Privacy

Account: email address and an encrypted password hash. Optional: full name. Managed by Supabase Auth.

Company facts: the URL you submit and the structured facts our AI extracts from it (industry, milestones, metrics, customer quotes, executive team). You can review, edit, and delete these at any time from Settings → Company.

Source documents: if you upload a pitch deck or paste a LinkedIn URL, the file or fetched HTML is stored in private Supabase Storage with row-level security keyed to your user id.

Activity: which awards you shortlist, which briefs you generate, which submissions you mark as won/lost. Standard product analytics — no third-party trackers, no advertising pixels.

Billing: handled by Polar.sh, which is a Merchant of Record. Polar holds your payment details; we only see subscription status and metadata (user id, plan).

Anthropic Claude (Haiku 4.5 and Sonnet 4.6) processes your submitted text and extracted facts to score awards, generate briefs, and ingest catalog entries. We use Anthropic's zero-data-retention API tier — your inputs are not retained by Anthropic and not used to train any model.

Apify is used for fetching publicly available web content (your company website, the websites of award organizers). We do not send your private facts to Apify.

Row-Level Security in our Postgres database scopes every query to your user id. Other tenants cannot read your data. Our team can access data only via service-role credentials, which are used for: cron jobs (alerts, catalog refresh), debugging on your explicit request, and account deletion.

We never sell, share, or otherwise disclose your data to third parties for marketing or any non-operational purpose.

We use Resend to send transactional email: deadline alerts (30/14/7/3 days), password resets, and Supabase email confirmations. You can disable any deadline alert from Settings → Email alerts. We do not send marketing email.

You can export your facts and briefs as Markdown or JSON anytime via the support email.

You can delete your account permanently from Settings → Danger zone. This cascades through every table and removes your data within seconds. The auth row is also removed from Supabase.

For GDPR-specific requests (access, portability, erasure beyond the in-app delete), email privacy@laurelmark.io.

• Supabase — database, auth, file storage
• Anthropic — AI extraction, scoring, brief generation (zero data retention)
• Apify — public web scraping
• Resend — transactional email
• Polar.sh — billing and payments (Merchant of Record)
• Vercel — hosting and edge network

We use one cookie: the Supabase auth session token. No analytics, no advertising, no cross-site tracking.

If we change anything material, we will email account holders before the change takes effect.