Privacy Policy

Who we are

Tankit is the data controller for everything described here. Reach us at support.tankit@gmail.com.

What we collect

Only what we need to run the show:

• Account basics — your email, first name, last name. From Google sign-in we also receive your Google account ID and the profile picture URL Google supplies.
• Technical signals— IP address and user-agent string, captured via Vercel's edge for abuse prevention and analytics.
• Session content— what you typed or said into Cram and Classic (your pitch text, anchor picks, multiple-choice answers, generated coaching reports). Voice input is transcribed to text; we don't store the raw audio.
• Payment metadata — PayPal subscription IDs, order IDs, capture status, country of payer (when PayPal supplies it). We never see your card number. PayPal handles all of that.
• Product analytics — page views, click events, score outcomes, anonymized at the Vercel Analytics layer.

Why we collect it

• Provide the service — your sessions, your scores, your coaching reports, your subscription status.
• Maintain your account — sign in, recover access, enforce one account per person.
• Process payments — start your subscription, capture one-time orders, handle renewals and cancellations through PayPal.
• Fraud prevention — block obvious abuse, throttle runaway usage, keep the LLM bill out of the danger zone.
• Make it better — anonymized analytics so we know which screens earn their keep.

Where it lives

We use a small number of US-based service providers. Your data crosses the Atlantic; here's the trail:

• Supabase (US infrastructure) — primary database and authentication. This is where your account, sessions, scores, and payment metadata are stored.
• Anthropic API(US) — your Classic pitch text and Cram answers are sent to Claude for the AI grilling and coaching report. Anthropic does not retain inputs or outputs from API calls on the default plan we're on.
• PayPal — handles billing under their own retention rules. We never receive your card number.
• Vercel (US) — hosts the app and runs Vercel Analytics.

For EU and UK users: we rely on Standard Contractual Clauses or each provider's equivalent transfer mechanism for cross-border flows.

How long we keep it

• Account + session data — kept indefinitely while your account is active. If you ask us to delete, we delete within 30 days (subject to legal retention exceptions below).
• Payment records — 7 years, because tax authorities ask for them.
• Server access logs— Vercel's default retention, typically 30 days or less.

Your rights

If you're in the EU/EEA (under GDPR), you have the right to: access your data, rectify inaccurate data, request erasure, data portability, restrict processing, withdraw consent, and lodge a complaint with your national supervisory authority.

Local data-protection laws may give you broadly similar rights — access, correction, deletion, withdrawing consent, and complaining to your data-protection authority.

To exercise any of these, email support.tankit@gmail.com from the address on your account. We'll reply within 30 days.

Cookies

We use one auth cookie. No tracking cookies, no advertising cookies. The full breakdown lives at /legal/cookies.

Children

Tankit is not for children. If you're under 16 (or under 13 in the US), you can't use the service. If you believe a child has given us their data, email us and we'll delete it.

Third-party processors

Each of these has their own privacy policy — we only send them what we need to:

• Supabase — supabase.com/privacy
• Anthropic — anthropic.com/legal/privacy
• PayPal — paypal.com/legalhub/privacy-full
• Vercel — vercel.com/legal/privacy-policy

Changes

If we change this in a way that materially affects you, we'll email subscribers at least 30 days before the change takes effect. Minor edits — typos, clarifications — go live without notice, but the “Last updated” stamp at the top always reflects the latest revision.

Contact

Data subject requests, deletion requests, anything you want to ask about your data — email support.tankit@gmail.com. We read every one.