This Privacy Policy describes how Cabbge ("Cabbge", "we", "us") collects, uses, discloses, and protects personal data when you use our Service. It is written to comply with India's Digital Personal Data Protection Act 2023 (DPDP Act) and standard global expectations.
Cabbge is a business-to-business SaaS product. We process data primarily about (a) the people who sign up to use our Service (you, the customer representative), and (b) the brands, websites, and public content you ask us to analyse. We do not knowingly process personal data about individual home buyers.
1. Data Controller and Contact
Cabbge acts as the data fiduciary (controller) for personal data about our own customers, and as a data processor for personal data contained in Customer Data you submit.
For privacy questions, requests, or complaints, contact our Privacy Officer at privacy@cabbge.com. We will respond within 30 days.
2. What We Collect
- Account and billing data — name, work email, company name, billing address, tax ID where applicable, subscription tier, payment status. Card numbers are handled by our payment processor and never touch Cabbge servers.
- Customer-submitted data — brand details, the URLs you choose to track, brand context, brand voice / positioning notes, and content you generate inside the platform.
- Scan data — results of AI visibility scans, audit scores, mention-tracker output, off-domain coverage checks, score history, drift alerts, and derivative analyses.
- Usage data — API request logs, feature-interaction events, IP address, browser / device metadata, session identifiers. We use this for product analytics, security, debugging, and rate-limiting.
- Support and communications data — emails and chat conversations between you and us.
3. What We Don't Collect
- We do not collect personal data about your end customers or website visitors. You should not upload customer contact lists to Cabbge.
- We do not process payment card numbers directly. Card data is handled by our merchant of record (Dodo Payments) under their PCI-DSS compliant infrastructure.
- We do not sell personal data to third parties. Ever.
- We do not collect special-category data (health, biometric, financial beyond billing basics, etc.) and you should not submit any.
4. Lawful Basis and Purposes
We process data on these bases:
- Performance of contract — to provide the Service you signed up for.
- Legitimate interest — to improve the Service, prevent abuse, secure the platform, and communicate with you about your account.
- Consent — for optional communications (product updates, newsletters) that you can opt out of at any time.
- Legal obligation — to retain billing records, comply with tax authorities, and respond to lawful government requests.
5. Sub-Processors
We use the following trusted sub-processors to deliver the Service. Each has its own security posture and privacy commitments. Customer Data is processed within these systems only as needed to operate the Service.
| Sub-processor | Purpose | Data type | Region |
|---|---|---|---|
| Supabase | Database and authentication | All Customer Data, account data | AWS ap-south-1 (Mumbai) |
| Vercel | Application hosting and edge network | Request logs, in-transit data | Global edge + primary region in Mumbai |
| OpenAI | Language-model and web-search APIs | Prompts derived from Customer Data; no training on our API data | United States |
| Google (Gemini) | Language-model and grounded-search APIs | Prompts derived from Customer Data | United States / Global |
| Google PageSpeed Insights | Performance and SEO audits | Public URLs only | Global |
| Dodo Payments | Payment processing and merchant of record | Billing information, card data | United States / Global |
| Anthropic (optional) | Backup language-model provider | Prompts derived from Customer Data | United States |
We will provide at least 30 days' notice of material changes to this sub-processor list to paying customers with an active subscription.
6. AI Providers and Training
We use OpenAI and Google Gemini APIs under commercial agreements that prohibit the use of your prompts or completions to train their public models. OpenAI's API data is retained for up to 30 days for abuse-monitoring and is then deleted, except where you opt out via Zero Data Retention (ZDR). Google Gemini operates similarly under its commercial API terms.
Cabbge does not train any model on Customer Data. Machine-learning features of the Service are powered by commercial third-party models that we invoke on your behalf.
7. Cross-Border Transfers
Some of our sub-processors operate in the United States and other jurisdictions. Data transfers are made under the provider's published data-transfer safeguards, including Standard Contractual Clauses where applicable. For DPDP-regulated data, we rely on the absence of a central-government restriction on the relevant country and on the provider's contractual commitments.
8. Retention
We retain data only as long as needed to provide the Service and meet our legal obligations:
- Customer Data — for the lifetime of your subscription, plus 30 days after termination to allow export.
- Scan history — retained for the lifetime of your subscription so volatility and drift metrics remain meaningful.
- Billing records — retained for at least seven years to comply with Indian tax and audit requirements.
- Logs and operational telemetry — typically rotated within 90 days.
- Support communications — retained for three years for dispute-resolution.
9. Your Rights
Under the DPDP Act and applicable privacy laws, you have the right to:
- Access your personal data and request a copy.
- Correct inaccurate or out-of-date personal data.
- Request erasure of personal data, subject to our legal retention obligations.
- Withdraw consent for non-essential processing at any time.
- Nominate another person to exercise your rights in the event of incapacity or death.
- Lodge a complaint with the Data Protection Board of India.
To exercise any of these rights, email privacy@cabbge.com. We will verify your identity and respond within 30 days.
10. Security
We apply industry-standard technical and organisational measures to protect personal data, including:
- Transport encryption (TLS 1.2+) for all data in transit.
- Encryption at rest within our database and object storage (AES-256 by sub-processor default).
- Least-privilege access controls for team members.
- Row-level security policies so customers can only read and modify their own data.
- Secret management via Vercel environment variables with access scoped per project.
- Regular review of dependencies for published vulnerabilities.
No system is perfectly secure. If you believe you have found a security issue, email security@cabbge.com. We commit to acknowledging reports within 72 hours and will notify affected customers without undue delay in the event of a confirmed personal-data breach, in line with DPDP Act timelines.
11. Cookies
Cabbge uses cookies strictly necessary for authentication and session management (e.g. keeping you signed in, remembering demo-mode state). We do not use third-party advertising cookies on the application. The public website may use privacy-preserving analytics that do not identify individual users.
12. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a minor has submitted personal data, contact us and we will delete it.
13. Changes to this Policy
We may update this Privacy Policy. Material changes will be announced by email or in-product notice at least 30 days before they take effect for paying customers. The "Last updated" date at the top reflects the current version.
14. Contact
Privacy Officer: privacy@cabbge.com
Security reports: security@cabbge.com
General legal: legal@cabbge.com