Privacy Policy
Last updated: May 2026
1. Who we are
TruthDeck (truthdeck.xyz) is an AI-powered startup intelligence platform for the Indian startup ecosystem. This policy explains what personal data we collect, why, and how it is stored.
2. Data we collect
Account data
Email address and hashed password via Supabase Auth. We never see your raw password.
Payment data
Payments are processed by Cashfree and Stripe. We store only your email address, chosen plan tier, and payment reference IDs. Full card details are never stored on our servers.
Waitlist data
Name, email address, and self-reported role — used only to send your invite email.
Alert subscriptions
Email address and watched startup slugs — used solely to send score-change notifications.
Monthly investor check-ins
When a founder submits a monthly update (cash in bank, burn rate, MRR), that data is visible only to the investor who requested it and is not shown on public profiles.
Audit logs
IP addresses are logged for security-relevant events only: dispute submissions, rate-limit violations, bot detections, and admin logins. These logs are retained for 90 days.
Reviews
Role and relationship to the startup. Your email address is not attached to public review records.
3. Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database & auth | All account and app data (AWS ap-south-1 / Mumbai) |
| Sentry | Error monitoring | Error traces; 5% session replays (text masked, media blocked) |
| Resend | Transactional email | Email address + message content |
| Cashfree / Stripe | Payment processing | Payment details (PCI DSS — not stored by us) |
| OpenAI | AI analysis | Startup names and public claim text |
We do not use behavioral analytics (no Google Analytics, Mixpanel, Amplitude, etc.) and do not track page views or click events.
4. Data storage and retention
All data is stored in Supabase on AWS ap-south-1 (Mumbai). Audit logs are retained for 90 days. Account data is retained until you delete your account. Payment records may be retained longer to meet tax obligations.
5. Your rights
- Request a copy of the personal data we hold about you
- Request correction of inaccurate data
- Delete your account via Settings → Delete Account
- Unsubscribe from alert emails via the link in any email we send
Email us at privacy@truthdeck.xyz to exercise any of these rights.
6. Cookies
We use only a single session cookie set by Supabase Auth to keep you logged in. No advertising or third-party tracking cookies are used.
7. Security
All traffic is encrypted via HTTPS with HSTS enforced. API keys are stored as SHA-256 hashes — the raw key is shown only once at creation. Passwords are hashed by Supabase Auth. Rate limiting is enforced on all public endpoints via Upstash Redis.
8. Changes to this policy
Material changes will be announced via the in-app banner. The "last updated" date at the top reflects the most recent revision.
9. Contact
Questions? privacy@truthdeck.xyz