Convek

Privacy Policy

Last updated: 16 April 2026

Convek (“we”, “us”) takes your privacy seriously. This policy explains what data we collect, why, and how we protect it.

1. What We Collect

Account data

  • Email address - required to create an account and for transactional email (password reset, usage alerts, etc.)
  • Password - stored as a bcrypt hash by Supabase Auth. We never see or store your plaintext password.
  • Subscription data - your plan tier and billing status, synced from Stripe.

API usage data

  • Request logs - API key prefix, endpoint, query parameters (lat/lon/date), timestamp, response code. Used for rate limiting, billing, and debugging.
  • Daily usage counters - aggregated request counts per API key per day.

Contact & marketing data

  • Contact form submissions - name, email, subject, and message. Stored in our email system (Resend) and optionally in our CRM (Brevo) if you opt in to the mailing list.
  • Waitlist signups - email and requested country. Stored in Brevo.
  • Mailing list - email only, if you explicitly opt in via the contact form.
  • Campaign attribution - UTM source, medium, campaign, ad content, landing page, and timestamp when you arrive via a tagged link such as a Reddit ad. If you then create an account, we copy that attribution onto your profile so we can measure which channels lead to signups and paid subscriptions.

Technical data

  • Standard web analytics - page views, paths, referrers, campaign tags, country, device type, and browser. Collected by Vercel Analytics and Umami. We use this to understand which pages people visit after campaigns such as Reddit ads. No cross-site tracking.

2. What We Don't Collect

  • We don't sell your data. Ever.
  • We don't use advertising trackers.
  • We don't share your data with third parties for marketing purposes.
  • We don't collect payment card details - Stripe handles all payment processing.

3. How We Use Your Data

  • Providing the service - authenticating you, enforcing rate limits, delivering forecasts.
  • Transactional email - account confirmation, password reset, usage alerts, contact form replies.
  • Billing - processing payments via Stripe, managing subscriptions.
  • Improving the service - understanding usage patterns, identifying bugs, planning capacity.
  • Marketing - only if you explicitly opt in. We use Brevo for mailing list management. You can unsubscribe at any time.

4. Third-Party Services

We use the following third-party services that may process your data:

  • Supabase - authentication and database (hosted in EU)
  • Stripe - payment processing
  • Cloudflare - DNS, CDN, API hosting, email routing
  • Vercel - website hosting
  • Resend - transactional email delivery
  • Brevo - contact lists and CRM (mailing list, waitlist)

Each of these services has its own privacy policy. We select services that are GDPR-compliant or offer adequate data protection.

5. Data Retention

  • Account data - retained for the lifetime of your account. Deleted when you delete your account.
  • API usage logs - raw request metadata is retained for up to 14 days, then aggregated or deleted.
  • Contact form messages - retained in our email for support purposes. Deleted on request.
  • Mailing list - until you unsubscribe.

6. Your Rights (GDPR)

If you're in the EU/EEA, you have the right to:

  • Access - request a copy of the data we hold about you.
  • Rectification - correct any inaccurate data.
  • Erasure- request deletion of your data (“right to be forgotten”).
  • Portability - receive your data in a structured format.
  • Objection - object to processing of your data for marketing.
  • Withdraw consent - for any processing based on consent (e.g. mailing list).

To exercise any of these rights, email hello@convek.dev. We'll respond within 30 days.

7. Cookies

We use essential cookies for authentication, plus a limited first-party attribution cookie when you arrive via a tagged campaign link. That attribution cookie stores channel data such as utm_source=reddit so we can measure signups and subscriptions from that campaign. Our web analytics setup is privacy-focused and does not use third-party advertising cookies or cross-site tracking cookies.

8. Children

Convek is not directed at children under 16. We do not knowingly collect data from anyone under 16.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email. The “last updated” date at the top of this page reflects the latest revision.

Contact

Privacy questions? Get in touch or email hello@convek.dev.