Privacy Policy's Privacy PolicyPrivacy Policy
Your privacy is fundamental to how we build Supymem. This policy explains how we collect, use, and protect your data.
Last updated: January 11, 2026 | Effective Date: January 11, 2026
1. Introduction
Supymem ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our knowledge management platform and related services (collectively, the "Service").
By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
Data Fiduciary: Supymem acts as a Data Fiduciary under applicable data protection laws, meaning we determine the purposes and means of processing your personal data.
2. Information We Collect
2.1 Information You Provide Directly
- •Account Information: Name, email address, password (hashed), profile picture, and organization details when you register.
- •Payment Information: Billing address and payment details (processed securely through our payment processor; we do not store full card numbers).
- •Communications: Information you provide when contacting our support team or participating in surveys.
- •User Content: Documents, notes, decisions, and other content you upload or create within the Service.
2.2 Information from Third-Party Integrations
When you connect third-party services, we collect data you authorize us to access:
- •Slack: Workspace information, channel names, message content (from channels you authorize), user profiles, and reactions.
- •GitHub: Repository metadata, code content, commit history, pull requests, issues, and comments.
- •Notion: Page content, database entries, and workspace structure.
- •Confluence: Space content, page content, and comments.
Important: We only request read-only access to your integrations. We never modify, delete, or post content on your behalf without explicit action from you.
2.3 Automatically Collected Information
- •Device Information: Browser type, operating system, device identifiers, and screen resolution.
- •Usage Data: Features used, pages visited, search queries, and interaction patterns.
- •Log Data: IP addresses, access times, referring URLs, and error logs.
- •Cookies: Essential cookies for authentication and session management. See our Cookie Policy for details.
3. How We Use Your Data
We process your personal data only for specific, explicit, and legitimate purposes:
Service Delivery
- • Provide and maintain the Service
- • Index and search your team's knowledge
- • Generate AI-powered insights and summaries
- • Process your queries and commands
Account Management
- • Create and manage your account
- • Process payments and billing
- • Send transactional communications
- • Provide customer support
Improvement & Analytics
- • Analyze usage patterns
- • Improve our algorithms and features
- • Debug and fix issues
- • Conduct research and development
Security & Compliance
- • Detect and prevent fraud
- • Enforce our terms of service
- • Comply with legal obligations
- • Protect rights and safety
AI Processing: We use AI models to process your data for search, summarization, and insights. Your data is not used to train our AI models without your explicit consent.
4. Data Sharing & Disclosure
We do not sell your personal data. We may share your information only in the following circumstances:
- •Service Providers: With trusted third-party vendors who assist us in operating our Service (cloud hosting, payment processing, email delivery, analytics). These providers are contractually bound to protect your data.
- •Within Your Organization: With other members of your organization as configured by your organization's administrators.
- •Legal Requirements: When required by law, court order, or government request, or to protect our rights, privacy, safety, or property.
- •Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections.
- •With Your Consent: For any other purpose with your explicit consent.
Our Service Providers Include:
5. Data Security
We implement comprehensive security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
Technical Safeguards
- • TLS 1.3 encryption in transit
- • AES-256 encryption at rest
- • Secure password hashing (bcrypt)
- • Regular security audits
- • Intrusion detection systems
Organizational Measures
- • Role-based access controls
- • Employee security training
- • Incident response procedures
- • Regular backup and recovery testing
- • Vendor security assessments
Data Breach Notification
In the event of a data breach that affects your personal data, we will notify you and the relevant authorities within 72 hours of becoming aware of the breach, as required by applicable law.
6. Your Rights (Data Principal Rights)
As a Data Principal, you have the following rights regarding your personal data:
Right to Access
Request a copy of the personal data we hold about you and information about how it is processed.
Right to Correction
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data, subject to legal retention requirements.
Right to Withdraw Consent
Withdraw your consent for data processing at any time. This does not affect prior lawful processing.
Right to Data Portability
Request your data in a structured, commonly used, machine-readable format.
Right to Grievance Redressal
Lodge a complaint with us or the relevant data protection authority.
How to Exercise Your Rights: Email us at asmit@supymem.com with your request. We will respond within 30 days. You may also use the account settings in the Service to manage your data.
7. International Data Transfers
Your personal data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place:
- •Our primary data processing occurs on Google Cloud Platform servers located in the United States.
- •We use Standard Contractual Clauses and other approved transfer mechanisms where required.
- •All international transfers comply with applicable data protection laws, including the DPDP Act requirements for cross-border data transfers.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion |
| User Content | Duration of account + 30 days after deletion |
| Integration Data | Until integration is disconnected + 7 days |
| Usage Analytics | 24 months (anonymized after 12 months) |
| Payment Records | 7 years (legal requirement) |
| Security Logs | 12 months |
When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
9. Legal Compliance
9.1 Digital Personal Data Protection Act, 2023 (India)
We comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025. As a Data Fiduciary, we:
- •Obtain clear, informed, and freely given consent before processing personal data
- •Process data only for specified, explicit, and legitimate purposes
- •Implement reasonable security safeguards to protect personal data
- •Honor Data Principal rights including access, correction, erasure, and grievance redressal
- •Notify the Data Protection Board and affected individuals of data breaches
- •Ensure cross-border data transfers comply with prescribed conditions
9.2 Information Technology Act, 2000 (India)
We comply with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:
- •Section 43A: We maintain reasonable security practices and procedures for sensitive personal data
- •Section 72A: We do not disclose personal information in breach of lawful contract
- •SPDI Rules: We have documented information security policies and implement ISO 27001 aligned practices
9.3 Other Applicable Laws
Depending on your location, additional data protection laws may apply, including GDPR (EU), CCPA (California), and others. We strive to comply with all applicable data protection regulations.
Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such information.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer
Email: asmit@supymem.com
General Inquiries
Email: asmit@supymem.com
Grievance Redressal
If you are not satisfied with our response to your privacy concern, you may lodge a complaint with the Data Protection Board of India or the relevant supervisory authority in your jurisdiction.
We aim to respond to all privacy-related inquiries within 30 days.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by:
- •Posting the updated policy on our website with a new "Last Updated" date
- •Sending an email notification to registered users for significant changes
- •Displaying a prominent notice within the Service
Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.