Privacy policy

Who this covers

This policy explains how Candor handles information for two kinds of people: recipients (account holders who collect feedback) and givers (anyone who responds to a feedback link, with no account required). We collect as little as possible, and the product is built so that anonymous feedback stays anonymous.

What we collect

• Recipients: your email, name, chosen link slug, optional profile photo and context blurb, notification preferences, and - only if you connect it - read-only calendar event metadata (titles, times, attendee emails).
• Givers: the feedback you submit. In named mode, the name (and email, if you choose to share it) you provide. In sealed (anonymous) mode, no identifying information is collected.
• Technical: a short-lived, salted hash of your IP address for rate limiting and abuse prevention. We never store raw IP addresses against feedback, and the giver form sets no cookies.

How anonymity works

For sealed responses, the connection between a comment and who wrote it is never stored - not hidden, not encrypted, never recorded at all. Timestamps shown to recipients are rounded to the week, and responses are released in batches, so no single response can be traced back to a moment or a person.

This is enforced at the database level, not by policy alone. We cannot reveal the author of a sealed response because that link does not exist in our systems.

How we use information

• To provide the service: host your link, deliver feedback, send requests and digests you've enabled.
• For AI summarization within your account only: feedback content may be processed to generate themes, sentiment, and suggested actions for you. It is not used to train third-party models and is not shared across accounts.
• We do not sell personal information, and we do not use feedback content for advertising.

Service providers

We share data only with vendors who process it on our behalf, under contract: Supabase (database, authentication, storage), Vercel (hosting), Resend (email delivery), Cloudflare (bot protection), Anthropic (AI summarization and abuse classification), and PostHog (product analytics - metadata only, never feedback content). Payment processing (Stripe) applies once paid plans launch.

Cookies & analytics

The public feedback form uses no cookies and no client-side tracking. The signed-in dashboard uses strictly necessary cookies for your session. Product analytics record metadata only (event types, counts, buckets) - never the content of feedback, and giver-side events are anonymous.

Retention & deletion

• Givers can delete their own response for 24 hours after submitting, via the link on the confirmation screen - this is a permanent hard delete.
• Recipients on the free plan see 60 days of history; older responses are hidden, not deleted, and return if you upgrade. Deleting your account permanently removes your links, questionnaires, and every response you've received.
• Hashed abuse-prevention data (rate-limit and opt-out hashes) is retained only as long as needed for that purpose.

Your rights

Depending on where you live (including under GDPR and CCPA), you may have the right to access, export, correct, or delete your personal information, and to opt out of certain processing. Recipients can export and delete from the app; anyone can email us to make a request. Givers who provided an email can use their confirmation link, or contact us.

Security

We use encryption in transit, encryption at rest for sensitive tokens, row-level access controls, and least-privilege access. No system is perfectly secure, but anonymity is protected structurally - there is no stored link to expose.

Children

Candor is not directed to children and is not intended for anyone under 16. We do not knowingly collect information from children.

Changes & contact

We'll update this policy as the product evolves and note the date above. Questions or requests: privacy@withcandor.app.