All Legal Documents

Privacy Policy

Effective date: May 3, 2026

1. Information We Collect

We collect information you provide directly, information collected automatically when you use our services, and information from third-party sources.

Personal Information You Provide:

  • Name and email address (at sign-up or via public assessments)
  • Billing and payment information (processed by Stripe)
  • Profile details (avatar, display name)
  • Form and assessment responses
  • Moodboard feedback comments

Automatically Collected Information:

  • Device and browser information
  • Usage patterns and interaction data
  • Error and performance data (via Sentry — anonymised, no PII)
  • Analytics data (via Google Analytics — only with your consent, IP anonymised)

Information From Third Parties:

  • Authentication data from Google (if using Google sign-in)

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyse trends, usage, and activities
  • Detect, investigate, and prevent fraudulent transactions and abuse
  • Personalise and improve your experience
  • Generate assessment scores and recommendations (for public scorecards)

3. Information Sharing and Sub-Processors

We do not sell your personal information. We share data with the following service providers who process it on our behalf:

| Sub-Processor | Purpose | Data Shared | Location | |---|---|---|---| | Supabase | Database hosting, authentication, file storage | All account data, form responses, uploaded images | Sydney, Australia (ap-southeast-2) | | Vercel | Application hosting and delivery | Request logs, IP addresses (transient) | Global edge network | | Stripe | Payment processing | Billing details, subscription status | United States | | Sentry | Error monitoring and performance | Anonymised error reports (no PII) | United States | | Google Analytics | Website analytics (consent required) | Anonymised pageview data, device info | United States | | Beehiiv | Newsletter delivery (consent required) | Email, name, assessment score tags | United States | | Resend | Transactional email delivery | Email address, notification content | United States | | Anthropic | AI advisor functionality | Brand data submitted to advisor conversations | United States |

We may also share information:

  • Legal Requirements: When required by law or to respond to legal process
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: With your explicit consent or at your direction

4. Data Security

We implement appropriate technical and organisational measures to protect your personal information:

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Database encryption at rest (managed by Supabase)
  • Row-Level Security (RLS) policies ensure workspace data isolation
  • Authentication via Supabase Auth (magic link or OAuth — no passwords stored by m-nus)
  • Service role keys restricted to server-side operations only
  • Error tracking anonymised (sendDefaultPii disabled)

5. Data Retention

We retain your personal data for specific periods depending on the type:

| Data Type | Retention Period | |---|---| | Account and profile data | Until you delete your account, then permanently removed within 30 days | | Form and assessment responses | For the lifetime of the associated workspace, or until manually deleted by a workspace admin | | Public scorecard responses | 2 years from submission date, or until deletion is requested | | Moodboard feedback comments | For the lifetime of the associated moodboard | | Authentication logs | 90 days (managed by Supabase) | | Error logs (Sentry) | 90 days (Sentry default retention) | | Analytics data (Google Analytics) | 14 months (Google default, anonymised) | | Billing records | 7 years (legal/tax requirement) |

After the retention period, data is permanently deleted or anonymised.

6. Your Rights

You have the following rights regarding your personal data:

  • Access: View your personal data via Settings → Account → Download My Data
  • Portability: Export your data as a machine-readable JSON file via Settings → Account
  • Correction: Update your profile information at any time via Settings → Profile
  • Deletion: Permanently delete your account and all associated data via Settings → Account → Delete Account
  • Object / Restrict: Contact us to object to or restrict specific processing activities
  • Withdraw Consent: Manage cookie preferences via our consent banner. Unsubscribe from newsletters via the unsubscribe link in each email.

To exercise any of these rights, use the in-app controls or contact us at support@almond.studio.

7. Cookies

We use cookies and similar technologies as follows:

  • Essential cookies (always active): Authentication session, workspace selection, sidebar state. These are necessary for the app to function.
  • Analytics cookies (consent required): Google Analytics — only loaded after you accept via our cookie consent banner. IP addresses are anonymised.

You can manage your cookie preferences at any time via the cookie consent banner shown on your first visit, or by clearing your browser cookies to reset your preference.

For full details, see our Cookie Policy.

8. Public Assessments and Scorecards

When you complete a public assessment (scorecard):

  • We collect your name and email address before you begin, with your explicit consent
  • Your responses and scores are stored to generate your results
  • Your email is only shared with our newsletter provider (Beehiiv) if you explicitly opt in by checking the "Subscribe to our newsletter" checkbox
  • You can request deletion of your assessment data by contacting support@almond.studio

9. AI Advisor

When you use the AI advisor feature, your brand data (form responses, brand brain content) may be sent to Anthropic's API to generate responses. This data is processed according to Anthropic's data processing terms and is not used to train AI models.

10. Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected such information, we will take steps to delete it.

11. International Transfers

Your information is primarily stored in Sydney, Australia (Supabase). Some sub-processors operate in the United States (see Section 3). We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where applicable.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the effective date. For significant changes, we may also notify you via email.

13. Contact Us

For questions about this Privacy Policy or to exercise your data rights:

Data Protection Contact: support@almond.studio

We Are Almond Limited Auckland, New Zealand