Legal
Privacy Policy
Effective date: March 1, 2026
1. Introduction
Smidge (“we,” “us,” or “our”) operates the web application, API, and CLI tool at smdg.app. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
By using Smidge, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
2. Data We Collect
Account Information
- Email address
- Display name and avatar (from OAuth provider or manually set)
- GitHub username (if you sign in via GitHub)
- Authentication tokens (managed by Supabase Auth)
Uploaded Content
- Source files you upload (PDFs, documents, audio, images)
- YouTube URLs and web page URLs you provide
- Extracted text from your source materials (used for processing only)
Generated Content
- Skill files (SKILL.md) and associated reference files
- Configuration choices (skill name, description, category, type)
Usage Data
- Credit balance and transaction history
- Generation metadata (tokens used, processing duration)
- Feature usage patterns (pages visited, actions taken)
- Device information (browser type, operating system)
- IP address (for rate limiting and abuse prevention)
Billing Data
- Stripe customer ID and subscription status
- Payment history (amounts, dates — we never see or store full card numbers)
3. How We Use Your Data
- Provide the Service: Process your source materials through our AI pipeline, generate skill files, manage your account and credits
- Improve the product: Analyze aggregate usage patterns to improve the pipeline, UI, and overall experience
- Billing: Process payments, manage subscriptions, and maintain transaction records
- Communication: Send transactional emails (login links, purchase confirmations, welcome messages), and occasional product updates
- Security: Detect and prevent abuse, rate-limit API access, and maintain service integrity
We do not sell your data. We do not use your uploaded content or generated skills to train AI models. Your content is processed for the sole purpose of generating your requested output.
4. Third-Party Services
We use the following third-party services to operate Smidge:
- Supabase — Database, authentication, and file storage. Your account data and generated skills are stored in Supabase. Supabase Privacy Policy
- Stripe — Payment processing. Handles all billing and card information. Stripe Privacy Policy
- Anthropic (Claude) & OpenAI — AI model providers. Your source content is sent to these APIs for processing during skill generation. Content is processed per their API terms and is not used for model training. Anthropic Privacy · OpenAI Privacy
- Resend — Transactional email delivery (login links, receipts, notifications). Resend Privacy Policy
- Vercel — Application hosting and edge network. Vercel Privacy Policy
5. Data Retention
- Uploaded source files: Automatically deleted 30 days after upload
- Extracted text: Deleted after processing is complete (not stored long-term)
- Generated skills: Retained in your account until you delete them or delete your account
- Account data: Retained until you request account deletion
- Billing records: Retained as required by tax and financial regulations (typically 7 years)
- Usage logs: Anonymized or deleted after 90 days
6. Your Rights
You have the following rights regarding your data:
- Access: View all data associated with your account through your account settings
- Export: Download all your generated skills and account data via the account page or API
- Deletion: Delete individual skills, or delete your entire account and all associated data from your account settings
- Correction: Update your profile information at any time
To exercise these rights or make a data-related request, email us at privacy@smdg.app. We will respond within 30 days.
7. Cookies
Smidge uses only essential cookies required for authentication. These are managed by Supabase Auth and are necessary to keep you signed in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
Specifically, we set:
- Authentication session cookies: Required for login state (Supabase Auth)
No consent banner is required because we only use strictly necessary cookies.
8. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security policies on all database tables
- API key hashing and secure token management
- Rate limiting on all endpoints
- Regular security reviews
No system is 100% secure. If you discover a security vulnerability, please report it to security@smdg.app.
9. Children's Privacy
Smidge is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete the account.
10. International Data Transfers
Your data may be processed and stored in the United States and other countries where our service providers operate. By using Smidge, you consent to the transfer of your data to these jurisdictions.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Effective date” at the top of this page indicates when it was last revised.
12. Contact
For privacy-related questions or requests, contact us at:
- Email: privacy@smdg.app
- General: hello@smdg.app
See also: Terms of Service