Privacy Policy
Last updated: May 2026
Pain Radar ("the Service") is operated by Jordan Slater from Queensland, Australia. This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and your rights under the Australian Privacy Act 1988.
1. What we collect
We collect the minimum personal information needed to operate the Service:
- Email address — when you sign up for an account or subscribe to the free digest. Used to send the digest, transactional emails (receipts, password resets), and account notifications.
- Authentication metadata — Supabase issues a unique user ID and stores your hashed password and session tokens. We never see your plaintext password.
- Subscription state — your current tier (free/Builder/Pro), Stripe customer ID, subscription status, and billing period end. Stored in our own database.
- User preferences — if you customise the opportunity score weights on the dashboard, those settings are stored against your user ID.
- Usage data — minimal server logs (request timestamps, status codes, user agent) retained for debugging and abuse prevention. We do not run a behavioural-analytics tracker.
2. What we do NOT collect
- We do not track your browsing behaviour across the web.
- We do not run third-party advertising or marketing trackers.
- We do not load Google Analytics, Facebook Pixel, or similar.
- We do not store credit card details — payment data is handled directly by Stripe, who are PCI-DSS compliant.
- We do not sell, rent, or share your personal information with marketers or data brokers.
3. How we use your data
- To provide the Service — authenticate you, render your dashboard, save your preferences.
- To send the weekly email digest if you've subscribed.
- To process subscription payments and renewals (via Stripe).
- To respond to support requests.
- To debug, secure, and operate the Service.
- To comply with legal obligations if required.
4. Public-source data — and what we do with it
The opportunities surfaced by Pain Radar are derived from publicly available text — comments left on public YouTube videos, and suggestions returned by Google's public Autocomplete endpoint. We do not collect personal information about the people who left those comments.
At ingestion time we run a PII-stripping pass that replaces email addresses, phone numbers, @-mentions, and personal profile URLs (Instagram, Facebook, LinkedIn, Twitter/X, Reddit user pages) with placeholder tokens before the text is stored. We do not attempt to identify, profile, or contact the original commenters.
5. Third-party services
To operate the Service we share a minimum of data with the following processors:
- Supabase (authentication + user data storage; Sydney region) — supabase.com/privacy
- Stripe (payments) — stripe.com/au/privacy
- Resend (transactional + digest email delivery) — resend.com/legal/privacy-policy
- Anthropic (LLM inference for pain extraction and scoring) — anthropic.com/privacy
- Voyage AI (text embeddings) — voyageai.com/privacy-policy
- Google (YouTube Data API, Autocomplete) — public data only, governed by Google's terms.
- Railway and Vercel (hosting) — for infrastructure.
These processors only receive the data needed to perform their specific function (e.g. Stripe receives your email + payment details; Anthropic receives the comment text we ingested but never sees your account email).
6. Where your data is stored
Your account data lives in Supabase's Sydney region, in compliance with the Australian Privacy Principles' guidance on cross-border disclosure. Payment data is held by Stripe in their PCI-compliant infrastructure. Pipeline-derived data (the public-source ingest and resulting cluster scores) lives in a SQLite database on our application server (Railway, currently US-region).
7. Cookies and local storage
Pain Radar uses the minimum browser storage required to keep you signed in:
- Supabase auth tokens are stored in your browser's localStorage by the Supabase JavaScript client. This is essential for the Service to remember that you're logged in.
- We do not set any marketing, analytics, or third-party cookies.
- Signing out (or clearing browser storage) removes the auth tokens.
8. Your rights
Under the Australian Privacy Act 1988 you have the right to:
- Access the personal information we hold about you.
- Correct any inaccurate information.
- Request deletion of your account and associated personal data. Note that some records (e.g. financial transactions) may need to be retained for legal/tax purposes.
- Unsubscribe from the digest at any time via the link in every email, or by contacting us.
- Make a complaint to us in the first instance. If unresolved, you may contact the Office of the Australian Information Commissioner (oaic.gov.au).
To exercise any of these rights, email privacy@painradar.co.
9. Data retention
We keep account data while your account is active and for a reasonable period afterwards in case you want to reactivate. Subscription/billing records are retained for the period required by Australian tax and accounting law (currently 5 years). Email digest opt-out records are retained indefinitely so we don't accidentally re-email someone who has unsubscribed.
10. Security
We use HTTPS for all traffic, encrypted databases, modern authentication (Supabase ES256 JWTs), and the principle of least privilege for processor access. No system is perfectly secure; if we detect a breach affecting your personal information we will notify you in line with the Notifiable Data Breaches scheme.
11. Children
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe we have, please contact us and we'll delete it.
12. Changes to this policy
Material changes will be communicated by email and reflected on this page. The "Last updated" date at the top tracks the most recent revision.
13. Contact
Privacy enquiries: privacy@painradar.co
General support: support@painradar.co
This policy may be updated as Pain Radar evolves.