Privacy Policy

Last updated: 2026-04-25

We collect the minimum data needed to run PowerLab and don't sell it. This policy explains what we collect, why, who processes it, and how to delete it. For questions: privacy@marinepowerlab.com.

1. What we collect

Account data: email address, hashed password (we never see the plaintext), display name if you set one, subscription tier.

Project data: the projects, loads, components, scenarios, and quotes you create. This stays in your account unless you opt to make a project public via a share link.

Billing data: Stripe customer ID and last-4 of card. Full card numbers and bank info live with Stripe — we never touch them.

Usage: page views, feature interactions, error reports. We self-host this in Supabase rather than sending to a third-party analytics service.

Co-Pilot conversations: stored in your account so you can resume a thread. Deletable at any time from the project Co-Pilot tab.

2. What we don't collect

  • Location data beyond the city/region you optionally set on a project.
  • Phone numbers (unless you set one in your installer profile).
  • Health, biometric, or other sensitive personal data.
  • Tracking cookies for ad networks.

3. Cookies

We use one strictly-necessary cookie to keep you logged in (Supabase Auth session). We don't use third-party tracking cookies. Marketing UTMs in URLs are stored briefly to attribute the source of paid signups, then forgotten.

4. Who processes your data

  • Supabase — database, auth, file storage. EU/US regions.
  • Vercel — web hosting and edge runtime. Global edges.
  • Stripe — payments. PCI DSS Level 1.
  • Anthropic — Claude API powers Co-Pilot. Inputs/outputs may be retained briefly per their policies. Don't send confidential data to Co-Pilot.
  • Kit (ConvertKit) — email newsletter and onboarding emails. Only your email address is sent.
  • Upstash — Redis for rate limiting. No personal data, just hashed request signatures.
  • SiteGround — hosts marinepowerlab.com (the marketing site). Doesn't see PowerLab account data.

5. How long we keep it

Active accounts: indefinitely while you use the service. Deleted accounts: project data is retained for 30 days for accidental-deletion recovery, then permanently removed. Billing records: 7 years for tax compliance. Email unsubscribe tokens: indefinitely (we need them to honor unsubscribes).

6. Your rights

Access: download all your project data from the billing page. Correction: edit profile + project data directly in the app. Deletion: delete your account from the billing page; this permanently removes everything within 30 days. Portability: projects export as JSON via the API. Objection: opt out of marketing emails via the unsubscribe link in any email; transactional emails (billing, password reset) cannot be opted out while the account is active.

EU/UK residents: you have GDPR/UK-GDPR rights (lawful basis for our processing is contract performance). Canadian residents: PIPEDA applies. California: CCPA/CPRA applies and we don't sell personal information.

7. Children

PowerLab isn't directed at children under 13 and we don't knowingly collect their data.

8. Security

Data in transit: TLS 1.3. Data at rest: AES-256 in Supabase. Passwords: bcrypt (handled by Supabase Auth). Row-level security: every table that contains user data has RLS policies limiting access to the owning user. We perform regular advisor scans for security and performance regressions.

9. Public projects & the installer directory

If you publish a project via a share link or list yourself in the public installer directory, the data on those pages is intentionally public. Don't put anything you wouldn't want indexed by Google there.

10. Changes

We'll post material changes here and email account holders at least 30 days before they take effect.

11. Contact

privacy@marinepowerlab.com — for any privacy question, request, or complaint.