, and the relevant supervisory authority where required by law. We run encryption at rest, role-based access on production data, audit logging, and least-privilege engineering access.
Provider-specific notes
Google user data (Gmail, Calendar). Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data solely to provide and improve user-facing features of SuperThinking; we do not transfer that data for ads or unrelated training, do not allow humans to read it except with your explicit consent or for security/legal reasons, and disclose every sub-processor in the table above.
Meta / WhatsApp. Use of WhatsApp Business Platform data complies with the Meta Platform Terms and the WhatsApp Business Solution Terms. Customer phone numbers and message content are stored encrypted, accessible only to your workspace.
Changes to this policy
We will post material changes here with the new “Last updated” date and email workspace admins. If a change reduces your rights, we will give you at least 30 days' notice and the option to export your data and cancel.
Contact
Privacy questions, deletion requests, DPAs: privacy@superthinking.ai.