Privacy Policy

Last updated: May 2026. Applies to all POA Defender accounts.

Key disclosure: When you generate a Plan of Action, the suspension notice and seller context you submit are transmitted to Anthropic, PBC (the company behind Claude AI) for processing. This is how the AI generation works. We do not sell your data to advertisers. We do not train AI models on your content.

1. Who We Are

POA Defender is operated by Saltern Studio (“we”, “us”, “our”). We are the data controller for personal data processed through the Service.

For privacy enquiries, contact us at privacy@poadefender.com.

2. What Data We Collect

Account data — when you register: your full name and email address. Collected and stored via Supabase Auth.

Submission data — when you generate a Plan of Action: the Amazon suspension notice you paste, and the seller context you provide (business type, products sold, team size, time selling on Amazon, existing policies). This data is stored in our database and transmitted to Anthropic for AI processing.

Generated POA content — the Plans of Action generated by the Service, including root cause, corrective actions, preventive measures, quality score, and quality notes. Stored in our database and accessible from your account history.

Payment data — when you make a payment: your Paystack customer code and payment reference. We do not store your card number, CVV, or bank account details — these are held by Paystack under PCI DSS compliance.

Usage data — your plan type, POA generation count, subscription status, and account creation date.

Technical data — session tokens (stored in browser cookies by Supabase Auth). We do not use advertising cookies or third-party tracking pixels.

3. How We Use Your Data

We use your data to:

  • Provide and operate the Service — including generating Plans of Action using AI
  • Manage your account, subscription, and billing
  • Send transactional emails — account confirmation, payment receipts, password resets
  • Enforce rate limits and prevent abuse
  • Improve the Service — aggregate, anonymised usage patterns only
  • Comply with legal obligations

We do not use your submission data (suspension notices, seller context, or generated POAs) to train AI models. We do not sell your data to third parties. We do not use your data for advertising.

4. Third-Party Data Processors

We share data with the following third parties as necessary to operate the Service. Each is contractually bound to process your data only as instructed and in accordance with applicable privacy law.

Anthropic, PBC

AI processing — generates your Plan of Action

When you generate a POA, your suspension notice and seller context are transmitted to Anthropic's API. Anthropic processes this data to generate the text of your Plan of Action. Anthropic does not use API data to train its models by default. Review Anthropic's privacy policy and API usage policy for full details.

Supabase, Inc.

Database, authentication, and session management

Your account data, submission data, and generated POAs are stored in Supabase's managed PostgreSQL database. Authentication tokens and session cookies are managed by Supabase Auth. Data is stored in encrypted-at-rest databases.

Paystack

Payment processing

All payment transactions are processed by Paystack. Paystack is PCI DSS Level 1 compliant. We receive a customer code and payment reference from Paystack — we never see or store your full card number or bank details.

Cloudflare, Inc.

Hosting and infrastructure (Cloudflare Workers)

The Service is deployed on Cloudflare Workers. Cloudflare processes network traffic, including IP addresses, as part of serving the application. Cloudflare's privacy policy governs this processing.

5. Cookies

We use one category of cookies: strictly necessary session cookies set by Supabase Auth to keep you signed in. These cookies are essential for the Service to function and cannot be disabled.

We do not use advertising cookies, analytics cookies, or third-party tracking pixels of any kind.

6. Data Retention

Account data — retained for the lifetime of your account plus 30 days after closure.

Submission data and generated POAs — retained for the lifetime of your account. You can delete individual POAs from your account history at any time.

Payment records — retained for 7 years as required by financial regulations.

After account closure — all personal data is deleted within 30 days, except payment records retained for the statutory period noted above.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Rectification: correct inaccurate personal data
  • Erasure: request deletion of your personal data (subject to legal retention requirements)
  • Portability: receive your data in a machine-readable format
  • Objection: object to processing based on legitimate interests
  • Restriction: request that we restrict processing of your data in certain circumstances

To exercise any of these rights, email us at privacy@poadefender.com. We will respond within 30 days.

8. GDPR (European Economic Area and UK)

If you are located in the EEA or UK, our lawful basis for processing your data is:

  • Contract performance — processing necessary to provide the Service you have subscribed to
  • Legitimate interests — fraud prevention, security, and improving the Service
  • Legal obligation — retaining payment records as required by law

You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.

9. CCPA (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information.

We do not sell personal information. To exercise your CCPA rights, contact us at privacy@poadefender.com.

10. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • All data transmitted over HTTPS/TLS
  • Database encrypted at rest (Supabase managed encryption)
  • Row-level security policies prevent cross-account data access
  • Payment card data never touches our servers — processed entirely by Paystack
  • Service role database key (bypasses RLS) used only in server-side API routes, never exposed to the client

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to security@poadefender.com.

11. Children

The Service is not directed at or intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice in the Service. The updated policy will be effective from the date noted at the top of the page.

13. Contact

For any privacy questions or to exercise your rights:

POA Defender

Email: privacy@poadefender.com