Privacy Policy
This policy explains what data Compass collects, why, and what you can do about it. Compass is operated by Compass Studio (referred to as “we,” “us,” or “Compass” below). The product runs at getcompass.studio.
1. What we collect
When you sign up and use Compass, we collect:
- Account details: your name, email address, password (hashed, never readable to us), and optionally an avatar image.
- Workspace content: leads, contacts, notes, pricing inputs, calendar entries, and other information you choose to enter.
- Webhook data: any lead enquiry payload your website or third-party tools (Zapier, Meta Lead Ads) send to your webhook endpoint.
- Usage signals: anonymous pageview counts and Core Web Vitals via Vercel Analytics. No cross-site tracking, no advertising cookies.
- Session cookies: required to keep you signed in. Set by our auth provider (Supabase) and read only by Compass.
2. How we use it
- To run the service you signed up for.
- To send transactional email (signup confirmation, password reset, results emails you trigger).
- To debug errors, monitor uptime, and improve performance.
- To bill you, if you're on a paid plan (handled by Stripe; we never see your full card number).
We do not sell your data. We do not share it with advertisers. We do not train AI models on your workspace content.
3. Where it's stored
Your workspace data lives in a managed Postgres database on Supabase (Singapore region). Email is sent through Brevo. Hosting and edge delivery are on Vercel. Each provider has its own privacy practices; links to their policies are at the bottom of this page.
Workspaces are isolated by row-level security: every query is scoped to your user ID at the database layer, so other Compass users cannot read your data even if our application code had a bug.
4. Third-party services we rely on
- Supabase: database, authentication, and file storage. Privacy.
- Vercel: hosting, edge delivery, and anonymous analytics. Privacy.
- Brevo: transactional email delivery. Privacy.
- Stripe (paid plans): payment processing. Privacy.
5. Your rights
You can, at any time:
- Access your data, by exporting it from Settings → Account.
- Correct inaccurate information by editing it in the app.
- Delete your account and all associated workspace data from Settings → Account. Deletion is permanent and cannot be reversed.
- Object to specific processing or port your data elsewhere by emailing hello@getcompass.studio.
If you're in the EU/UK we treat these as your GDPR rights; in California, CCPA; in Australia, the Australian Privacy Principles. Whichever jurisdiction protects you most strongly is the one that applies.
6. Retention
We keep your data while your account is active and for up to 30 days after deletion (so you can recover if you change your mind). After that the data is purged from production. Backups follow the same lifecycle, with one additional grace window of up to 30 days.
7. Security
All traffic is HTTPS-only with HSTS preload. Auth credentials are stored as salted hashes by Supabase. The service role key (which would bypass row-level security) is held server-side only and never sent to browsers. Workspaces are isolated at the database layer, not in application code.
8. Children
Compass is for people running businesses. We don't knowingly collect data from anyone under 16; if you believe a minor has signed up, email us and we'll delete the account.
9. Changes to this policy
If we make material changes we'll email signed-in users at least 14 days before they take effect. Minor wording changes (typos, clearer phrasing) happen without notice. The “Last updated” date at the top of this page is the source of truth.
10. Contact
Privacy questions or requests: hello@getcompass.studio.
This document is plain-English on purpose. Where there's ambiguity, the Terms of Service and applicable law govern.