Privacy Policy

Effective: July 6, 2026. This describes what SproutPad collects, why, and what happens to it.

What we collect

DataWhyWhere it lives
Your email addressAccount identity, sign-in links, approval and billing noticesOur database (Fly.io, US)
Payment methodCharging for domains/hosting/email/plansStripe only. We store tokens (customer + payment-method ids), never card numbers.
Audit ledgerEvery agent/human action: what, why (justification), cost, undo pathOur database; exportable by you
Mailbox credentialsOperating mailboxes your agents createEncrypted (AES-256-GCM) at rest; decrypted server-side only
Email envelopesInbox listings (from/subject/date/snippet)Our database. Message bodies are never stored — they are fetched live from the mail provider per read.
Funnel eventsAggregate product metrics (signup → first launch)Our database; org-linked counters, no behavioral profiles

We do not use advertising trackers, sell data, or share it beyond the processors below.

Processors

Stripe (payments), Fly.io (hosting + database), name.com (domain registration — registrant data as required by ICANN), Cloudflare (DNS), Purelymail (mailboxes), Resend (transactional email), GitHub (encrypted database backups as private artifacts).

Retention, honestly

The audit ledger is append-only by design — it is the record that makes budgets, teardown, and billing trustworthy, and it is retained for the life of the service, including after account closure, as our legitimate financial and audit record.

On account closure (or verified erasure request): your email is replaced with an irreversible hash, Stripe tokens are deleted from our systems, sessions and sign-in identities are deleted, mailbox credentials and cached envelopes are purged, and all keys are revoked. Ledger entries survive, attributed to the pseudonymized identity — the standard reconciliation of erasure rights with append-only audit records.

Your rights

Export your ledger anytime (dashboard → audit export). Close your account from the dashboard. For access/correction/erasure requests beyond that: support@sproutpad.ai. If you are in the EU/UK, these are your GDPR rights and we honor them as described above.

Security

Secrets are hashed (keys) or encrypted (mailbox credentials) at rest; sessions are server-side and revocable; every provider call goes through our accounts, so your agents never hold provider credentials. Vulnerability reports: security.txt.

Terms · Refunds · Home