Privacy Policy
Cullen ("we", "us") is a Singapore-based business. This policy explains what we collect when you use the Cullen extension and trycullen.com, why we collect it, who processes it for us, and the choices you have. The short version: we collect what the product needs to work, we never see your card details, and we do not sell personal data.
1. What we collect
- Account data. Your email address, and your name if you sign in with Google. Sign-in with an email code shares only the email.
- Onboarding answers. The setup questionnaire (your niche, goals, on-camera preferences, voice, and boundaries) is stored against your account and composed into the brand file that personalizes your analyses. You can edit that brand file at any time in the panel settings.
- Captured public content. When you scan a profile, the extension sends the public data it read in your browser (posts, captions, engagement numbers, and public comments, including the public usernames of commenters) to our backend, attributed to your account so your scans work across devices.
- Usage and billing records. Analyses you run, credits granted and spent, and subscription state. Payment itself is handled by Paddle; we receive transaction metadata (what was bought, when, and a customer reference) and never your card number.
- Support email. If you write to us, we keep the correspondence.
We do not collect your Instagram, TikTok, or YouTube passwords, and the extension does not read your private messages, your feed, or pages you did not point it at.
2. How we use it
- To run the product: rank posts, produce analyses, remember your scans, meter credits, and gate paid features.
- To personalize: your onboarding answers shape the analysis and scripts Cullen writes for you.
- To keep the service honest: entitlement checks, rate limits, and abuse prevention.
- To improve Cullen, using aggregate patterns rather than your identity.
Captured public content also feeds Cullen's shared understanding of what performs: engagement records and public comments from pages that were scanned may be analyzed once and reused, so the same public post is not re-billed to every user who studies it. This shared record is about the public post, not about you, and does not include your identity.
3. Who processes data for us
- Supabase — database, authentication, and file storage for everything described above.
- A major cloud AI provider — analyzes captured public content (video, captions, comments) when you run a paid analysis, under terms that do not permit training on it.
- Paddle — Merchant of Record for payments, taxes, and invoices.
- Resend — sends sign-in codes and account email.
- Cloudflare — hosts this website.
Each processor receives only what its job needs. We do not sell or rent personal data to anyone, and there is no third-party advertising or tracking on our pages.
4. Retention and deletion
Account data is kept while your account exists. If you ask us to delete your account, we delete your profile, onboarding answers, brand file, credit history, and the links between you and everything you scanned. Records of public posts and public comments that are not tied to your identity may persist in the shared corpus described in section 2. Commenters who want a specific public comment removed from our records can write to us and we will remove it.
5. Your rights
You can ask us at any time to show you the personal data we hold about you, correct it, or delete it, consistent with Singapore's PDPA and, where it applies to you, the GDPR and similar laws. Email [email protected] from your account email and we will act on it promptly.
6. Cookies and local storage
We use storage for exactly one thing: keeping you signed in (your Supabase session in this site's local storage, and in the extension's own storage). No analytics cookies, no ad trackers.
7. Security
Data lives in Supabase behind row-level security, so an account can only read its own records; paid state and credit records can only be written by our backend, never by a client. Secrets and API keys are never shipped in the extension or this website. No system is perfectly secure, but if a breach ever affects your data we will tell you.
8. Changes
If this policy changes in a way that matters, we will post the new version here with a new effective date and email account holders about significant changes.
9. Contact
Privacy questions and requests: [email protected].