Interbang Privacy Policy
Effective date: 2026-06-13 Last updated: 2026-06-17
Interbang (the "Service") takes your personal information seriously. This Privacy Policy explains what we collect, how we use it, how long we keep it, and what rights you have over it.
This policy is updated as features and policies change. We will announce material changes separately.
1. Information we collect
1.1 At sign-up and sign-in (Google OAuth)
- Email address (required)
- Name and profile picture (public fields on your Google account)
- Google account identifier (sub)
1.2 What you enter while using the Service
- UT metadata — title, background, hypotheses, recruitment criteria
- Scenario and task guides
- Session information — participant name (alias allowed), age range, gender, occupation, background
- Session notes, observations, and insights
- Audio recordings — session recordings you upload yourself
- MCP Personal Access Tokens used for external LLM integration
1.3 At payment
- We do not store your card information; Paddle, our Merchant of Record, handles it in its own environment, which follows international payment security standards.
- We only retain payment identifiers, amounts, and timestamps.
1.4 Automatically collected information
- Cookies and browser storage — for keeping you signed in, remembering language preference, and persisting UI state
- Access logs — IP address, time of access, and similar fields are recorded at the infrastructure layer by our subprocessors (Vercel, Supabase). We do not keep separate copies.
- Error monitoring — when an error occurs, page and browser context is sent to our subprocessor (Sentry). Sensitive fields such as auth tokens and emails are masked before transmission.
- Product usage analytics — behavioral data such as page views and use of key features is sent to our subprocessor (PostHog). This is for anonymized, aggregate analysis to improve the Service; it uses browser storage only (no cookies). User content such as notes and transcripts, and share-link tokens, are never sent.
2. How we use the information
We use the collected information only for the following purposes:
- Providing the Service — account authentication, storing and displaying UT data, audio transcription (STT), generating quantitative reports, round comparisons, and external sharing
- Processing payments — credit top-ups, deductions, refunds, and receipt retention (legal requirement)
- Customer support — answering inquiries and responding to incidents
- Improving the Service — analyzing anonymized, aggregated usage patterns
- Meeting legal obligations — tax reporting, dispute response, and similar
We do not use the information for any other purpose, and we do not share it with third parties without separate consent.
3. Subprocessors
We delegate certain processing tasks to the subprocessors below. Each subprocessor handles information under its own terms and security standards.
| Subprocessor | Task | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account info, UT data, audio files | Seoul, South Korea |
| Vercel | Web hosting, CDN, serverless functions | Access logs, request data | United States |
| Paddle | Payment processing | Card details, payment amount and timestamp, email | United Kingdom |
| OpenAI | Audio-to-transcript (Whisper API) | Uploaded audio files, transcripts | United States |
| Social sign-in (OAuth) | Email, name, profile picture | United States (distributed across global data centers) | |
| Sentry | Error monitoring | Error context (personal data is masked) | United States |
| PostHog | Product usage analytics | Page-view and feature-use events, anonymous identifier | Germany (EU) |
We will update this policy whenever the list of subprocessors changes.
4. Retention period
| Item | Retention |
|---|---|
| Account info, UTs, sessions, notes, transcripts | When you request account deletion, your account is immediately deactivated and permanently deleted after a 30-day grace period. You can request recovery within the grace period. Data you delete directly from the Service (individual UTs, sessions, etc.) is removed immediately. |
| Audio recordings | Sent to OpenAI for transcription. Removed from storage immediately when you delete the corresponding session or transcript. |
| Payment receipts | Retained for 5 years under the Korean Act on the Consumer Protection in Electronic Commerce. Paddle holds these as the Merchant of Record; the Service stores only payment identifiers, amounts, and timestamps, and these are deleted along with your account. |
| Access logs | Retained according to our subprocessors' (Vercel, Supabase) own log policies. The Service does not maintain a separate log store. |
| Error logs | Retained according to Sentry's data retention policy. |
5. Your rights
You have the following rights:
- Access: Your account data is visible in the Service.
- Correction: UTs, sessions, notes, participant info, and similar items can be edited directly.
- Deletion: You can delete individual data from the Service, and you can request full account deletion at Settings > Delete account.
- Processing restriction and consent withdrawal: Email us and we will respond within 7 business days.
- Data export: You can download reports and session data as Markdown / JSON directly from the Service.
For identity verification, we respond to the email address registered on your account.
6. Marketing communications
At sign-up we separately ask for your consent to receive marketing communications (optional). Marketing communications include product updates, promotions, newsletters, and usage tips.
Under Article 50 of the Korean Act on Promotion of Information and Communications Network Utilization, marketing communications are only sent to users who have given prior consent.
You can withdraw your consent at any time. Withdrawal can be done immediately via the toggle on Settings > Account, and any sent emails will include an unsubscribe link in the footer. For any further questions, please contact support@interbang.app.
7. External sharing and integration
7.1 Share links
The Service offers share links so you can share UT, session, and round-comparison results with external viewers.
- Share links use UUID v4 tokens, which cannot be guessed.
- Shared views are automatically anonymized — participant names are replaced with aliases (P1, P2, …).
- You can deactivate a share link at any time; external access is blocked immediately.
- If a share link is leaked, you are responsible for deactivating it.
7.2 External AI tools (MCP)
With an MCP Personal Access Token that you issue yourself, external AI tools such as Claude can read data from the Service. Data is sent to the external tool only when you explicitly invoke it; the Service does not push user data to external LLMs automatically. You are responsible for managing and revoking issued tokens.
8. Cookies and browser storage
The Service uses the following cookies and browser storage:
| Item | Purpose | Retention |
|---|---|---|
| Supabase Auth cookie | Keeps you signed in | Until sign-out or automatic token expiry (about 1 week) |
| Language preference cookie | Remembers your KO/EN preference | 1 year |
| Browser storage (localStorage) | Stores UI state — session panel width, guide expand/collapse, visited flag, and similar (not personal information) | Until you clear browser data manually |
| Analytics storage (localStorage) | Holds the anonymous identifier for product analytics (PostHog) — no cookies are used | Until you clear browser data manually |
Blocking cookies or browser storage may limit some features such as staying signed in and restoring UI state.
9. Security safeguards
- Encryption in transit: All communications run over HTTPS (TLS).
- Encryption at rest: Databases and storage use the default at-rest encryption provided by subprocessors.
- Access control: Row-level security ensures users only access their own data.
- Sensitive data masking: Auth tokens and emails are masked before being sent to error monitoring.
- Payment information: We do not store card information; it is handled by Paddle, our Merchant of Record, which follows international payment security standards.
10. Children under 14
Under Article 31 of the Korean Act on Promotion of Information and Communications Network Utilization, collecting and using personal information of children under 14 requires the consent of a legal guardian. The Service is not intended for children under 14, and only users who are at least 14 may sign up. If a user is found to be under 14 after sign-up, the Operator will delete the account and related data immediately.
11. Privacy contact
| Field | Information |
|---|---|
| Responsible party | Interbang team |
| support@interbang.app |
Please send any requests, questions, or reports to the email above. We will respond within 7 business days.
12. Revision history
- 2026-06-13 Initial release
- 2026-06-17 Added product usage analytics (PostHog) — new entries under automatically collected information, subprocessors, and browser storage