1. Introduction and Contact
This Privacy Policy describes how OCM Asesorias SpA (RUT: 78.230.997-8), operating the Airsheet service ("Airsheet," "we," "us," or "our"), collects, uses, stores, and protects your personal data.
Data Controller: OCM Asesorias SpA, Curicó, Maule, Chile
Contact for Privacy Matters: support@airsheet.dev
We are committed to protecting your privacy and complying with applicable data protection laws, including the laws of Chile, the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA), where applicable.
2. Personal Data We Collect
We collect the following categories of personal data:
a. Data Provided by Third-Party OAuth Providers (Google/Microsoft)
- Identity Data: Full Name, Email Address, and Profile Picture
- Purpose: Used for account creation, login, and identification within the Service
b. Automatically Collected Data (Log Data)
- Usage Data (via Plausible): Anonymous statistics on time spent in conversations and platform usage. This data is collected in an event-driven manner and is not tied to an IP address or cookie.
- Server and System Logs (via Supabase & Resend): IP Address (in server logs), Device Data (OS/browser type), Request Metadata (timestamps, API endpoints), Error Logs, and Email Delivery Status (delivered, opened, clicked)
- Purpose: Security monitoring, diagnosing technical issues, system performance improvement, and ensuring email deliverability
c. Billing Data (via FastSpring)
Payment Information: We do not directly store your full credit card details. This information is collected and processed securely by our payment processor, FastSpring. We receive limited billing information (e.g., name, billing address, last four digits of the card) for transaction verification.
d. User Content
Conversations: The data and content you upload, create, or generate while using the AI Agent.
3. How We Use Your Data (Purpose and Lawful Basis)
We use your personal data for the following purposes, based on the corresponding legal basis:
| Purpose of Processing | Categories of Data Used | Lawful Basis (GDPR) |
|---|---|---|
| To Provide the Service (Account login, AI Agent function, billing) | Identity Data, Billing Data, User Content | Contract Necessity (Processing is necessary to perform the contract with you) |
| To Improve the Service (System performance, feature usage statistics) | Usage Data, Server Logs | Legitimate Interest (Improving our service and user experience) |
| To Send Service-Related Emails (Password resets, billing notifications) | Email Address, Resend Log Data | Contract Necessity |
| To Send Marketing Communications (Platform-related updates, promotions) | Email Address | Consent (You have the right to opt-out at any time) |
4. Data Sharing and Third-Party Processors
We share your data only with the following third-party service providers (Data Processors) who process data on our behalf:
| Processor | Service Provided | Data Shared | Location |
|---|---|---|---|
| Supabase | Cloud Hosting and Database | All data (encrypted) | USA (Ohio) |
| FastSpring | Payment Processing | Billing Data | Global |
| Plausible | Privacy-Respectful Analytics | Anonymous Usage Data | EU |
| Resend | Email Delivery | Email Address, Email Log Data | USA |
No Sale of Personal Data: We do not sell, rent, or share your personal data with third parties for cross-context behavioral advertising or marketing purposes.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- User Content (Conversations): Deleted according to the tiered schedule outlined in the Terms of Service (Section 5.3)
- Account Data (Email, Name): Retained until you request account deletion, to allow for easy return to the Service
- Log Data: Retained for a short period (typically 30-90 days) for security and troubleshooting purposes
6. International Data Transfers
Your personal data is primarily stored on servers located in the United States (Ohio, USA). Since we offer our Service globally, this means your data may be transferred to, and processed in, a country outside of your jurisdiction.
For users in the EEA, we ensure your data is protected by implementing appropriate safeguards. We rely on Standard Contractual Clauses (SCCs), as approved by the European Commission, to govern the transfer of your data to our US-based sub-processors (Supabase, FastSpring, Resend). We have entered into Data Processing Addendums with these processors that incorporate the SCCs.
7. Data Security
We implement technical and organizational security measures to protect your data, including encryption at rest and in transit, server-side access controls, and the use of the Principle of Least Privilege (PoLP) for client-side access.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right to Access: The right to request copies of the personal data we hold about you
- Right to Rectification: The right to have inaccurate or incomplete data corrected
- Right to Erasure ("Right to be Forgotten"): The right to request the deletion of your personal data
- Right to Object/Restrict Processing: The right to object to or request that we restrict the processing of your personal data
- Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format
- Right to Opt-Out of Marketing: The right to opt-out of receiving marketing communications from us
To exercise any of these rights, please submit a request to support@airsheet.dev. We will respond to your request within the timeframe required by applicable law.
9. Cookies and Tracking Technologies
We use minimal cookies and tracking technologies:
- Essential Cookies: Required for authentication and session management
- Preference Cookies: Remember your settings (theme preferences, language)
- Analytics: We use Plausible Analytics, which does not use cookies or collect personal data
We do not use third-party advertising cookies or tracking pixels. You can control cookie preferences through your browser settings.
10. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through an in-app notification. Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the new terms.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Legal Entity: OCM Asesorias SpA (RUT: 78.230.997-8)
Location: Curicó, Maule, Chile
Support Email: support@airsheet.dev