How we handle your data.

Last updated: May 7, 2026

How MainSign collects, uses, and protects your data.

This policy applies to anyone using trymainsign.com or services run by MainSign. It explains what we collect, how we use it, who we share it with, and what your rights are. If something here is unclear, email hello@trymainsign.com — we'll explain it.

Effective May 7, 2026. We update this policy as MainSign evolves; significant changes are emailed to active subscribers.

Three categories of data.

  • Account data: your name (if provided), email address, and a hashed password — managed by Supabase Auth, our authentication provider. We never see your password in plain text.
  • Subscription data: a Stripe customer ID, your subscription status (free, basic, pro), and the email Stripe associates with your billing. Stripe handles all card numbers and payment data — we never see them.
  • Scan data: the business name, business category, city, and optional website URL you provide; the AI responses we receive on your behalf; and the scores and recommendations we derive from those responses.

Things you might worry about — we don't have them.

  • Payment card numbers, CVVs, or billing addresses — Stripe handles all of that.
  • Browser fingerprinting beyond standard Vercel and Supabase request logs.
  • Behavioral tracking, ad-tech identifiers, or cross-site tracking pixels.
  • Personally identifiable information about your customers — MainSign only sees the accounts of the business owners who use the product, not the customers of those businesses.

Generating your scans, surfacing your visibility, improving the product.

We use the data we collect to:

  • Generate scans — we send your business name, category, and city to AI providers as part of real queries a customer might ask.
  • Surface your visibility — we store the AI responses we receive so we can score them, compare you to competitors, and show you trends over time.
  • Power email digests and alerts — so you receive the weekly or monthly summaries your subscription includes.
  • Improve the product — aggregate, anonymized usage may inform feature decisions; no individual data is shared.

We do not use your data to train AI models or build profiles about you.

Where your business name and queries flow.

To measure how AI platforms describe your business, we send queries to three providers:

  • OpenAI (ChatGPT and GPT models) — processes our queries to generate responses. Per OpenAI's API policy, API inputs and outputs are not retained for model training. Their privacy policy: openai.com/policies/privacy-policy.
  • Anthropic (Claude) — processes our queries to generate responses. API inputs and outputs are not retained for training. Their privacy policy: anthropic.com/legal/privacy.
  • Google AI (Gemini) — processes our queries to generate responses. API inputs are not retained for training under the Google AI Studio API terms. Their privacy policy: policies.google.com/privacy.

What we send these providers is what's needed to ask the question — typically a business name (e.g. “Joe's Pizza”), a category (“Italian restaurant”), and a city. We do not send your account email, your payment details, or any information about your customers to any AI provider. Each provider's privacy policy applies to data they process.

Things we will never do with your data.

  • We don't sell your data.
  • We don't share your data with advertisers.
  • We don't use your data to train AI models — yours, ours, or anyone else's.
  • We don't email you about products other than MainSign.
  • We don't permit third parties to access your account data unless required by law (for example, a valid subpoena).

Companies that help us run MainSign.

  • Stripe — payment processing, billing portal, invoices.
  • Supabase — database hosting, authentication, row-level security.
  • Vercel — application hosting and content delivery.
  • Resend — transactional email delivery (welcome emails, digests, alerts).
  • Google Places API — verifying that a business exists before running a scan, to prevent fake-business signups.

Each of these services has its own privacy policy. We share with them only what's required to provide the service.

Standard practices, applied consistently.

  • All data in transit is encrypted via HTTPS/TLS.
  • Data at rest is encrypted by our database provider (Supabase).
  • Authentication uses the PKCE OAuth flow with secure recovery tokens.
  • Database tables enforce row-level security, so your scans are visible only to your account.
  • Payment data lives only with Stripe — we never see, store, or transmit card numbers.

What you can ask us to do.

You can ask us to:

  • Access — tell you what we have on file. Email hello@trymainsign.com and we'll send a summary within 30 days.
  • Delete — remove your account and associated data. Email hello@trymainsign.com. Note: cancelling your subscription via the Stripe Customer Portal does not automatically delete your account data; explicit deletion requires emailing us.
  • Export — receive a copy of your scan history and account data. Same email.
  • Correct — update your account or business information. Some fields are self-serve in your dashboard; others (like changing your monitored business) require email until self-serve editing ships.

MainSign is for businesses, not minors.

We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, email hello@trymainsign.com and we'll remove the account.

Where MainSign is run from.

MainSign's servers and data processing are primarily in the United States. If you use MainSign from outside the US, your data is processed in the US. By using MainSign, you consent to this processing.

How we'll let you know.

We may update this policy as MainSign evolves. Significant changes — for example, new categories of data we collect or new third-party services — get an email to active subscribers. The latest version always lives at trymainsign.com/privacy with the “Last updated” date at the top.

Questions about your data?

Email hello@trymainsign.com — we read every one.