Privacy Policy
Last updated: May 2026
Short version: Capvoro stores your account and progress in Supabase. We use PostHog for anonymous usage analytics. When you submit a task, your text is processed by our AI coaching engine to give you feedback. We never sell your data.
Capvoro ("we", "our", "us") operates capvoro.app. This Privacy Policy describes what personal data we collect, why we collect it, who we share it with, and what rights you have over it.
1. Data We Collect
Account data. When you sign up, we collect your email address and a hashed password. You may also provide a display name and an optional profile photo URL.
Learning progress. We record which lessons you have completed, quiz scores, XP, daily streaks, and task submissions so your progress is preserved across sessions.
Task & artifact content. When you submit a task response, that text is stored in our database and processed by our AI coaching engine to generate feedback, scoring, and polished portfolio outputs. See Section 4 for full details on AI processing.
Community content. Posts and comments you publish in the Capvoro community are stored and visible to other users. Deleting your account removes your profile but your content may remain in anonymised form.
Usage analytics. We collect anonymised usage events (page views, feature interactions) to understand how the product is used and where to improve it. These events do not include your task content or personally identifiable information.
Technical data. Standard server logs include your IP address, browser user-agent, and request timestamps. We use this data only for security and rate-limiting purposes.
2. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
- Contract: to deliver the learning service you signed up for (account, progress, tasks).
- Legitimate interests: anonymised analytics and security logging that help us operate the service safely.
- Consent: optional communications such as product updates (you can unsubscribe at any time).
3. Third-Party Services We Use
We share data with the following sub-processors to operate Capvoro. Each is bound by their own data processing agreements and security standards.
Supabase (supabase.com): Hosts our database and handles authentication. Your email, hashed password, and all learning data are stored in Supabase infrastructure. Supabase is SOC 2 Type II certified and stores data on AWS in the US East region. Supabase Privacy Policy.
PostHog (posthog.com): Provides product analytics. Events are anonymised and do not contain task content or identifying information beyond a pseudonymous session ID. PostHog Privacy Policy.
Upstash (upstash.com): Provides Redis-based rate limiting to protect the API from abuse. Only IP addresses and request counts are stored, for a rolling window of up to 60 seconds. Upstash Privacy Policy.
RevenueCat (revenuecat.com): Will be used to manage paid subscriptions when premium features launch. RevenueCat validates purchases server-side and never stores raw card details. It is SOC 2 Type II certified. RevenueCat Privacy Policy.
Resend (resend.com): Handles transactional email delivery (welcome emails, account notifications). We send only your email address to Resend for delivery purposes. Resend does not have access to your learning content or any other account data. Resend Privacy Policy.
4. AI Processing of Your Task Submissions
Important: When you submit a task on Capvoro, the text you write is processed by our AI coaching engine to generate feedback, a quality score, and a polished portfolio version of your work.
What is sent to Anthropic: Your task response text, the task title, and the course context. We do not send your email address, name, or any other personal identifiers to Anthropic.
How Anthropic uses it: Anthropic processes this content under their API terms to return a response. Anthropic does not use your API-submitted content to train their models by default. See Anthropic's Privacy Policy for full details.
AI-generated outputs: Feedback, scores, and polished artifacts returned by the AI are stored in your Capvoro account and displayed only to you (and, optionally, when you share a portfolio link you generate yourself).
By submitting a task you acknowledge and agree to this AI processing. If you do not want your task text processed by our AI coaching engine, please do not submit tasks.
5. Data Retention
- Your account and all associated learning data are retained for as long as your account is active.
- If you delete your account, we remove your personal data within 30 days, except where retention is required by law.
- Server logs (IP, timestamps) are retained for up to 90 days for security purposes.
- Rate-limit counters in Redis expire automatically within 60 seconds.
6. Cookies & Local Storage
Capvoro uses a single HTTP-only, secure authentication cookie set by Supabase to keep you logged in. We do not use advertising cookies or cross-site tracking cookies.
We store lightweight preferences (such as onboarding status) in your browser's local storage. This data never leaves your device.
7. Your Rights
Depending on where you are located, you may have the following rights:
- Access: request a copy of the personal data we hold about you.
- Correction: ask us to correct inaccurate data.
- Deletion: request that we delete your account and associated data.
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdrawal of consent: unsubscribe from any optional communications at any time.
To exercise any of these rights, email us at privacy@capvoro.app. We will respond within 30 days.
8. Children's Privacy
Capvoro is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. Security
We implement industry-standard security measures including HTTPS-only transmission, HTTP-only cookies, server-side authentication, rate limiting on all API endpoints, and row-level security policies in our database. No system is 100% secure; if you discover a vulnerability, please disclose it responsibly to security@capvoro.app.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If changes are material, we will notify you by email or a prominent notice within the app.
11. Contact
For any privacy questions or requests, contact us at: