Privacy Policy

Last updated: 2026-05-30 · Data controller: Built Ventures LLC (Delaware, USA), contact hello@getsharp.tech

1. Who we are

Sharp (getsharp.tech) is operated by Built Ventures LLC. We are the data controller for personal data we collect via the Service. There is no Data Protection Officer at present; for any privacy enquiry email hello@getsharp.tech and we will respond within 30 days.

2. What we collect

• Account data: your email address and a hashed password. Password hashing is performed by Supabase Auth using bcrypt; we never see your plaintext password.
• Payment metadata: Stripe customer ID, billing country, payment status, and Season Pass expiry date. We do not see or store your full card number; Stripe holds card data under PCI DSS Level 1.
• Practice data: the questions you attempt, the answers you submit (typed text or transcribed audio), the grading outputs, the follow-up chains, and per-skill progress.
• Operational logs: standard server and edge logs (IP, user-agent, route, status code, timestamp) retained for up to 30 days for abuse prevention and operational debugging.

We do not use third-party advertising trackers and we do not run a marketing analytics suite (no Google Analytics, no Mixpanel, no Hotjar) in the initial production version.

3. Audio handling

When you submit an audio answer, the raw audio is sent in-flight to our transcription provider (OpenAI gpt-4o-transcribe) and the returned transcript is stored alongside your other answer data. The raw audio is not persisted on Sharp's servers; only the transcript is retained.

4. Why we process your data

• To deliver the Service you signed up for (contract: GDPR Art. 6(1)(b)).
• To bill, take payment, and handle refunds (contract + legitimate interest in operating the business: GDPR Art. 6(1)(b), 6(1)(f)).
• To send transactional emails (account confirmation, Season Pass receipts, renewal reminders) (contract).
• To prevent abuse and secure the Service (legitimate interest: GDPR Art. 6(1)(f)).
• To improve the Service (analyzing aggregated practice data to improve grading rubrics) (legitimate interest: GDPR Art. 6(1)(f)).

5. Sub-processors

We share the minimum data needed to operate the Service with the following sub-processors:

• Supabase (Postgres database, authentication, file storage) — US-based, GDPR-compliant.
• Vercel (hosting, edge network, serverless functions) — US-based, GDPR-compliant.
• Stripe (payments, Stripe Tax) — Ireland and US.
• Google (Gemini API) (AI grading and follow-up generation) — US-based. Prompts and responses are not used by Google to train its models for paid API customers.
• OpenAI (audio transcription via gpt-4o-transcribe) — US-based. Prompts and responses are not used to train OpenAI models for paid API customers.
• Resend (transactional email delivery) — US-based.

Where data is transferred outside the European Economic Area, the transfer is covered by Standard Contractual Clauses (SCCs) entered into via each provider's data-processing terms.

6. Your rights (GDPR / UK GDPR)

If you are in the EEA or UK you have the right to:

• access the personal data we hold about you,
• rectify inaccurate data,
• request erasure (subject to records we must keep for tax / accounting purposes, typically 7 years for payment records),
• port your data in a machine-readable format,
• restrict or object to processing based on legitimate interest,
• withdraw consent at any time where processing is consent-based,
• lodge a complaint with your local supervisory authority.

To exercise any of these rights, email hello@getsharp.tech. We will respond within 30 days.

7. Data retention

• Account and practice data: retained while your account is active and for 12 months after your last login, then deleted on a quarterly sweep, unless you ask for earlier deletion.
• Payment records: retained for 7 years to satisfy US and EU tax-record requirements.
• Operational logs: 30 days.

8. Cookies

Sharp uses only strictly necessary cookies: a Supabase Auth session cookie for logged-in users, and Stripe Checkout cookies during the payment flow. We do not use third-party advertising or analytics cookies in the initial production version. No cookie banner is shown because no consent is required for strictly necessary cookies under EU ePrivacy guidance.

9. Children

Sharp is not intended for users under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, email hello@getsharp.tech and we will delete it.

10. Changes to this policy

We will update this policy as needed. Material changes will be announced via email to active Season Pass holders and posted here with a new "Last updated" date.

11. Contact

Privacy enquiries, GDPR requests, complaints: hello@getsharp.tech.