Privacy Policy
What we collect, how we use AI and subprocessors, and your choices when using PM Rewired.
Last updated: June 2, 2026
This document reflects how the Service works today. Have qualified counsel review before a broad public launch or if you need a DPA, enterprise agreement, or jurisdiction-specific disclosures.
Overview
This Privacy Policy describes how PM Rewired ("we", "us") collects, uses, and shares information when you use our websites and applications (the "Service"). It applies alongside our Terms of Service.
This policy is written for product managers and teams evaluating or using the Service. It is not a substitute for a data processing agreement (DPA) or enterprise security review—contact us before uploading highly regulated data.
Information we collect
Account information: email address, authentication identifiers, and profile fields from our identity provider (Supabase Auth), including MFA enrollment status when you enable it.
Usage and billing: subscription tier, generation usage, workflow metadata, seat and workspace membership, and payment-related identifiers processed by Stripe (we do not store full payment card numbers on our servers).
Content you provide: text you submit to AI workflows, saved outputs, templates, and team-visible artifacts when you choose team visibility.
Demo and preview use: when you run an unauthenticated demo, we process the notes you paste and may store a pseudonymous visitor identifier (derived from network and browser signals, not your email) to enforce weekly demo limits.
Technical and security data: device and browser type, IP address, timestamps, and logs needed for security, rate limiting, debugging, and fraud prevention.
Product analytics: event names and properties you trigger in the app (for example billing page views or workflow completions) stored in our analytics tables.
Optional integrations: if you connect Jira Cloud via OAuth, we store access tokens and site metadata needed to perform actions you request until you disconnect.
AI processing
To generate outputs, we send the prompts and context necessary for your request to configured large-language-model providers (for example OpenAI and/or Cohere, depending on plan and workflow).
We use these providers as subprocessors under our agreements with them. Their handling of data is also governed by their policies. We configure the Service to fulfill your requests; we do not use your submitted content to train our own models.
Do not submit special-category, health, or highly confidential personal data unless your organization has approved cloud AI tools for that material.
Demo and preview privacy
Marketing demos may be used without an account. Notes you submit in a demo are transmitted to our API and AI providers for generation. We retain a hashed visitor key and week identifier in our database to enforce fair-use limits—not your email unless you later create an account.
Demo outputs are not saved to your account history unless you sign in and run workflows under your plan.
How we use information
Provide, maintain, and secure the Service; authenticate users; enforce plan and demo limits; process payments; deliver team invites; and comply with law.
Run AI workflows by sending necessary prompts to configured LLM providers.
Send transactional messages (for example sign-in links, password reset, billing notices, or team invites) through our email configuration (typically Supabase Auth SMTP and/or other providers we configure).
Monitor reliability and abuse using logs and error reporting (for example Sentry when enabled in an environment).
Improve the product using aggregated usage patterns and product analytics—not by selling your workflow content.
Subprocessors and integrations
Depending on features you use, data may be processed by: Supabase (auth and database); Stripe (payments); OpenAI and/or Cohere (AI generation); Sentry (error monitoring, when configured); cloud hosting providers for our web and API applications; and Atlassian (only if you connect Jira OAuth).
Optional email delivery may use providers configured in Supabase Auth or our API (for example Brevo or similar transactional email services).
We may update subprocessors as the Service evolves; material changes to how we process personal data will be reflected in this policy.
Team workspace data
If you use a Team plan, account and usage metadata are associated with the workspace. Content you mark as team-visible is stored so other members of that workspace can access it per product design.
Team admins can see membership and aggregated usage analytics; they do not automatically receive the full text of every private Pro save unless you choose team visibility.
When you leave a team or are removed, your access to team-visible content ends; personal Pro content saved as private remains governed by your individual account settings.
For enterprise, DPA, or security questionnaire needs beyond this policy, contact us before uploading regulated data.
Retention and your choices
We retain account, billing, and usage data while your account is active and as needed for billing, security, dispute resolution, and legal obligations. You may request deletion of your account by contacting support; some records (for example payment history) may be retained where required by law or Stripe record-keeping.
Cloud history begins when you upgrade to a paid plan and save new runs to your account. Older local-only saves remain on your device unless you export them yourself before upgrading or clearing browser storage.
Demo quota records use pseudonymous identifiers and are kept only as long as needed to enforce limits.
Security
We use industry-standard measures including encrypted connections (HTTPS), access controls, and authenticated API access. Paid workflow routes and billing are protected by authentication and plan checks.
No method of transmission or storage is completely secure. Use judgment with highly sensitive material and follow your organization’s policies.
International transfers
We may process and store information in the United States and other countries where we or our subprocessors operate. Those locations may have different data-protection laws than your country.
Where required, we rely on appropriate safeguards (such as standard contractual clauses or equivalent mechanisms offered by subprocessors) for cross-border transfers.
Your privacy rights
Depending on your location, you may have rights to access, correct, delete, or port personal data, to restrict or object to certain processing, or to withdraw consent where processing is consent-based.
California residents may have additional rights under the CCPA/CPRA, including the right to know, delete, and correct personal information, and to opt out of "sale" or "sharing"—we do not sell personal information as defined by those laws.
EEA, UK, and Swiss users may lodge a complaint with a supervisory authority. To exercise rights, email us at the address below. We will respond within a reasonable period and in accordance with applicable law (typically within 30 days).
Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information. Contact us if you believe a child has provided personal data and we will take appropriate steps.
Changes and contact
We may update this policy; we will post the revised version with an updated date. Material changes may be notified in-product or by email where appropriate.
Privacy questions or requests: support@pmrewired.com. Include "Privacy request" in the subject line and the email address associated with your account.