Privacy Policy

Last updated: May 2026

This policy explains what personal data we collect, why, and what we do with it. It applies to GeoPilot AI, operated by Smart Bhujal in Andhra Pradesh, India. We aim to comply with the Digital Personal Data Protection Act 2023 (India) and the GDPR (for users in the EEA/UK).

What we collect

From your OAuth provider (Google or GitHub):

  • Email address
  • Display name
  • Profile picture URL (optional)

From your use of the Service:

  • Files you upload (shapefiles, CSV, GeoJSON, GeoTIFF, etc.)
  • Database credentials you save for the Connections feature, encrypted at rest in Supabase Vault
  • Prompts you send to the AI and the responses generated
  • Project and layer metadata (names, colours, geometry)
  • Basic usage telemetry (prompts per day, storage used, plan info)
  • IP address and User-Agent string, for security and audit logging only

From payments (if you subscribe):

  • Email, name, country, and payment method last-4 digits via Razorpay
  • We do not store full card numbers. Razorpay is PCI-DSS compliant.

Why we collect it

  • Provide the Service. Files, prompts, and metadata are needed to run analyses.
  • Bill paid plans. Payment info via Razorpay.
  • Send transactional email. Sign-in alerts, payment receipts, refund confirmations.
  • Audit and security. IP, User-Agent, and timestamps for unusual-activity detection.
  • Improve the product. Aggregated, anonymised usage stats only.

What we share

We share data only with the third parties needed to run the Service:

  • AI model providers (Anthropic, Google, OpenAI) — relevant prompt context to fulfil your request. None of these providers train on our customer prompts under their enterprise terms.
  • Razorpay — for payment processing.
  • Supabase — managed Postgres, where your account and project data live.
  • Google Cloud Storage — where uploaded files and generated layers are stored.
  • Vercel — application hosting and edge compute.
  • Resend — transactional email.

We do not sell personal data. We do not share data for third-party advertising.

Where data lives

Data is stored in cloud infrastructure that may operate from regions outside India (currently Mumbai for Supabase and US-Central for Google Cloud Storage). By using the Service you consent to this transfer.

How long we keep data

  • Account profile, projects, layers: until you delete them or cancel and the 30-day grace window ends.
  • Audit log (sign-ins, billing events): 12 months.
  • Payment records: 7 years (Indian tax law requirement).
  • Cancelled accounts: 30-day read-only grace, then permanent deletion of all User Content.

Your rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (subject to legal retention requirements)
  • Export your data in a portable format
  • Withdraw consent for non-essential processing

To exercise any of these rights, email support@smartbhujal.com. We respond within 30 days.

Cookies and tracking

We use only the cookies needed to keep you signed in (NextAuth session cookie) and to remember your preferences. We do not use third-party advertising or cross-site tracking cookies.

Children

The Service is not directed at children under 18. We do not knowingly collect data from minors.

Security

Data is encrypted in transit (TLS 1.2+) and at rest. Database credentials in the Connections feature are stored in Supabase Vault using pgsodium-backed encryption. We follow least-privilege access for production systems.

Changes

Material changes to this policy will be communicated by email or in-app notice. The “Last updated” date above reflects the most recent revision.

Contact

Privacy questions: support@smartbhujal.com.

Related policies
Refund PolicyCancellationTerms of ServicePrivacyContact