Privacy Policy

Pinkdragon Technologies Pvt. Ltd (undoBase.io). ("we," "us," or "our") operates Undobase.io (https://www.undobase.io), a service that helps teams edit Supabase data with audit logs and undo.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights. If you use the Service on behalf of an organization, you represent that you have authority to accept this policy for that organization.

The data controller for personal data described in this policy is Pinkdragon Technologies Pvt. Ltd (undoBase.io).. Contact: hello@undobase.io.

Account data: email address, authentication identifiers from Supabase Auth, profile information you provide (such as display name), and workspace membership roles.

Usage data: actions you take in the Service (such as edits, undo, project connections), IP address, browser type, and timestamps — including data stored in our change log (table name, operation, before/after values, change notes, and related metadata).

Analytics data (production only): when Google Analytics is enabled, we collect page views, referral information, and general device/browser characteristics (and approximate location derived from IP) through GA4 to understand how the site and product are used. We do not use GA4 for third-party advertising.

Connection data: Supabase project URLs and encrypted secret API keys you submit when connecting a project. Keys are encrypted at rest (AES-256-GCM) and are not exposed to the browser.

Billing data (when enabled): payment-related information processed by our payment provider; we do not store full payment card numbers on our servers.

Communications: messages you send to support or signup for product updates.

When you edit rows in a connected Supabase project, we process the row data necessary to perform your requests. That data resides in your Supabase instance; we access it temporarily to display and modify it per your instructions.

Change history we store may include field-level before and after values from your tables. You control which projects are connected and who has access via workspace roles.

We use personal data to: provide and secure the Service; authenticate users; enforce plan limits when billing is enabled; maintain audit logs and undo; improve reliability; communicate about the Service; comply with law; and prevent abuse.

We do not sell your personal data. We do not use your data for third-party advertising.

Where GDPR applies, we rely on: (a) contract — to provide the Service you requested; (b) legitimate interests — security, fraud prevention, product improvement, and aggregate usage analytics (including GA4 in production), balanced against your rights; (c) consent — where required (e.g. optional marketing emails); (d) legal obligation — where we must retain or disclose data.

We share data with service providers who process it on our behalf under contractual safeguards, including:

Supabase — authentication and application database hosting (account, workspace, project metadata, change logs, encrypted credentials).

Cloud hosting provider — application infrastructure (e.g. application servers and deployment platform).

Stripe — payment processing when paid billing is enabled.

Google Analytics — website usage analytics in production (page views and related technical data processed by Google as our analytics provider).

We may disclose data if required by law, to protect rights and safety, or in connection with a merger or acquisition with notice where appropriate.

We retain account and workspace data while your account is active and for a reasonable period afterward unless law requires longer retention.

Audit log retention depends on your plan and preferences; older entries may be pruned automatically. You can configure retention settings where the product provides them.

Encrypted project credentials are deleted when you disconnect a project or delete your account, subject to backup retention cycles.

We use technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS), encryption at rest for secret API keys, access controls, and audit logging. No method of transmission or storage is 100% secure.

We may process data in the United States and other countries where our providers operate. Where required, we use appropriate safeguards such as standard contractual clauses for transfers from the EEA/UK.

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. You may withdraw consent where processing is consent-based.

To exercise rights, contact hello@undobase.io. You may lodge a complaint with your local supervisory authority.

California residents may have additional rights under the CCPA/CPRA, including knowing what we collect and requesting deletion, subject to exceptions.

The Service is not directed to children under 18. We do not knowingly collect personal data from children.

We may update this Privacy Policy. We will post the revised version at https://www.undobase.io/privacy and update the "Last updated" date. Material changes may be communicated by email or in-product notice.

Privacy questions and requests: hello@undobase.io.