Privacy Policy
Last updated: May 22, 2026
InnerFrame (InnerFrame LLC, "we," "us," "our") respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have.
This policy applies to your use of the InnerFrame website, web application, and mobile application (together, the "Service"). By using the Service, you agree to the practices described here.
1. Who we are
InnerFrame is operated by InnerFrame LLC, a limited liability company organized under the laws of Utah, USA. Our registered address is 1669 Hayfield Dr., West Haven, Utah 84401. You can contact us about privacy questions at innerframetests@gmail.com.
2. What we collect
The data we collect falls into a few categories.
Account information
- Email address
- Name (display name)
- Password hash (managed by Supabase Auth; we never store your plaintext password)
- Account creation date and last sign-in time
Assessment data
- Your answers to the 27 InnerFrame assessment questions
- The words you select from the word-picker step
- Any tie-breaker answers you provide
- Your computed 7-letter frame code, flexibility score, and axis calculations
Connections and AI insights
- The connections you add (display name, frame code, relationship type, your private notes)
- AI-generated insight content about your connections
- Pending and accepted/declined invites you send or receive
Frame Bot conversations
- Messages you send and the AI replies you receive
- Metadata about each call (model used, token counts, latency) for cost and abuse monitoring
Payment information
Payments are processed by Stripe. We store only Stripe customer and subscription identifiers and your subscription status. We never see, store, or have access to your card details — those go directly from your browser to Stripe.
Technical information
- IP address (used for rate limiting on the assessment endpoint; retained briefly in an audit log)
- Browser type and device type (logged by our hosting provider in standard server logs)
- Session cookies (Supabase Auth) — essential for keeping you signed in
We do not use tracking cookies, advertising cookies, or third-party analytics that profile your behavior across sites.
3. How we use your data
- To provide the Service: compute your frame profile, save your connections, run Frame Bot, generate AI insights about your relationships.
- To process payments and manage your subscription: via Stripe.
- To send transactional emails: invitation emails, password resets, account notifications. We don't send marketing email without your explicit consent.
- To improve the Service: aggregate usage statistics, debugging and error monitoring. We don't profile individual users.
- To prevent abuse: rate limiting, spam prevention, fraud detection.
- To comply with legal obligations: respond to lawful requests from authorities, retain financial records where required.
4. Who we share it with
We share your data with the following service providers (called "subprocessors"), each of whom is contractually required to handle your data securely and only for the purposes we direct.
- Supabase — database, authentication, and file storage. Hosts your account, assessments, connections, and chat history. (Hosted in the United States.)
- Vercel — web hosting and serverless function execution. Serves the InnerFrame website. (Hosted globally with edge caching.)
- Stripe — payment processing and subscription management. Handles all credit-card data. (Hosted in the United States.)
- OpenAI — generates AI insights and Frame Bot replies. Receives your assessment answers, frame codes, and chat messages as part of the prompt. (Hosted in the United States.) OpenAI does not use our API data to train its models per its API data-usage policy.
- Resend — transactional email delivery. Receives recipient email addresses and message bodies. (Hosted in the United States.)
We do not sell your personal information to anyone. We do not share your data with advertisers.
5. Where your data is stored
Our subprocessors store data primarily in the United States. If you are located outside the US, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) with subprocessors who handle EU/UK personal data.
6. How long we keep your data
- Active accounts: we keep your data for as long as your account is active.
- Deleted accounts: when you delete your account (via /account → Delete my account), we immediately delete your profile, connections, chat history, and AI insights. Financial records (one-time purchases, subscription history) are kept in anonymized form for up to 7 years per US tax law and Stripe's data-retention requirements.
- Rate-limit logs: IP-based audit rows are pruned within 24 hours.
- OpenAI usage logs: token counts and timestamps are kept while your account is active for cost monitoring and abuse detection.
7. Your rights
Depending on where you live, you have the following rights over your personal data:
- Access: you can download every row of data we have on you in machine-readable JSON. Go to /account → Download my data.
- Correction: edit your display name on /account. Change your email via /account (Supabase confirms with both old and new addresses).
- Deletion: delete your account at any time via /account → Delete my account. Deletion is immediate and irreversible.
- Portability: the export above is in JSON — a standard machine-readable format you can import into other services.
- Object / restrict processing: contact us at the address above.
- Complain to a regulator: if you're in the EU/UK, you can lodge a complaint with your local data-protection authority. In California, you can contact the California Privacy Protection Agency.
We respond to verifiable requests within 30 days. We may need to verify your identity (typically by confirming control of your account email) before acting on a request.
8. Cookies
We use a single essential cookie set by Supabase Auth to keep you signed in. This cookie is HttpOnly (not readable by JavaScript), Secure (HTTPS only), and scoped to our domain. It expires when your session ends.
We do not use advertising cookies, tracking pixels, or third-party analytics scripts.
9. Security
We protect your data with industry-standard measures, including:
- HTTPS encryption in transit for every connection
- Row Level Security in our database — every table enforces ownership at the database layer, not just the application layer
- Sensitive fields (subscription, billing identifiers) are server-protected and cannot be modified from the client UI
- Secret keys (Stripe, OpenAI, Resend) are stored server-side only and never bundled into the mobile or web client
- Stripe webhook signatures verified on every callback
- Regular dependency security audits and code reviews
No system is perfectly secure. If a breach affecting your data ever occurs, we will notify affected users without undue delay, as required by applicable law.
10. Changes to this policy
We may update this Privacy Policy as the Service evolves or as the law changes. When we make a meaningful change, we'll update the "Last updated" date above and, for significant changes, notify you via email or in-app banner. Continued use of the Service after a change indicates acceptance.
11. Contact us
Privacy questions, requests, or complaints, and general support: innerframetests@gmail.com.