Privacy Policy
What data we collect, why we collect it, and how you can control it.
Last updated: July 4, 2025
Supascribe Limited ("Supascribe," "we," "our," "us") respects your privacy. This policy explains what data we collect, why we collect it, and how you can control it when you visit supascribe.com or use any Supascribe product or service (together, the "Service").
1. Data We Collect
Account & Contact Data
- Email address, name, and organisation, provided when you register or fill in our forms.
Subscriber Data (Embed Widgets)
- Email addresses that your own readers enter into Supascribe capture widgets.
Usage & Device Data
- IP address, browser type, pages visited, time spent, and referrer URL, gathered automatically via cookies and similar technologies.
Support Data
- Messages and files you send to our support team.
We do not collect payment-card numbers; those are handled directly by Stripe.
2. Why We Collect Your Data
- Operate the Service — create and secure accounts, display widgets, generate analytics. Legal basis: Contract (GDPR Art 6 (1)(b)).
- Marketing Emails — send product updates, tips, and offers to registered users. You can unsubscribe at any time. Legal basis: Consent / Legitimate Interest.
- Transactional Emails — verification, password resets, security alerts. Legal basis: Contract / Legitimate Interest.
- Security & Abuse Prevention — detect and block spam or fraud. Legal basis: Legitimate Interest.
- Legal Compliance — meet tax, accounting, and privacy-law obligations. Legal basis: Legal Obligation.
- Product Improvement — use aggregated, anonymised analytics to improve features. Legal basis: Legitimate Interest.
Widget-Collected Emails
- Controller vs Processor — You (the publisher) are the data controller; Supascribe acts as your processor.
- Supascribe's use — We store and forward these addresses only to deliver the widget service. We do not use them for our own marketing, analytics, or resale.
3. How We Share Data
- Service Providers — cloud hosting, email delivery, payment processing, and similar vendors who work under our instructions.
- Publishers (your account) — subscriber emails collected through your widgets are delivered to you.
- Legal Authorities — when required to comply with law or to protect rights, property, or safety.
- Business Transfers — if we merge, sell, or reorganise, data may transfer as part of the deal; you will be notified in advance.
We never sell or rent personal data.
4. Cookies & Tracking
We use essential cookies to: keep you logged in, remember your preferences, and collect anonymised usage analytics.
You can disable cookies in your browser, but parts of the Service may stop working.
5. International Data Transfers
We are based in New Zealand but run global infrastructure. When we move personal data outside New Zealand, the European Economic Area, or the United Kingdom, we rely on recognised safeguards (such as Standard Contractual Clauses) to protect it.
6. Data Retention
- Account data — kept while your account is active, then stored for up to 90 days in backups.
- Subscriber emails (widget) — stored until you delete them or close your account; backups retained for up to 90 days.
- Log & security data — kept for up to 12 months.
- Aggregated analytics — kept indefinitely but cannot identify any individual.
7. Security
We protect your data with encryption in transit (TLS) and at rest, least-privilege access controls, regular patching and vulnerability scans, and continuous monitoring for abuse.
8. Your Rights
New Zealand Privacy Act 2020
You may request access to or correction of personal information we hold about you.
European Union / United Kingdom (GDPR)
You have rights to access, rectify, erase, restrict, and object to processing, as well as data portability. You can lodge a complaint with your local Data Protection Authority.
California (CCPA)
You have rights to know what personal information we hold, to delete it, and to be free from discrimination for exercising these rights. We do not sell personal information.
To exercise any right, email [email protected]. We may verify your identity before actioning your request.
9. Children
The Service is not directed to children under 18. If we learn that we have inadvertently collected such data, we will delete it.
10. Changes to This Policy
We may update this policy at any time. Changes are effective immediately upon posting. Continuing to use the Service after changes take effect means you accept the revised policy.
11. Contact Us
- Privacy questions: [email protected]
- General enquiries: [email protected]
12. Data Processing Agreement (DPA)
If you need a signed DPA to comply with GDPR Article 28 or similar laws, email [email protected]. Our standard DPA becomes part of this policy once executed.
Questions about this policy? [email protected]