Privacy Policy

Account information. When you sign up, we collect your name, email address, phone number, company name, country, and city. We use this to create your account, provision your organization, and contact you about the Service.

Customer Content. The Service stores tickets, messages, attachments, time entries, invoices, and other materials you and your end users submit. This is governed by our Terms of Service and treated as your data.

Payment information. Subscription billing is handled by Stripe, Inc. We never see or store your full card number. Stripe shares with us a customer ID, the last four digits of your card, the card's brand and expiry, and billing-address fields you provide to Stripe.

Usage and device information. We collect IP address, browser type, operating system, referrer URL, pages visited, time on page, and similar telemetry. This is used to operate, secure, and improve the Service.

Cookies and similar technologies. See “Cookies and Tracking” below.

Communications. If you email us or fill out a form, we retain that correspondence to respond and to keep records.

We use the information we collect to:

• Provide, maintain, and improve the Service;
• Process subscription payments via Stripe;
• Send transactional email (account setup, password reset, billing notifications) via Amazon SES;
• Detect, prevent, and respond to fraud, abuse, and security incidents;
• Comply with applicable legal obligations and respond to legal requests;
• Communicate updates about the Service, security notices, and legal changes;
• Understand aggregate usage patterns through analytics so we can prioritize improvements.

We do not sell or rent personal information. We do not use Customer Content to train machine-learning models.

We use the following third-party providers to operate the Service. Each is contractually bound to handle information consistent with this Policy and with applicable law:

• Amazon Web Services (AWS) — application hosting, data storage (DynamoDB), file storage (S3), email delivery (SES). Region: US East (N. Virginia).
• Stripe, Inc. — subscription billing and payment processing. Stripe is PCI-DSS Level 1 certified.
• Google LLC — Google Analytics (anonymous usage analytics, opt-in) and reCAPTCHA Enterprise (bot protection on signup, login, and password-reset forms).
• Anthropic, PBC — when LLM features are enabled on your plan, we may send ticket titles and tag libraries to Anthropic's Claude API for tag inference. Disabled by default.

We may also share information when required by law, in response to a valid legal process, to enforce our Terms of Service, or to protect the rights, safety, or property of SupportFix, our customers, or the public.

In the event of a corporate transaction (merger, acquisition, asset sale, or financing), information may be transferred to the acquiring entity, subject to commitments under this Policy.

We use first-party cookies for authentication (a session token after sign-in) and to remember UI preferences (theme, dismissed banners). These are essential for the Service to function and cannot be disabled without breaking sign-in.

We use Google Analytics to understand how visitors use our public marketing pages. Analytics cookies are set only after you accept them via the cookie banner shown on first visit. You can decline; analytics will then be disabled for that browser. We use Google Consent Mode v2 to communicate your choice to Google.

We do not use third-party advertising cookies or sell information to advertisers.

Depending on your jurisdiction, you may have rights regarding your personal information, including:

• Access — request a copy of the personal information we hold about you;
• Correction — ask us to correct inaccurate or incomplete information;
• Deletion — ask us to delete your personal information, subject to limited exceptions (e.g., information we must retain for accounting or legal-compliance reasons);
• Portability — receive a copy of your data in a portable format;
• Objection / restriction — object to certain processing or ask us to restrict it;
• Withdraw consent — withdraw consent for processing where we rely on consent (e.g., analytics).

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to deletion, and the right to opt out of “sale” or “sharing” of personal information (we do neither). EU and UK residents have rights under GDPR / UK GDPR including the rights listed above plus the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, email privacy@supportfix.ai. We will respond within the timelines required by applicable law.

We retain Customer Content for the duration of your subscription. Following cancellation or termination, we retain Customer Content for up to 90 days to allow for reactivation or export, after which we delete or anonymize it unless we are required by law to retain it longer (for example, payment-audit records and billing history are retained for at least 7 years for tax and accounting purposes).

Backups follow a separate retention schedule. We use AWS-managed point-in-time recovery (35 days) and longer-term backup vaults; deleted data may persist in backups for the backup window before being purged.

We protect information using a combination of technical and organizational measures, including:

• TLS 1.2+ encryption for all data in transit;
• AES-256 encryption at rest for DynamoDB and S3;
• Strict IAM-scoped access to production systems with audit logging;
• Multi-factor authentication for administrative access;
• Regular dependency scanning and prompt patching of known vulnerabilities;
• Bot protection (reCAPTCHA) on public authentication endpoints;
• Segregated test and live billing environments.

No system is completely secure. If we become aware of a breach involving your personal information, we will notify affected customers and applicable authorities as required by law.

The Service is hosted in the United States. If you access it from outside the U.S., information you submit will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards to lawfully transfer personal data from the EEA, UK, and Switzerland to the U.S.

The Service is not directed to children under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@supportfix.ai and we will delete the information promptly.

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the latest revision. Material changes will be communicated via email or in-product notification at least 30 days before they take effect.

Privacy questions or requests? Email privacy@supportfix.ai. Security disclosures? Email security@supportfix.ai.