
Privacy Policy

Last updated June 27, 2026

This Privacy Policy explains what data BountyReady (the “Service”) collects, how we use it, and the choices you have. We aim to collect as little as possible to run the Service.

1. Data we collect

  • Account data: your email address and a password that we store only as a salted hash (bcrypt); we never store your password in plain text. If you subscribe, we also store a subscription status and billing identifiers.
  • Run data: the scenario you select, the report text you submit, any request log you choose to upload (HAR or JSONL), and the grading results we generate.
  • Technical data: your IP address, which we use to apply rate limits and prevent abuse, and a single session cookie (see below). We do not run third-party analytics, advertising, or tracking.

2. How we use data

  • to operate the Service — provision targets, grade your reports, and show your results;
  • to enforce plan limits, rate limits, and scope guardrails, and to protect against abuse;
  • to maintain your account and respond to your requests.

We do not sell your personal data.

3. Cookies

We use one strictly-necessary cookie, preflight_session, to keep you signed in. It is cryptographically signed, HttpOnly, and (in production) Secure. We do not use advertising or cross-site tracking cookies, so no cookie-consent banner is required for non-essential tracking.

4. Where data is stored and who processes it

Application data is stored in a managed PostgreSQL database hosted on Supabase, in the European Union (eu-central-1). Supabase acts as a data processor / sub-processor on our behalf. If and when paid plans are enabled, a payment provider will process billing data as a separate sub-processor; their handling is described at checkout.

5. Data retention

Each run’s isolated target is ephemeral and expires automatically a short time after it is created. Your account, submitted reports, and grading results are retained while your account exists. When you ask us to delete your account, we delete your personal data except where we must retain limited records to comply with legal obligations.

6. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise these rights, contact us at contact@preflight.example. We will respond within the time required by applicable law.

7. Security

We hash passwords with bcrypt, sign session cookies with an HMAC secret, serve the Service over TLS, and isolate each run’s target in its own sandbox. No system is perfectly secure, but we work to protect your data with reasonable technical and organizational measures.

8. Children

The Service is not directed to children and is intended for users who are at least the age of digital consent in their jurisdiction. We do not knowingly collect data from children.

9. Changes

We may update this Policy from time to time. Material changes will be reflected by updating the date at the top of this page.

10. Contact

Questions about your privacy or this Policy? Contact us at contact@preflight.example.
