Convexly

Privacy Policy

Effective date: March 8, 2026

1. Overview

Convexly ("we", "us", "our") respects your privacy. This Privacy Policy describes how we collect, use, and protect your personal information when you use the Convexly platform ("the Service").

2. Information We Collect

Account information:

  • Email address (required for account creation)
  • Display name (optional)
  • Authentication tokens (managed by Supabase Auth)

Decision data you provide:

  • Decision titles, descriptions, and categories
  • Probability estimates and payoff scenarios
  • Outcome results and reflection notes
  • Assumptions and risk assessments
  • Team data (if using Team features)

Automatically collected:

  • Usage analytics (page views, feature usage) for product improvement
  • Error logs for debugging and reliability
  • IP address and browser type (standard server logs)

Payment information:

Credit card and billing details are collected and processed exclusively by Stripe. We never store, access, or transmit your full credit card number. We receive only a confirmation of payment status and the last 4 digits of your card for display purposes.

3. How We Use Your Information

  • Core functionality: Computing calibration scores, Brier metrics, Upside Ratios, and other decision analytics
  • AI features: Processing decision text through OpenAI for structuring and coaching (see Section 7)
  • Email communications: Sending weekly digests, monthly summaries, review reminders, and onboarding emails via Resend
  • Billing: Processing subscription payments via Stripe
  • Product improvement: Aggregated, anonymized usage patterns to improve the Service

We do not sell, rent, or trade your personal information to third parties. We do not use your decision data for advertising purposes.

4. Data Storage and Security

Your data is stored in Supabase (hosted on AWS infrastructure) with the following security measures:

  • Encryption at rest: All database data is encrypted using AES-256
  • Encryption in transit: All connections use TLS 1.2+
  • Row-Level Security (RLS): Database policies ensure users can only access their own data
  • JWT authentication: API requests are authenticated with signed tokens
  • API key hashing: Public API keys are stored as SHA-256 hashes, not plaintext

5. Third-Party Services

We share data with the following services, only as necessary to operate the platform:

ServicePurposeData Shared
SupabaseDatabase & authAll account and decision data
StripePaymentsEmail, subscription status
ResendEmail deliveryEmail address, email content
OpenAIAI structuringDecision text (see Section 7)
VercelHostingServer logs, IP addresses

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except:

  • Aggregated, anonymized analytics data (permanently retained)
  • Financial records required for tax/legal compliance (retained per applicable law)
  • Backup data (purged within 90 days of account deletion)

7. AI Data Processing

When you use AI-assisted features (decision structuring, coaching), the text of your decision is sent to OpenAI's API for processing. Important details:

  • We use the OpenAI API (not ChatGPT) — your data is not used to train OpenAI models
  • Decision text is sent only when you explicitly use AI features
  • OpenAI retains API data for up to 30 days for abuse monitoring, then deletes it
  • You may opt out of AI features entirely by not using the AI structuring tools

8. Cookies and Tracking

Convexly uses minimal cookies:

  • Authentication cookies: Required for login sessions (essential, cannot be disabled)
  • Theme preference: Stores your dark/light mode choice (localStorage)
  • Onboarding state: Tracks which tooltips you've dismissed (localStorage)

We do not use third-party tracking cookies, advertising pixels, or cross-site tracking. We do not use Google Analytics or similar surveillance-based analytics tools.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of your personal data (use the Export page)
  • Correction: Update inaccurate information (via Settings)
  • Deletion: Request deletion of your account and data
  • Portability: Export your data in standard formats (CSV)
  • Objection: Object to processing of your data for specific purposes
  • Restriction: Request limitation of data processing

To exercise these rights, contact us at privacy@convexly.app. We will respond within 30 days.

10. Email Communications

We send the following types of emails:

  • Transactional: Account creation, password reset (cannot be unsubscribed)
  • Onboarding: 3-email welcome sequence for new users
  • Weekly digest: Calibration report with coaching insights
  • Monthly summary: Monthly performance overview
  • Review reminders: Notifications when decisions are due for review

You can unsubscribe from non-transactional emails at any time via the unsubscribe link in any email or through Settings → Notifications.

11. Children's Privacy

Convexly is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

For privacy questions or data requests, contact us at privacy@convexly.app.

Terms of ServiceBack to Home