Privacy Policy

Gaja AI Private Limited ("we", "us", "our") operates the SuperBased desktop application and website (superbased.app). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our product and services.

1. Information We Collect

1.1 Account Information

When you create an account or sign in, we collect your email address, name, and authentication credentials through our authentication provider (Clerk). This information is necessary to provide you with access to our services and manage your subscription.

1.2 Usage Data

We may collect anonymized usage statistics such as feature usage frequency, application version, operating system type, and crash reports. This data does not include the content of your screenshots, AI queries, or any personal files.

1.3 Anonymous Install Heartbeat

When the desktop application launches and you are not signed in, SuperBased sends a small heartbeat to our servers no more than once every 24 hours. The heartbeat lets us understand how many installations are active and helps us prioritise platforms and versions for support and updates. Each heartbeat contains:

• Hashed machine identifier — a one-way SHA-256 hash of your operating system's machine ID. We use this only to deduplicate one install from another, and we cannot reverse it back to a machine ID or to you.
• Operating system (e.g. darwin, win32, linux) and application version.
• Hostname — the local network name your computer reports for itself (e.g. my-laptop). On many systems this is auto-generated and contains no personal information, but it can contain a name (e.g. janes-macbook-pro) on consumer devices. If you would prefer not to share it, you can disable the heartbeat entirely (see below).
• Hashed source IP address — your IP address is hashed on our server before storage so we can roughly count distinct origins without retaining the IP itself.

The heartbeat does not include screenshots, files, AI queries, account credentials, browsing activity, or any document content.

Stopping after sign-in. The moment you sign in to SuperBased, the heartbeat stops for that machine and the previously-recorded anonymous row is deleted from our database. Your machine then appears under your account in the normal way.

How to opt out. The heartbeat is enabled by default. You can disable it at any time in the desktop application under Settings → Privacy → Anonymous Install Reporting. Once disabled, no further heartbeats will be sent from that installation.

1.4 Global Keyboard Listener

To make features like push-to-talk dictation and interaction recording work from any application, the desktop app installs a global keyboard listener on your operating system. This listener is active by default after installation. It is used solely to detect the specific shortcut keys you have configured (for example, holding Cmd+Opt on macOS or Ctrl+Alt on Windows to start dictation, or pressing Ctrl+Shift+R to toggle recording). You can disable either feature at any time in Settings → Dictation or Settings → Recording, after which the listener is no longer used by that feature.

What the keyboard listener does not do:

• It does not log, store, or transmit any keystrokes other than the configured shortcut keys.
• It does not capture passwords, payment details, or anything you type into other applications.
• It does not send any keystroke data to our servers — all keypress detection happens entirely on your local machine.
• For interaction recording, when you explicitly start a session, captured keystrokes can optionally be masked to *** in the on-disk event log via the Mask typed text setting (enabled by default).

If you would prefer that no global keyboard listener is installed at all, disable both Dictation and Interaction Recording in Settings.

1.5 Usage Analytics

To understand how SuperBased is being used and improve the product, the desktop app forwards a small set of aggregate usage events to our admin console. Each event represents one occurrence of an action you take in SuperBased — for example, "captured a screenshot," "ran a dictation session," "made an AI query." Events are batched and sent approximately once per minute. Each event includes:

• The event type (e.g. capture, dictation, ai_query, tce, recording).
• An event subtype describing the action variant (e.g. manual, realtime, compress).
• The name of the foreground application at the time of the event (e.g. Chrome, VSCode, Slack) so we can understand which apps SuperBased is most useful in.
• An optional numeric value for events where it is meaningful (e.g. words transcribed, tokens saved, response length).
• The desktop app version.
• Either your user account identifier (when you are signed in) or your hashed device identifier (when you are signed out). If you sign in after using the app anonymously, the previously-recorded anonymous events are linked to your account.

What usage analytics do not include:

• The contents of your screenshots, OCR text, or any image data.
• The contents of your AI queries or AI responses.
• The contents of your dictation transcripts.
• The contents of any files you open or work with.
• Window titles, document titles, file paths, URLs, or any other text from your other applications. Only the application name (e.g. "Chrome") is sent — not what you are doing inside it.
• Keystrokes, clipboard contents, passwords, or payment details.

How to opt out. Usage analytics are enabled by default. You can disable them at any time in the desktop application under Settings → Privacy → Usage Analytics. Once disabled, no further usage events will be sent and any events queued in memory are dropped.

1.6 Payment Information

Payment processing is handled by our third-party payment provider (Paddle). We do not directly collect, store, or process credit card numbers or banking information. Please refer to Paddle's privacy policy for details on how they handle payment data.

1.7 Information We Do NOT Collect

• Screenshots: Your screenshots are stored locally on your device. We do not upload, access, or store your screenshots on our servers.
• OCR Data: Text extraction via Tesseract runs entirely on your local machine. No text data is sent to our servers.
• AI Queries: When you use AI analysis features, your screenshots and instructions are sent directly from your device to the AI provider you have configured (e.g., Anthropic, OpenAI, Google, Azure). We do not intercept, store, or process this data.
• API Keys: Your AI provider API keys are encrypted using your operating system's secure credential storage (DPAPI on Windows, Keychain on macOS) and are never transmitted to our servers.
• Recording Sessions: All recording session data (screenshots, metadata, timelines) is stored locally on your device.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Manage your account and subscription
• Send you important updates about the product (security patches, major version releases)
• Provide customer support
• Analyze anonymized usage patterns to improve the product
• Comply with legal obligations

3. Third-Party Services

SuperBased integrates with or uses the following third-party services:

• Clerk — Authentication and user management
• Paddle — Payment processing and subscription management
• AI Providers (Anthropic, OpenAI, Google, Azure) — AI analysis, used only when you explicitly request it, with data sent directly from your device to the provider
• Whisper API — Voice transcription, used only when you activate voice input
• Imgur — Screenshot hosting, used only when you explicitly choose to upload

Each of these third-party services has its own privacy policy. We encourage you to review them.

4. Data Storage and Security

Your core data (screenshots, OCR text, AI responses, recordings) is stored locally on your device. We employ industry-standard security measures including:

• OS-level encryption for sensitive credentials (API keys, authentication tokens)
• HTTPS for all communications between the app and our servers
• Secure authentication via Clerk
• Localhost-only HTTP API (port 47592) that does not accept external connections

5. Data Retention

We retain your account information for as long as your account is active or as needed to provide services. If you request account deletion, we will delete your account data within 30 days, except where we are required by law to retain it.

Local data on your device (screenshots, recordings, gallery) is under your full control. You can delete it at any time through the application or by removing the application data directory.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and associated data
• Portability: Request your data in a portable format
• Objection: Object to specific processing activities

To exercise these rights, contact us at contact@marmut.app.

7. Children's Privacy

SuperBased is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.

8. International Data Transfers

Gaja AI Private Limited is based in India. If you are accessing SuperBased from outside India, please be aware that your account information may be transferred to, stored, and processed in India. By using our services, you consent to this transfer.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on our website and, where appropriate, through in-app notifications. Your continued use of SuperBased after changes take effect constitutes acceptance of the revised policy.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: contact@marmut.app
• Website: superbased.app
• Company: Gaja AI Private Limited, India