Privacy Policy

Last updated: May 8, 2026

1. Who We Are

mySecond, LLC (“mySecond,” “we,” “us”) is a Delaware limited liability company operating mysecond.ai and the mySecond product. We are the data controller for the personal data described below. For privacy questions, requests, or complaints, email privacy@mysecond.ai.

2. Data We Store

mySecond stores the following data in Supabase to power your PM operating system:

  • Account data — email, password hash (Supabase auth), authentication providers
  • Context files — company.md, product.md, personas.md, competitors.md, goals.md and any custom files you create
  • Agent outputs — results from automated agent runs (competitive intel, growth analysis, customer insights)
  • Suggestions — proposed file edits submitted by PMs, including diff content and review status
  • Team membership — team name, member roles (admin, head of product, PM), and invitation status
  • Audit logs — including a record of every deletion request fulfilled, to demonstrate compliance

3. Legal Basis for Processing (EU/UK)

If you are in the EU, UK, or EEA, we process your personal data on the following lawful bases under GDPR Article 6:

  • Contract — account data, billing data, and product data are processed to deliver the service you signed up for
  • Legitimate interest — analytics and product improvement, balanced against your privacy and limited to non-essential data only
  • Consent — non-essential cookies and marketing communications; you can withdraw consent at any time
  • Legal obligation — retention of billing records and deletion audit logs to comply with tax and data-protection law

4. Billing Data

Payment processing is handled entirely by Stripe. We never store your credit card number, CVV, or full card details on our servers.

We store your subscription state (plan type, billing status, trial dates) to control access to features. You can manage your billing details directly through the Stripe customer portal.

5. Context Sync

The sync-context.js script transfers context file content and content hashes between your local machine and the mySecond API. This allows Claude Code to access the latest approved context files.

Sync uses authenticated API calls with your team API key. File content is transmitted over HTTPS. A local sync state file tracks which files have changed to minimize unnecessary transfers.

6. AI Processing

Agent chat messages are sent to the Anthropic API(Claude) for processing. Per Anthropic's API terms, messages sent through the API are not used to train models. Anthropic retains API inputs and outputs only briefly for abuse monitoring (typically up to 30 days, longer for content flagged for safety review), after which they are deleted.

During onboarding, we may fetch publicly available content from URLs you provide to extract company and product context. This content is processed through Claude and saved as context files with your approval.

We do not use AI to make automated decisions about you that produce legal or similarly significant effects, within the meaning of GDPR Article 22.

7. Analytics and Cookies

We use PostHog to track product usage events such as tab views, file edits, and feature engagement. This data helps us understand how the product is used and where to improve. No message content or file content is included in analytics events.

Where required by law (including the EU, UK, and EEA), we will request your consent before setting non-essential cookies. You can accept, reject, or change your preferences at any time via the cookie banner. Essential cookies needed to operate the service (e.g., authentication session) are always set.

8. Subprocessors

We share personal data with the following subprocessors so they can provide services on our behalf. Where the subprocessor offers a data-processing agreement (DPA) for the services we use, we sign or accept it; we periodically review subprocessor commitments to confirm adequate confidentiality and security measures consistent with GDPR Article 28.

  • Supabase (United States) — database, authentication, and file storage
  • Vercel (United States) — application hosting and edge delivery
  • GitHub (United States) — source-control and package hosting for the Claude Code plugin; stores synced context files and the access tokens used to deliver them to connected teams
  • Railway (United States) — background worker infrastructure for plugin generation
  • Stripe (United States) — payment processing and subscription billing
  • Anthropic (United States) — AI model inference (Claude); not used for model training
  • PostHog (United States) — product analytics
  • Sentry (United States) — application error monitoring and diagnostics
  • Kit (formerly ConvertKit, United States) — transactional and marketing email
  • Resend (United States) — transactional email delivery

For team accounts, the customer (your employer) is the data controller for personal data about its team members; mySecond acts as a data processor under the customer agreement. We will update this subprocessor list and notify active customers of material changes in advance where reasonably possible.

9. International Data Transfers

All of our subprocessors process data in the United States. Where you are located outside the United States, your personal data is transferred to the US to be processed. Where the subprocessor's DPA incorporates them, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum (or UK IDTA) to ensure your data receives equivalent protection.

10. Your Rights

If you are in the EU, UK, EEA, California, or another jurisdiction with similar data-protection law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectify — correct inaccurate personal data
  • Erase (“right to be forgotten”) — request deletion of your personal data
  • Restrict or object — limit how we process your data, or object to certain processing
  • Portability — receive a copy of your data in a machine-readable format
  • Withdraw consent — for any processing based on consent (such as analytics cookies or marketing email)
  • Complain — lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@mysecond.ai. We will respond without undue delay and within 30 days of receiving your request, as required by GDPR Article 12.

11. Data Retention

Your data persists for as long as your account is active. If you cancel your subscription, your data is retained for a period afterward so you can reactivate, after which it becomes eligible for deletion.

When you request deletion, we remove your personal data from our systems and instruct our subprocessors to delete or anonymize it, within a reasonable period and as required by applicable law. Some subprocessors complete deletion on their own schedules. A limited set of records is retained where the law requires it (GDPR Article 5(2) accountability and applicable tax and accounting law), with identifying personal data anonymized:

  • Billing records — retained 7 years for tax and accounting compliance
  • Deletion audit log — retained indefinitely as proof we honored the deletion request; identifying fields are anonymized
  • Security event logs — retained up to 12 months for security and abuse-monitoring

12. Notice to California Residents

If you are a California resident, the CCPA and CPRA give you specific rights. The categories of personal information we collect are described in Section 2 (Data We Store); we collect this information for the business purposes described throughout this policy.

We do not sell or share your personal information for cross-context behavioral advertising, as “sell” and “share” are defined under the CCPA/CPRA. We do not process “sensitive personal information” for purposes beyond those exempt under CCPA §1798.121.

You may exercise your CCPA/CPRA rights (access, deletion, correction, opt-out of sale/sharing, limit use of sensitive personal information, non-discrimination) by emailing privacy@mysecond.ai. We do not discriminate against users who exercise these rights.

13. Security

  • All data transmitted over HTTPS
  • Customer data is encrypted at rest by our database provider
  • Row-Level Security (RLS) used to isolate tenant data so each team can only access its own data
  • API key authentication for the sync script
  • Supabase authentication with secure session management
  • Service-role keys for privileged operations are stored as encrypted environment variables and never shipped to the client

In the event of a personal-data breach, we will notify the relevant supervisory authority and affected users as required by applicable law (including, where GDPR applies, without undue delay in accordance with Articles 33 and 34).

14. Children

mySecond is a B2B product for product management teams and is not directed to individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has provided us personal data, email us and we will delete it.

15. Changes to This Policy

We may update this policy from time to time. We will revise the “Last updated” date at the top, and for material changes we will notify active customers by email.

16. Contact

For questions about this privacy policy, to exercise your data rights, or to request data deletion, contact privacy@mysecond.ai.