Privacy Policy

Last Updated: December 23, 2025

Controller & Contact

For any privacy questions, you can reach us at support@gossipic.com. We value your privacy and strive to use data only as needed to provide and improve our services in a privacy-friendly way and in compliance with the EU General Data Protection Regulation ("GDPR") and other relevant privacy laws.

Scope

This policy explains how we process personal data in different scenarios: when you visit our website, sign up or onboard, use our product (including our free report generation tools), receive communications from us, or make payments. We describe what data is used, for what purpose, on what legal basis (under Article 6 GDPR), who our service providers ("processors") are (Article 28 GDPR), any international transfers, and your rights.

(1) When You Visit Our Website

In brief: We use our website to inform you about Gossipic and provide access to our tools. Our site is hosted by Vercel, a global cloud platform. We may employ analytics to understand how the site is used.

  • Purpose: To load the website for you and ensure its security and performance.
  • Data & Cookies: When you visit, we (or our hosting provider) may collect information such as your IP address, browser type/version, and device identifiers. This is essential for the site to function (e.g., security, load balancing).
  • Legal Basis: The processing of basic connection data is based on our legitimate interest (Art. 6(1)(f) GDPR) in providing a secure and functional website.
  • Processors:
    • Vercel (Vercel Inc., USA): We use Vercel to host our website. Vercel processes site visits and delivers content via a global Content Delivery Network (CDN).
    • Analytics (Future Use): We may implement tools such as Google Analytics 4 or PostHog to understand how visitors interact with our site. If active, these tools will operate with pseudonymized data to avoid collecting personally identifying information where possible.

(2) When You Sign Up or Onboard

In brief: When you register for a Gossipic account, we collect the information needed to create and manage your user identity. We use Supabase for authentication and database storage.

  • Purpose: To create your user account, authenticate you, and set up your workspace in our application.
  • Data Collected: You typically provide an email address and a password. We generate a unique User ID for your account. During signup and login, we also process technical data like your IP address for security.
  • Legal Basis: Contract (Art. 6(1)(b) GDPR) – we need this data to provide the service you are requesting (account creation).
  • Processors:
    • Supabase (Supabase, Inc.): We use Supabase to handle user authentication and database management. Your email and secure login credentials are processed by Supabase. Our Supabase instance is located in the United States.

(3) When You Use Our Product & Free Tools

In brief: Once you use the Gossipic application or our free report generation tools, we process your data to deliver the service's functionality.

  • Purpose: (A) To generate the reports or content you requested; (B) To store your preferences and history (if logged in); (C) To improve the product based on usage patterns.
  • Data Collected: We process the input data you provide (e.g., parameters for report generation) and the resulting output.
  • Legal Basis: Contract (Art. 6(1)(b) GDPR) for registered users. For free tools used without an account, we rely on Legitimate Interest (Art. 6(1)(f) GDPR) to prevent abuse and maintain service stability.
  • Processors:
    • Supabase (USA): All core application data, including your generated reports and user profile settings, is stored in our Supabase database.

(4) Communications (Reports, Newsletters & Support)

In brief: If you request a free report, sign up for updates, or contact support, we use your contact info to communicate with you.

  • Purpose: To deliver the specific resource you requested (e.g., a PDF report via email) and to send you product updates or marketing information if you have opted in.
  • Data Collected:
    • Lead Magnets: If you use a free tool that requires an email to receive results, we collect your email address. We may add this email to our newsletter list to send you relevant updates. You can unsubscribe from these updates at any time.
    • Support: If you email support@gossipic.com, we collect your email address and the content of your message to help resolve your issue.
  • Legal Basis:
    • For delivering the requested report: Contract (Art. 6(1)(b) GDPR).
    • For subsequent marketing/newsletters: Consent (Art. 6(1)(a) GDPR) or Legitimate Interest (Art. 6(1)(f) GDPR) depending on your region and how you engaged with us.
  • Processors:
    • Email Providers: We may use third-party email infrastructure (such as AWS SES or Resend) to deliver transactional emails and reports reliably.

(5) When You Make a Payment (Paddle)

In brief: We use Paddle as our Merchant of Record (MoR). This means when you subscribe to Gossipic, you are technically buying from Paddle, not directly from us. We do not store or process your credit card details.

  • Purpose: To manage subscriptions, handle global taxes, and process payments securely.
  • Data Collected: When you click "Upgrade" or "Buy," a Paddle overlay appears. You provide your payment details (Credit Card/PayPal) and billing address directly to Paddle.
    • What we see: Paddle provides us with a "Subscription Status" (e.g., Active, Past Due) and a token to identify your customer record. We do not have access to your full credit card number or bank details.
    • Invoicing: Paddle sends all invoices and receipts directly to your email.
  • Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR).
  • Processors:
    • Paddle (Paddle.com Market Ltd, UK / Paddle, Inc, USA): Paddle acts as the Merchant of Record. They are responsible for processing your payment and handling tax compliance (like VAT/GST). You can view Paddle's own Privacy Policy on their website for details on how they handle financial data.

(6) Third-Country Transfers

We are located in India. Additionally, our primary service providers (Supabase, Vercel) process data on servers located in the United States.

If you are visiting from the European Union (EU) or UK, please note that your data will be transferred outside of the European Economic Area (EEA). We ensure these transfers are protected through:

  1. Standard Contractual Clauses (SCCs): Our agreements with providers like Supabase and Vercel include SCCs to ensure GDPR-level protection.
  2. Merchant of Record Model: Because we use Paddle (UK/USA), strictly financial data is handled by an entity with robust compliance frameworks appropriate for global transactions.

(7) Storage & Retention

  • Account Data: We keep your data for as long as you have an active account. You may request deletion at any time.
  • Waitlist/Leads: If you requested a free report but did not create an account, we may retain your email for marketing purposes until you unsubscribe.
  • Backups: Deleted data may remain in our secure database backups for a short period (typically up to 30 days) before being permanently purged.

(8) Your Rights

You have the right to access, rectify, erase, object to, or restrict the processing of your personal data.

  • To exercise these rights: Simply email us at support@gossipic.com.
  • Response: We will respond to your request within one month, free of charge.

(9) Changes to this Policy

We may update this Privacy Policy to reflect changes in our services (e.g., adding new analytics tools or features). The "Last Updated" date at the top will always indicate the latest revision. We encourage you to review this policy periodically.