FollowUpOS← Back

Legal

Privacy Policy

Effective date: April 25, 2026

This Privacy Policy explains how PCA Bookkeeping ("we", "us") collects, uses, and protects your personal data when you use FollowUpOS (the "Service") at https://followupos.com. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state privacy laws (including the California Consumer Privacy Act).

1. Who we are

Data controller: PCA Bookkeeping
Address: [YOUR REGISTERED ADDRESS — STREET, CITY, POSTAL CODE, COUNTRY]
Contact: privacy@dealsharp.app

2. What we collect and why

2.1. Account data

When you sign up we collect your email address and a hashed password (via Supabase Auth). We may also collect a display name and a "voice sample" you paste in onboarding so the AI can rewrite drafts in your style.

Lawful basis (GDPR Art. 6): performance of a contract — we need this to provide the Service.

2.2. Lead and follow-up data you create

You enter information about your business contacts ("leads") into the Service: their name, company, role, LinkedIn URL, email, phone, notes, and the communications you've had with them. You are the data controller for this lead data; we process it on your behalf as your data processor.

Lawful basis: performance of a contract with you (and, with respect to your leads, your own lawful basis under your customer relationship).

2.3. Billing data

If you subscribe, our payment processor (Stripe) collects your billing details. We never see or store your full card number — Stripe sends us a customer ID and subscription status only.

Lawful basis: performance of a contract; legal obligation (tax and accounting records).

2.4. Usage and technical data

Our hosting provider (Vercel) logs basic technical information (IP address, user-agent, request paths) for security and reliability. We do not run third-party analytics, advertising, or tracking pixels.

Lawful basis: legitimate interest in keeping the Service secure and operational (GDPR Art. 6(1)(f)).

3. AI processing

When you click "AI draft" or "Rewrite in my voice", the relevant lead context (the lead's name, role, company, your notes about them, and your voice sample) is sent to Anthropic's Claude API to generate a message. Anthropic's published policy is that API inputs and outputs are not used to train their models and are deleted within 30 days unless required by law. See Anthropic's privacy policy.

4. Sub-processors

We rely on the following sub-processors to operate the Service. We require each to handle your data with appropriate safeguards.

  • Supabase, Inc.Database + authentication (US, EU regions available). Region: US (we use the EU region where available). Privacy policy.
  • Anthropic, PBCAI follow-up message drafting & rewriting (Claude API). Region: US. Privacy policy.
  • Stripe, Inc.Payment processing (subscriptions). Region: US / Ireland. Privacy policy.
  • Resend, Inc.Transactional email (daily digest). Region: US. Privacy policy.
  • Vercel, Inc.Application hosting & content delivery. Region: US. Privacy policy.

5. International data transfers

Some sub-processors are based in the United States. Where transfers from the EEA/UK to a third country occur, we rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework as the legal mechanism, depending on the sub-processor's certifications.

6. How long we keep your data

  • Account & lead data: for the lifetime of your account. Deleted within 30 days of account deletion.
  • Billing records: retained for the period required by tax law (typically 7 years).
  • Email logs: 90 days for delivery diagnostics.
  • AI inputs: deleted by Anthropic within 30 days per their policy.

7. Your rights

Under the GDPR, UK GDPR, and CCPA you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • request erasure ("right to be forgotten") — you can delete your account from Settings at any time;
  • receive a copy of your data in a portable format — also available from Settings → "Export my data";
  • object to or restrict certain processing;
  • lodge a complaint with your local supervisory authority (e.g. AEPD in Spain, ICO in the UK, CNIL in France).

To exercise any right, email us at privacy@dealsharp.app. We respond within 30 days.

8. Cookies

We use a small number of strictly necessary cookies for authentication and session management. We do not use advertising or analytics cookies. You can browse the public marketing pages without consent; signing in requires accepting authentication cookies.

9. Children

The Service is not intended for use by anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact privacy@dealsharp.app and we will delete it.

10. Security

All traffic is encrypted in transit (HTTPS). Data at rest is encrypted by our sub-processors. Database access is restricted by row-level security so users can only ever read or write their own data. Passwords are hashed and salted by Supabase Auth.

11. Changes to this Policy

We may update this Policy from time to time. The Effective date above shows when it was last changed. Material changes will be communicated by email to active users.

12. Contact

For privacy questions or to exercise your rights, email privacy@dealsharp.app. Mail can be sent to [YOUR REGISTERED ADDRESS — STREET, CITY, POSTAL CODE, COUNTRY].