Privacy Policy

Last Updated: May 19, 2026

1. Introduction

Supergroup ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and related services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

Information you provide:

• Account information, including your email address and display name
• Messages, attachments, and other content you send through the Service
• Reports you submit about another user, including the reported message content and the reason you provide
• Block lists indicating users you have chosen to block
• Invitations you send, including the email addresses of people you invite
• Waitlist signup information (email address)
• Communications with us, such as support requests or feedback

Information collected automatically:

• Device information, including device type, operating system, and unique device identifiers
• Usage data, such as conversations you participate in, read markers, and feature usage
• Log data, including IP address, browser type, and access times
• Push notification tokens for delivering notifications to your devices

Information from services you connect:

• If you choose to connect a calendar account, such as Google Calendar, we receive your free/busy availability from that calendar and the email address associated with the connected account. Connecting a calendar is optional — see Section 7 for details.

3. How We Use Your Information

We use the information we collect to:

• Operate, maintain, and improve the Service
• Deliver messages and notifications to you and other users
• Generate AI-powered replies, AI-generated images, and AI-assisted web search results when you use those features (see Section 4)
• Generate link previews for URLs shared in conversations (see Section 5)
• Review reports of user behavior and take appropriate moderation action (see Section 6)
• Suggest meeting times and create calendar events when you use the scheduler feature with a connected calendar account (see Section 7)
• Process invitations and the credit system that rewards inviters
• Process waitlist signups and contact you about product availability
• Respond to your inquiries and provide customer support
• Monitor and analyze usage trends to improve the user experience
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations

4. AI Features

The Service includes AI-powered features such as conversational replies, image generation, and assisted web search. When you use these features, the relevant content of your messages or queries is transmitted to our AI provider, Amazon Web Services (AWS) Bedrock, for processing. Per the AWS Bedrock terms of service, AWS does not retain this data or use it to train its models. AI-generated responses and images are returned to the conversation in which you invoked the feature.

5. Link Previews

When you or another user shares a URL in a conversation, our servers fetch the destination page to generate a preview (title, description, and thumbnail image). The destination website sees a request from our servers, not from your device, so your IP address is not exposed to the linked site as a result of preview generation.

6. User Reports and Moderation

When you report another user, the report (including the reported message and your stated reason) is delivered to our internal moderation channel, which is hosted by Slack Technologies, Inc. on our behalf. Our moderation team reviews each report and may take action up to and including suspending the reported account. Block lists are stored on our servers and are visible only to you.

7. Connected Calendar Accounts

The Service includes an optional scheduler feature that helps people in a conversation find a time to meet. To improve its suggestions, you may choose to connect a calendar account, such as Google Calendar. Connecting a calendar is entirely optional: the scheduler works without it, and you can disconnect at any time from Settings → Connected Accounts.

When you connect a Google Calendar account, you grant Supergroup permission to:

• Read your free/busy availability — the times you are busy, not the titles, attendees, locations, or other details of those events — so the scheduler can propose times that work for everyone.
• Create calendar events on your primary calendar when a meeting time is agreed in a conversation, with the other participants added as attendees.

To provide this feature, we store the OAuth access and refresh tokens that Google issues when you connect. These tokens are encrypted at rest, and we use them only to read your free/busy availability and to create events you have agreed to within the Service. We do not read the contents of your calendar beyond free/busy availability. When you disconnect a calendar account, we revoke the tokens with the provider and delete them from our systems.

Supergroup's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google Calendar data for advertising, we do not sell it, and we do not transfer it to third parties except as needed to provide the scheduler feature, comply with applicable law, or protect against security threats.

8. How We Share Your Information

We do not sell your personal information to third parties. We share your information in the following circumstances:

• With other users: Messages and content you send are visible to the members of the conversations in which they are sent.
• Service providers and processors: We rely on the following third-party providers to operate the Service. Each is bound by contractual obligations to protect your information:
  • Amazon Web Services (AWS): hosting, database, file and image storage (Amazon S3), and AI processing (Amazon Bedrock).
  • Amazon Simple Email Service (SES): delivery of transactional emails, including magic-link sign-in emails.
  • Apple Push Notification service (APNs): delivery of push notifications to your iOS devices.
  • Slack Technologies, Inc.: delivery of user moderation reports to our internal moderation channel.
  • Google LLC: if, and only if, you connect a Google Calendar account, we exchange OAuth tokens with Google and send calendar event details (title, time, and attendee email addresses) to Google Calendar when a meeting is scheduled.
• Legal requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request.
• Safety: We may disclose information to protect the rights, property, or safety of Supergroup, our users, or others.

9. Data Storage and Security

Your data is stored on Amazon Web Services (AWS) infrastructure in the United States. We implement appropriate technical and organizational measures to protect your information, including encryption at rest and TLS encryption for all data in transit. Credentials for connected calendar accounts are additionally encrypted before storage. However, no method of transmission over the Internet or electronic storage is 100% secure.

10. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Credentials for a connected calendar account are retained only until you disconnect that account, after which they are revoked and deleted. If you request deletion of your account, we will delete your personal data within 30 days. Some data may be retained in encrypted backups for up to 90 days. We may retain anonymized or aggregated data indefinitely for analytical purposes.

11. Your Rights and Choices

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Request that we correct inaccurate or incomplete data
• Deletion: Request that we delete your personal data
• Portability: Request a copy of your data in a structured, machine-readable format
• Objection: Object to certain processing of your personal data

To exercise any of these rights, please contact us at hey@supergroup.chat.

12. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

13. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

14. International Data Transfers

Your information may be transferred to and processed in countries other than your own. By using the Service, you consent to the transfer of your information to the United States, where our servers are located.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on the Service and updating the "Last Updated" date. We encourage you to review this policy periodically.

16. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at hey@supergroup.chat.