Privacy Policy
Effective Date: February 10, 2026
At substr.io (“we,” “us,” or “our”), we take your privacy seriously. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our AI content creation platform at substr.io (the “Service”).
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address and authentication credentials (via Google OAuth).
- Payment Information: Billing details processed through Stripe. We do not directly store your complete credit card information.
- Workspace Content: Article topics, outlines, knowledge maps, brand voice profiles, and content drafts created within the platform.
- Source Material: Transcripts, meeting notes, internal documentation, and other text files you upload to articles.
- Support Communications: Messages and attachments you send to support@substr.io.
1.2 Information Collected Automatically
- Usage Data: Article creation activity, workflow stage completions, feature usage patterns, and session activity.
- Technical Information: IP addresses, browser type, device information, operating system, and access times via Vercel.
- Analytics: Vercel Analytics for page views, session duration, and navigation patterns.
1.3 Information from Third Parties
- AI Model Providers: When generating content, your article data (source material, outlines, voice profiles) is sent to AI model providers (OpenAI, Anthropic, Google, Perplexity) for processing. We receive usage metadata but do not store content beyond the duration of active processing. All providers are accessed via their API tier, which explicitly excludes customer data from model training.
- Authentication: When you sign in via Google OAuth, we receive your email address and basic profile information as permitted by your Google account settings.
2. How We Use Your Information
- Provide the Service: Facilitate content creation workflows, AI-assisted drafting, knowledge mapping, and SME collaboration.
- Process Payments: Handle subscription billing and prevent fraud.
- Communicate: Send service updates, billing notifications, security alerts, and respond to support requests.
- Improve the Service: Analyze usage patterns to enhance features and optimize performance.
- Security: Detect abuse, prevent unauthorized access, and enforce our Terms of Service.
- Legal Obligations: Respond to lawful requests and enforce our legal rights.
3. How We Share Your Information
We do not sell your personal information. We share data only with:
3.1 Service Providers
- Stripe: Payment processing and subscription management.
- Vercel: Platform hosting and analytics.
- Supabase: Database hosting and authentication.
- Perplexity API: Smart Brief generation — research and competitor analysis.
- AI Model Providers: Your article content is processed by providers (OpenAI, Anthropic, Google) per the workflow stage. Each provider is accessed via API tier only — your data is never used for their model training.
These providers are contractually obligated to protect your data.
3.2 SME Collaborators
When you invite a subject matter expert to review an article, they receive comment-only access to that specific article or outline. They cannot access other workspaces, clients, or any data beyond what you explicitly share with them.
3.3 Legal Requirements
We may disclose information if required by law, legal process, or to protect the rights, property, or safety of substr.io, our users, or the public.
3.4 Business Transfers
If substr.io is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change in advance.
4. Data Security
- Encryption: All data in transit uses TLS encryption. Data at rest is encrypted by Supabase.
- Data Isolation: Each organization's data is isolated via row-level security (RLS) — no cross-organization data leakage is possible.
- Access Controls: Employee access to personal data is restricted on a need-to-know basis.
- Source Material Handling: Uploaded transcripts and notes are stored in Supabase Storage and sent to AI providers only during active article processing. They are never stored by AI providers.
No system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and managing SME invite access appropriately.
5. Data Retention
- Active Accounts: All workspace content, articles, sources, and voice profiles are retained while your account is active.
- Deleted Accounts: After account deletion, your data is retained for 90 days for legal compliance and recovery purposes, then permanently deleted.
- Usage Logs: Activity and access logs are retained for 90 days.
6. Your Rights and Choices
GDPR Rights (EEA Residents)
If you are located in the EEA, you have the following rights: access to your data, rectification of inaccuracies, erasure, restriction of processing, data portability, objection to processing, and withdrawal of consent where processing is consent-based.
We process your data based on: contract performance (providing the Service), legitimate interests (security, fraud prevention), consent (marketing communications), and legal obligations.
All Users
- Update your account information through your dashboard.
- Request a copy of your workspace content, articles, and usage data.
- Delete your account at any time from your account settings.
- Unsubscribe from marketing emails via the unsubscribe link in any email.
To exercise these rights, contact support@substr.io. We will respond within 30 days.
California Privacy Rights (CCPA)
California residents have the right to know what personal information we collect, request deletion, and opt out of sale. We do not sell personal information.
7. International Data Transfers
Your information may be processed in countries outside your country of residence, including the United States, where our service providers operate. We implement appropriate safeguards including Standard Contractual Clauses and Data Processing Agreements with all providers.
8. Children's Privacy
The Service is not intended for users under 18. We do not knowingly collect information from children. If you believe we have inadvertently collected such information, contact support@substr.io and we will delete it promptly.
9. Cookies and Tracking
- Essential Cookies: Required for authentication and session management.
- Analytics: Vercel Analytics for aggregated usage statistics. No cross-site tracking.
- Authentication: Google OAuth tokens for sign-in.
We do not use third-party advertising cookies or cross-site tracking technologies.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by posting a notice on substr.io and sending an email to your registered address. Continued use of the Service after the effective date of changes constitutes acceptance.
11. Contact Us
Email: support@substr.io
Website: substr.io
For GDPR-related inquiries, include “GDPR Request” in your email subject line.