Supernal

Privacy Policy

Last Updated: March 27, 2026

This Privacy Policy applies to Supernal Coding and all related products and services operated by Supernal Intelligence, Inc. ("Supernal", "we", "us", or "our"), including the Supernal Coding desktop application, web dashboard, CLI tools, and any AI agent features.

By using Supernal services, you agree to the data practices described here. If you do not agree, please do not use our services.

1. The Desktop App is Local-First

Supernal Coding Desktop is designed to run on your machine. The following data stays on your device and is never sent to Supernal servers:

  • Your source code, files, and repositories
  • Agent session transcripts and conversation history
  • Workspace configurations and project state
  • Crash logs (stored locally at ~/Library/Application Support/Supernal Desktop/crash-log.txt)
  • License data (stored encrypted on your device, not uploaded)

When agents execute tasks, they operate on your local filesystem and environment. Supernal does not receive a copy of the work your agents perform.

2. What We Do Collect

Account Information

When you create an account: your email address, name, and authentication credentials. This is used to identify you, manage your subscription, and communicate with you about your account.

License Verification

When the desktop app validates your license, it sends your license key and product ID to api.supernal.ai. No usage data, file contents, agent transcripts, or identifying machine information beyond what is required for activation is transmitted. License keys are validated against a hardware fingerprint stored on your device — this fingerprint is not sent to our servers.

AI Provider Requests

When agents make AI calls (to OpenAI, Anthropic, or other providers), those requests go directly from your machine to the AI provider using your API key. Supernal does not proxy, store, or receive a copy of your AI requests or responses. Those requests are subject to the privacy policies of the AI provider you choose.

Usage Analytics

If analytics are enabled (opt-in), we may collect anonymous usage patterns such as which features are used, error rates, and performance metrics. We do not collect the content of your work or your agents' outputs. You can opt out in Settings.

Web Services

When using our web properties (supernal.ai, the web dashboard), we collect standard web analytics data including browser type, pages visited, and approximate location (city-level via IP). We use this to improve the product.

Support Communications

If you contact support, we retain that correspondence to assist you and improve our services.

3. AI Agents — What They Can Access

Supernal Coding enables AI agents to act on your behalf on your local machine. You control what agents can access through permissions you grant during setup. Depending on your configuration, agents may be able to:

  • Read and write files in directories you specify
  • Execute shell commands in your terminal environment
  • Make API calls using credentials you provide
  • Access browser content through browser integration tools
  • Send and receive messages on platforms you connect (Slack, Discord, etc.)

Supernal does not receive the output of these agent actions. Agents operate on your device and the results stay there unless you explicitly share them. You are responsible for reviewing and controlling what agents are permitted to do in your environment.

4. How We Use Information

  • To provide, operate, and improve our services
  • To manage your account and subscription
  • To validate license entitlements
  • To communicate service updates, security notices, and support responses
  • To detect and prevent fraud or abuse
  • To comply with legal obligations

We do not sell your personal information to third parties.

5. Data Sharing

We may share data with:

  • Infrastructure providers: Hosting, database, and authentication services (e.g., Supabase, Vercel) that process data on our behalf under data processing agreements.
  • AI service providers: When you use AI features, your prompts go directly to providers you configure (OpenAI, Anthropic, etc.) under your own API key. Supernal is not a party to those transactions.
  • Payment processors: License purchase transactions are handled by our payment provider. We do not store full payment card details.
  • Law enforcement or legal process: When required by applicable law, court order, or to protect our legal rights.

6. Security

We implement layered security controls including:

  • macOS code signing and notarization for the desktop app
  • Encrypted license storage with hardware binding
  • Content Security Policy, CORS restrictions, and security headers on all web services
  • Automated dependency vulnerability scanning and patching
  • Secrets scanning on every code commit

For a full description of our security architecture, see our SECURITY.md.

No system is perfectly secure. We cannot guarantee absolute security of data transmitted over the internet.

7. Data Retention

We retain account information for as long as your account is active or as needed to provide services. License validation records are retained for the duration of your subscription plus any legally required period. If you close your account, we will delete or anonymize your personal data within 90 days, except where retention is required by law.

Data stored locally on your machine (agent transcripts, crash logs, workspace state) persists until you delete it. We have no ability to access or delete this data remotely.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict certain processing
  • Data portability
  • Withdraw consent where processing is consent-based

To exercise any of these rights, email privacy@supernal.ai. We will respond within 30 days.

9. Children

Our services are not directed to children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us immediately at privacy@supernal.ai.

10. California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA / CPRA). We do not sell or share personal information for cross-context behavioral advertising. You have the right to: know what personal information we collect and how it is used; delete your personal information; correct inaccurate personal information; opt out of any sale or sharing (which we do not conduct); and not be discriminated against for exercising these rights. To exercise CCPA rights, contact privacy@supernal.ai.

11. EU/EEA and UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, the following applies in addition to the rest of this policy.

Legal basis for processing (GDPR Article 6)

We process your personal data on the following legal bases:

  • Contract performance — processing necessary to provide the Services you have subscribed to (account management, license validation, billing)
  • Legitimate interests — analytics to improve the Services, security monitoring, and fraud prevention, where these interests are not overridden by your rights
  • Legal obligation — compliance with applicable laws and regulations
  • Consent — optional analytics and marketing communications, where you have opted in. You may withdraw consent at any time.

Data transfers outside the EEA (GDPR Chapter V)

Supernal Intelligence, Inc. is based in the United States. When you use our Services, your personal data is transferred to and processed in the United States, which does not have an adequacy decision from the European Commission equivalent to EEA standards.

We rely on the following safeguards for international transfers:

  • Standard Contractual Clauses (SCCs) — our data processing agreements with sub-processors (including Supabase and Vercel) incorporate the EU Standard Contractual Clauses approved by the European Commission, providing appropriate safeguards for your data.

Sub-processors and data locations:

  • Supabase (database) — US-East (Ohio). Data processing agreement in place.
  • Vercel (hosting, CDN) — US regions. Data processing agreement in place.
  • AI providers (OpenAI, Anthropic, etc.) — AI inference calls go directly from your machine to your chosen provider under your own API key; Supernal is not the data controller for these transfers.

You may request a copy of the safeguards we rely on by contacting privacy@supernal.ai.

Your rights under GDPR

In addition to the rights described in Section 8, EEA/UK residents have the right to:

  • Lodge a complaint with your local data protection authority (DPA). In the EU, find your DPA at edpb.europa.eu. In the UK, contact the ICO at ico.org.uk.
  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances

Supernal Intelligence, Inc. is the data controller for personal data processed through our Services. We do not currently have a designated EU/UK representative or Data Protection Officer, as we do not engage in large-scale systematic processing of sensitive personal data. If this changes, we will update this policy accordingly.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify relevant supervisory authorities within 72 hours of becoming aware of the breach, where required by applicable law (GDPR Article 33)
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
  • Document all breaches internally, including those not requiring notification, with details of the breach, its effects, and remedial action taken

If you discover or suspect a security issue, please report it immediately to security@supernal.ai.

13. Data Retention — By Category

We retain different categories of data for different periods:

  • Account information — retained for the life of your account plus 90 days after closure
  • License and billing records — 7 years from transaction date (tax and legal compliance)
  • Support communications — 3 years from last interaction
  • Security and audit logs — 2 years from creation
  • Anonymous analytics — up to 26 months (standard analytics retention)
  • License validation records — duration of active subscription plus 90 days

Data stored locally on your device (agent transcripts, workspace state, crash logs) is not subject to our retention schedule — it persists on your machine until you delete it. We have no access to delete it remotely.

14. Changes to This Policy

We may update this Privacy Policy. When we do, we will update the "Last Updated" date above and, for material changes, notify you by email or prominent in-app notice at least 14 days before changes take effect. If the desktop app's first-launch disclosure is materially changed, it will be re-displayed for your acknowledgment.

Contact

Privacy questions: privacy@supernal.ai
Security issues: security@supernal.ai
Legal: legal@supernal.ai
General: info@supernal.ai
Mail: Supernal Intelligence, Inc., Santa Clara County, California, USA


Effective Date: March 27, 2026