Privacy Policy

1. Information We Collect

1.1 Account Information

When you create a 38Hub account, we collect information provided through Google OAuth authentication, including your name, email address, and profile picture. We do not receive or store your Google password. Your account is identified by a unique user ID generated by our authentication provider, Supabase Auth. You may optionally provide additional profile information such as a display name, bio, or preferred language setting, which is stored in your user profile.

1.2 Usage Data

We automatically collect certain information about how you interact with the Service. This includes pages visited, features used, timestamps of actions, browser type and version, operating system, and referring URLs. This data helps us understand how the Service is used and identify areas for improvement. We do not use third-party analytics or tracking services; usage data is collected through server-side logging only and is not shared with external analytics providers.

1.3 Content Data

The Service stores content that you create, upload, or generate, including ideas, notes, articles, social media posts, scripts, images, and other creative works. This content is stored in our database to provide the Service to you. We also store metadata associated with your content, such as tags, categories, scores, formats, and creation dates. Any files you upload, including PDFs and images, are stored in Supabase Storage and associated with your account.

1.4 API Keys

38Hub operates on a Bring Your Own Key (BYOK) model. If you choose to use AI features, you provide your own API keys for third-party AI providers such as Anthropic (Claude) or OpenAI (GPT-4o). These keys are stored encrypted in your user profile within our database. We use your API keys solely to make API calls to the respective providers on your behalf, and we never share your keys with any other party or use them for any purpose other than providing you with AI-powered features within the Service.

2. How We Use Your Information

2.1 Providing the Service

We use your information to operate, maintain, and provide the features and functionality of the Service. This includes authenticating your identity, storing and retrieving your content, executing AI operations using your provided API keys, and syncing data across your devices. Your content data is processed to enable features such as AI idea scoring, content generation, format conversion, and content strategy recommendations.

2.2 Improving the Product

We use aggregated and anonymized usage data to understand how the Service is being used, identify bugs and performance issues, and improve existing features. We may analyze patterns in feature usage to prioritize our product roadmap. We do not use your individual content for training AI models or for any purpose beyond providing the Service directly to you. Any analytics we perform are based on aggregated, non-identifiable metrics.

2.3 Communication

We may use your email address to send you essential service communications, including account verification, security alerts, and important product updates. We may also send you optional notifications about new features, tips, and product news, which you can opt out of at any time through your account settings. We will never sell your email address to third parties or use it for unsolicited marketing from other companies.

3. Data Storage & Security

All user data is stored on Supabase, a secure, enterprise-grade cloud infrastructure built on top of PostgreSQL. Our database is hosted in secure, SOC 2-compliant data centers with automated backups, encryption at rest using AES-256, and encryption in transit using TLS 1.3. We implement Row Level Security (RLS) policies on all database tables, which means that every query is filtered at the database level to ensure users can only access their own data — even in the unlikely event of an application-level vulnerability.

API keys stored in your profile are encrypted before being written to the database. Access to production databases is restricted to essential personnel only, and all access is logged and audited. We perform regular security reviews and follow industry best practices for web application security, including CSRF protection, input sanitization, and secure session management through Supabase Auth.

File uploads, including PDFs and images, are stored in Supabase Storage with access controlled by signed URLs and storage policies that ensure only the file owner can access their uploads. We do not serve user-uploaded files publicly unless explicitly shared by the user.

4. AI Provider Data Handling

38Hub uses a Bring Your Own Key (BYOK) model for AI functionality. When you use AI features such as idea scoring, content generation, or text extraction, your content is sent directly to the AI provider (Anthropic or OpenAI) via their respective APIs using your personal API key. 38Hub acts as an intermediary, formatting your requests and parsing responses, but the data flows through the provider's standard API infrastructure.

We do not train any AI models on your data. Your content sent to AI providers is subject to each provider's own data handling policies. As of the date of this policy, both Anthropic and OpenAI have committed to not using data submitted through their APIs for model training purposes. We encourage you to review each provider's privacy policy and API terms of service for the most current information on how they handle API data.

We do not store AI-generated responses separately from your content. When an AI generates a draft, score, or suggestion, it is saved as part of your content within your account, subject to the same security protections described in Section 3. You retain full ownership and control over all AI-generated content produced through the Service.

5. Third-Party Services

38Hub integrates with the following third-party services to provide its functionality. Each service has its own privacy policy governing how it handles data:

• Supabase — Provides our database infrastructure, authentication (including Google OAuth), file storage, and real-time features. Supabase is SOC 2 Type II compliant. Data is stored in secure cloud environments with encryption at rest and in transit.
• Anthropic (Claude) — An AI provider used for content generation, idea scoring, and text analysis when you select Claude as your preferred AI provider and provide your own API key. Data sent to Anthropic is processed according to their API Terms of Service.
• OpenAI (GPT-4o) — An AI provider used for content generation, idea scoring, and text analysis when you select OpenAI as your preferred AI provider and provide your own API key. Data sent to OpenAI is processed according to their API data usage policy.
• Google — Used for OAuth authentication only. We receive your basic profile information (name, email, profile picture) when you sign in with Google. We do not access your Google Drive, Gmail, or other Google services.

6. Your Rights

You have the following rights regarding your personal data. You can exercise these rights at any time by contacting us at privacy@38hub.com or through your account settings where applicable:

• Right to Access — You may request a copy of all personal data we hold about you, including your account information, content data, and usage records. We will provide this information in a commonly used electronic format within 30 days of your request.
• Right to Correction — You may update or correct your personal information at any time through your account settings. If you discover inaccuracies in data we hold about you that cannot be corrected through the Service, you may request that we correct it.
• Right to Deletion — You may request the deletion of your account and all associated data at any time. Upon receiving a deletion request, we will permanently remove your account, content, API keys, and all associated data within 30 days, subject to the data retention provisions in Section 7.
• Right to Export — You may export your content and data from the Service at any time using our built-in export functionality. Exports are available in standard formats (JSON, CSV) to ensure portability.
• Right to Portability — You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another service provider without hindrance from us.

7. Data Retention

We retain your personal data for as long as your account remains active and as needed to provide you with the Service. Your content, profile information, and settings are stored indefinitely while your account is active, and you may delete individual items or your entire account at any time.

Upon account deletion, we initiate a permanent data removal process. All personal data, content, uploaded files, API keys, and associated metadata are permanently deleted within 30 days of receiving the deletion request. During this 30-day period, your data is marked for deletion and is no longer accessible through the Service, but is retained in our backup systems. After the 30-day period, your data is purged from all systems, including backups.

We may retain certain anonymized, aggregated data that does not identify you personally for analytical and product improvement purposes even after account deletion. This data cannot be linked back to your account or identity.

8. Cookies

38Hub uses only essential cookies that are strictly necessary for the operation of the Service. We use authentication cookies set by Supabase Auth to manage your login session securely. These cookies contain a session token and are encrypted, HTTP-only, and have a limited lifetime. We also use localStorage to store your theme preference (light/dark mode) and other non-sensitive UI settings.

We do not use any analytics cookies, advertising cookies, or third-party tracking cookies. We do not use cookies for behavioral tracking, retargeting, or cross-site tracking. For more information about our cookie practices, please see our Cookie Policy.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have collected personal data from a child under 13, we will take immediate steps to delete that information from our systems.

If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us at privacy@38hub.com so that we can take appropriate action. We encourage parents and guardians to monitor their children's online activities and to help enforce this policy by instructing their children to never provide personal information through the Service without permission.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will notify you by posting a prominent notice on the Service and updating the "Last Updated" date at the top of this page. For significant changes that affect how we handle your data, we will also send a notification to the email address associated with your account at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this page periodically to stay informed about how we protect your information.