← Conductor

Privacy Policy

Last updated: April 13, 2026

1. Introduction

Conductor (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service at conductor.software.

We comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. If you have questions, contact us at privacy@conductor.software.

2. Data We Collect

We collect the following categories of personal data:

Account Data

  • Email address (required for authentication)
  • Full name and profile photo (optional, from Google OAuth if used)
  • Authentication tokens (managed by Supabase Auth)

Project and Usage Data

  • Project names and configuration
  • Specs: titles, descriptions, statuses, and task content
  • Execution logs generated by the local orchestrator
  • Repository context (via Repomix snapshots you explicitly upload to enable AI-assisted spec creation)

Technical Data

  • IP address and browser user-agent (for security and rate limiting)
  • API key usage metadata (request timestamps, endpoints called)

Analytics Data

  • Page views, feature interactions, and session data (via PostHog)
  • PostHog may set cookies to identify returning sessions. See the PostHog privacy policy for details.

3. How We Use Your Data

We use your data to:

  • Provide and operate the Conductor platform
  • Authenticate your account and keep it secure
  • Process payments and manage your subscription
  • Send transactional emails (account confirmation, billing receipts, critical service updates)
  • Analyze aggregate usage to improve the product
  • Respond to support requests and legal inquiries

We do not sell your personal data. We do not use your spec content or code to train AI models. Repomix snapshots are used solely to power the spec creation feature and are not shared with third parties.

4. Data Processors and Third Parties

We work with the following sub-processors:

Supabase

Database and authentication provider. Stores your account data, projects, specs, and tasks. Data is hosted in the EU (Frankfurt). See: supabase.com/privacy.

Vercel

Infrastructure provider. Hosts the Conductor web application. May process request metadata. See: vercel.com/legal/privacy-policy.

LemonSqueezy

Payment processor. Handles subscription billing, payment card data, and invoicing. Conductor does not store payment card information. See: lemonsqueezy.com/privacy.

PostHog

Product analytics. Collects anonymized event data to help us understand feature usage. You can opt out via browser settings or by contacting us. See: posthog.com/privacy.

5. Cookies

We use the following types of cookies:

  • Essential cookies: Required for authentication and session management (Supabase Auth). Cannot be disabled.
  • Analytics cookies: Set by PostHog to track product usage. Can be disabled by blocking cookies in your browser or contacting us.
  • Preference cookies: Store UI preferences such as theme (dark/light mode) and sidebar state. Stored in localStorage, not transmitted to our servers.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion:

  • Account data (email, profile) is deleted within 30 days
  • Project data (specs, tasks, logs) is deleted within 30 days
  • Billing records may be retained for 7 years to comply with tax and financial regulations
  • Anonymized analytics data may be retained indefinitely

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (“right to be forgotten”).
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request restriction of processing in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at privacy@conductor.software. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information we collect and share, request deletion of your personal information, and opt out of the sale of personal information (we do not sell personal information). To exercise these rights, contact us at privacy@conductor.software.

9. Security

We implement appropriate technical and organizational security measures to protect your data, including HTTPS encryption, database row-level security (RLS) via Supabase, API key authentication, and rate limiting. However, no system is completely secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The “Last updated” date at the top indicates when the policy was last revised.

11. Contact

For privacy inquiries, contact our privacy team at: privacy@conductor.software

For enterprise data processing inquiries or to request a Data Processing Agreement, see our DPA page.

Terms of ServiceDPABack to Conductor