Privacy Policy

Effective May 13, 2026.

This explains what data Porch collects, how it’s used, who processes it on our behalf, and the rights you have over it. Porch is operated by Vanillum Studio, a Delaware corporation (“we,” “us”).

1. What we collect

Account data. When you sign up, we store your email address and the metadata of the workspace you create (workspace name, billing plan, creation date).

Track data. The content you push through the SDK or API — step names, narration, progress numbers, summary and CTA. This is the data we render on the public track URL. We do not inspect it for advertising or training purposes.

Usage data. Standard server logs — IP address, user agent, request path, timestamp — used for security, debugging, and abuse prevention. We retain logs for up to 90 days.

Product analytics.We use a third-party analytics provider to understand how the dashboard and SDK are used in aggregate — which pages load, which features get adopted, where errors occur. This captures pseudonymous event data (anonymous device identifier, page URL, referrer, basic device and browser info, and product events like “track created”). It is used only to improve the product. We do not sell this data, and we never include the content of your tracks in analytics events.

Billing data. If you subscribe, Stripe collects your payment details directly. We never see card numbers; we receive only customer IDs, subscription status, and the last four digits for receipts.

2. How we use it

To run the service, render your tracks, send transactional emails (sign-in links, billing receipts, security notices), bill you for paid plans, support you when you ask, understand product usage in aggregate so we can improve the product, and enforce these terms. We do not sell personal data and we do not use customer data to train AI models.

3. Subprocessors

We use a small set of vendors to run the product. Each is contractually bound to handle data only as needed to deliver their service.

• Supabase — database, authentication, and realtime delivery (United States).
• Stripe — subscription billing and payment processing (United States, with global infrastructure).
• Vercel — hosting and edge delivery for the web app and API (United States, with global infrastructure).
• Product analytics provider — pseudonymous usage analytics and error monitoring for the dashboard and SDK (United States).

4. Cookies

Strictly necessary. A session cookie set by Supabase Auth so you stay signed in, and a preference cookie that remembers your color-scheme choice. These cannot be disabled without breaking the product.

Analytics.Our product analytics provider sets a first-party cookie (and uses local storage) to assign a pseudonymous device identifier so we can distinguish unique sessions and measure feature adoption. We do not use advertising or cross-site tracking cookies. Your browser’s “Do Not Track” or “Global Privacy Control” signal will be respected as an opt-out from analytics; you can also block third-party cookies in your browser settings.

5. Public track URLs

Track URLs are unguessable but unauthenticated by default — anyone with the link can read them. Don’t put data in a track that you wouldn’t want a recipient to forward. Tracks are retained for the period associated with your plan and then deleted; you can also delete a track manually from the dashboard at any time.

6. Data retention

We keep account data while your account is open and for a short wind-down period after closure (typically 30 days) so you can recover from accidental deletion. Track content follows the per-plan retention window listed in the dashboard. Server logs are retained for up to 90 days. Billing records are retained for as long as tax and accounting law requires.

7. International transfers

Our infrastructure is hosted in the United States. If you access Porch from outside the US, the data you submit will be transferred to and processed there. By using the service you consent to that transfer.

8. Your rights

You can access, correct, export, or delete your account data from the dashboard, or by emailing us. Depending on where you live (notably the EU/UK under GDPR, or California under CCPA), you may have additional rights — including the right to object to processing, restrict it, or lodge a complaint with a supervisory authority. We’ll honor those requests within the timeframes the law requires.

9. Children

Porch is a B2B developer tool. It’s not directed at children under 16, and we don’t knowingly collect data from them. If you believe a child has signed up, contact us and we’ll delete the account.

10. Security

Data is encrypted in transit (TLS) and at rest. Internal access is limited to what’s needed to operate the service. No system is perfectly secure; if we discover a breach affecting your data, we’ll notify you without undue delay.

11. Changes

We’ll post material changes at this URL with a new effective date and, where reasonable, notify you by email. Continued use after the change means you accept the updated policy.

12. Contact

Privacy questions, data requests, or breach reports: alex@vanillum.studio.

See also: Terms of Service.