Privacy Policy

Last Updated: March 2026

Second Spring ("we," "us," or "our") operates the Second Spring platform, accessible at secondspring.design and related applications. This Privacy Policy describes how we collect, use, and protect your information.

1. Information We Collect

1.1 Account Information

When you create an account via Outseta, we collect:

• Email address

• Account identifier (account_uid)

• Subscription and billing information (managed by Outseta)

1.2 Business Information

Information you enter into the Business Hub:

• Business Facts: Business name, core problem, target customer, offer description, pricing, and other business context you provide

• Goals: Short-term and long-term business goals you define

• Planner Items: Tasks and action items you create

• Documents: AI-generated and user-edited business documents

1.3 Conversation Data

When you interact with AI strategy agents:

• Conversation history is managed and stored by OpenAI pursuant to your agreement with OpenAI and their privacy policy

• We store conversation metadata (session IDs, timestamps, associated business) but not the full conversation content in our own databases

1.4 Integration Credentials

If you connect external services (Google Calendar, Stripe, Instagram, Mailchimp, etc.):

• OAuth access tokens and refresh tokens (stored encrypted in Supabase)

• Provider account metadata (display name, email, avatar) as returned by the provider

• Scopes granted

1.5 Communication Preferences

If you opt in to proactive messaging:

• Channel identifiers (Telegram chat ID, phone number, email address, push subscription)

• Notification preferences (reminder time, timezone, frequency)

• Message history (content, timestamps, delivery status)

1.6 Usage Data

Standard technical information:

• Log data (IP addresses, browser type, pages visited)

• Feature usage patterns (anonymized)

2. How We Store Your Information

• Database: All business data is stored in Supabase (PostgreSQL), hosted on AWS infrastructure

• Encryption at rest: Supabase encrypts all data at rest using AES-256

• Encryption in transit: All data transmitted using TLS 1.2+

• Integration credentials: OAuth tokens are stored encrypted; we do not store credentials in plaintext

• Access control: Row-Level Security (RLS) ensures each user/team can only access their own data

• Serverless processing: API routes run on Vercel's edge infrastructure; no persistent servers store your data in memory

3. How We Use Your Information

3.1 To Provide the Service

• Providing AI strategy agent context (business facts, goals, and documents are injected into agent conversations)

• Executing recipes that generate business documents

• Processing integration connections and OAuth flows

• Sending proactive reminders and notifications (if opted in)

3.2 To Improve the Platform

We use anonymized, aggregated data to improve the Knowledge Graph and agent recommendations:

• We extract patterns from business data (e.g., "what strategies do businesses of type X commonly use?")

• All data used for the Knowledge Graph is fully anonymized — individual businesses cannot be identified

• No individual business names, owner names, revenue figures, or identifying information is stored in the Knowledge Graph

• Minimum aggregation threshold: patterns require contributions from at least 5 businesses before appearing in recommendations

3.3 We Do NOT:

• Sell your individual data to third parties

• Use your business data to train AI models that are sold or shared externally

• Share identifiable business information with other users or businesses

• Use your data for advertising targeting

4. Data Sharing

4.1 Service Providers

We share data with trusted service providers who process data on our behalf:

• OpenAI: Conversation content and business context sent to OpenAI for AI processing, subject to OpenAI's terms and privacy policy

• Outseta: Account and billing data managed by Outseta

• Supabase: Database storage and authentication services

• Vercel: Application hosting and serverless function execution

• Twilio: SMS and WhatsApp message delivery (if opted in)

• SendGrid: Email delivery (if opted in)

• Telegram: Telegram message delivery via Bot API (if opted in)

• Google, Stripe, Instagram, Mailchimp, etc.: Integration providers when you connect these services

4.2 Aggregate Insights

We may share aggregate, anonymized industry insights (e.g., "70% of coaching businesses use email as their primary channel") for platform improvement and research. This data cannot be linked to individual businesses.

4.3 Legal Requirements

We may disclose information if required by law, court order, or government authority.

5. Your Rights

You have the right to:

• Access: Request a copy of all data we hold about you and your business

• Correct: Update or correct inaccurate information at any time via the Business Hub

• Delete: Request deletion of your account and all associated business data

• Export: Request an export of your business data in a portable format (JSON or CSV)

• Withdraw consent: Opt out of communications at any time; disable or revoke integration connections at any time

• Object: Object to processing of your data for the Knowledge Graph (contact us to opt out)

To exercise these rights, contact us at [privacy@secondspring.design].

6. Data Retention

Data Type Retention Account and business data Retained while your account is active + 90 days after cancellation Conversation metadata Retained for 12 months Execution history Retained for 24 months Communication messages Retained for 12 months Knowledge Graph contributions Retained indefinitely (fully anonymized; cannot be deleted individually)

On account deletion, all personally identifiable data is deleted within 30 days. Anonymized contributions to the Knowledge Graph are irrevocably anonymized and cannot be removed.

7. Communication and Opt-Out

All proactive communications (Telegram, WhatsApp, SMS, email, push) require explicit opt-in. You can:

• Disable any channel at any time via the Connect page in the app

• Send /stop to the Second Spring Telegram bot to unsubscribe immediately

• Reply STOP to any SMS message

• Click unsubscribe in any email

We will honor opt-out requests immediately.

8. GDPR (European Users)

For users in the European Economic Area, our legal bases for processing are:

• Contract performance: Processing necessary to provide the service you've subscribed to

• Legitimate interests: Anonymized analytics and knowledge graph improvements

• Consent: Proactive communications and optional integrations

You have additional rights under GDPR including the right to lodge a complaint with your supervisory authority.

9. CCPA (California Users)

California residents have the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. For requests, contact [privacy@secondspring.design].

10. Children's Privacy

The Second Spring platform is intended for business owners and is not directed at children under 16. We do not knowingly collect information from children under 16.

11. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email or a prominent notice in the application at least 30 days before the changes take effect.

12. Contact

For privacy questions, data requests, or concerns:

• Email: [privacy@secondspring.design]

• Address: [Company Address — to be added]

This privacy policy was last reviewed and updated in March 2026.