Privacy Policy

1. Introduction

GodEye ("the Service", operated at godeye.app) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have. This policy applies to all users of the Service, including visitors, registered users, and subscribers.

2. Data Controller

GodEye is operated by an independent team. For any privacy-related inquiries, you can reach us through the contact information provided on the Service or via our Telegram channel.

3. Data We Collect

We collect and process the following categories of personal data:

• Account data: email address and encrypted authentication credentials (managed by Supabase). Required to create and maintain your account.
• Analytics data (consent required): page views, click interactions, anonymized session replays (all form inputs masked), browser type, screen resolution, and approximate location derived from IP address. Collected via PostHog and Google Analytics only after you accept the cookie banner.
• Session replays (consent required): PostHog records visual replays of how you navigate the site. All text entered into form fields — including passwords, search queries, and personal information — is automatically masked and never captured. Session replays help us identify usability issues and improve the Service.
• Error and performance data (no consent required): when a technical error occurs, Sentry automatically captures diagnostic information including your IP address (which is anonymized), browser type and version, operating system, the page URL, and the technical error details. This is strictly necessary for maintaining service reliability.
• Payment data: if you purchase a subscription, payment processing is handled entirely by third-party processors (e.g. Stripe). We never see, store, or have access to your full credit card number or payment credentials. We only receive confirmation of payment status.
• Preferences: theme selection, language preference, sidebar module order, and starred assets. These are stored locally in your browser (localStorage) and are never transmitted to our servers.

4. Legal Basis for Processing

We process your personal data on the following legal grounds under the GDPR and equivalent regulations:

• Contract performance: account data is processed to provide the Service you signed up for.
• Consent: analytics and session replay data are only collected after you explicitly accept cookies via the banner. You may withdraw consent at any time.
• Legitimate interest: error monitoring (Sentry) is necessary to maintain a functional, secure, and reliable Service. We have assessed that this interest does not override your fundamental rights.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following service providers, who process it on our behalf under appropriate data processing agreements:

• Supabase (US): authentication and database hosting. Stores your email and encrypted credentials.
• PostHog (US): product analytics and session replays. Receives anonymized usage data only if you accept cookies.
• Google Analytics (US): traffic analytics. Receives page view data only if you accept cookies.
• Sentry (US): error monitoring. Receives anonymized diagnostic data when errors occur.
• Stripe (US): payment processing for subscriptions. Receives only the data necessary to process your payment.
• Vercel (US): website hosting and content delivery. May process your IP address as part of standard web hosting.
• Cloudflare (US): DNS and API proxy. May process your IP address for DDoS protection and routing.

6. International Data Transfers

Your data may be transferred to and processed in the United States by our service providers (Supabase, PostHog, Google, Sentry, Stripe, Vercel, Cloudflare). These transfers are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework where applicable. By using the Service, you acknowledge these transfers.

7. Data Retention

We retain your data only as long as necessary:

• Account data: retained while your account is active. Deleted upon account deletion request.
• Analytics data: PostHog data is retained per PostHog's retention policy. Google Analytics cookies expire after 2 years.
• Error data: Sentry retains error reports for 90 days by default.
• Payment records: retained as required by applicable tax and financial regulations.

8. Your Rights

Under the GDPR and similar privacy laws, you have the following rights:

• Right of access: you may request a copy of the personal data we hold about you.
• Right to rectification: you may request correction of inaccurate data.
• Right to erasure: you may request deletion of your personal data ("right to be forgotten").
• Right to restriction: you may request that we limit processing of your data.
• Right to data portability: you may request your data in a structured, machine-readable format.
• Right to object: you may object to processing based on legitimate interest.
• Right to withdraw consent: you may withdraw cookie consent at any time by clearing your browser's localStorage (the "godeye-cookie-consent" key) — the cookie banner will reappear.
• Right to lodge a complaint: you have the right to file a complaint with your local data protection authority if you believe your rights have been violated.

To exercise any of these rights, contact us through the channels provided on the Service.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including: encrypted authentication via Supabase (HTTPS, HttpOnly cookies), rate limiting on our API, restricted CORS policies, security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy), and sandboxed server processes with minimal privileges. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. Cookies and Tracking

For detailed information about the cookies and browser storage technologies we use, please see our Cookie Policy. In summary: essential cookies (authentication, language) are always active; analytics cookies (PostHog, Google Analytics) are loaded only after your explicit consent; and we use no advertising, marketing, or cross-site tracking cookies.

11. Children's Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. The "last updated" date at the top reflects the most recent revision. We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.