Privacy Policy

Last Updated: April 24, 2026

Introduction

  • PocketFounder (operated by SmartMango) is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information at pocketfounder.smartmango.ai.
  • This policy complies with GDPR (EU), CCPA (US), PIPL (China), and PDPO (Hong Kong).

What We Collect

  • Authentication is handled entirely by Clerk, a SOC 2 Type II compliant provider. We never receive your password. Sign-up may include a Cloudflare Turnstile CAPTCHA step.
  • In our PostgreSQL database we store only four fields per user: Clerk User ID, Stripe Customer ID, credit balance, and account creation timestamp. We do not store your email, name, or payment details.
  • During idea generation your profile inputs (skills, interests, location, time availability, pain points) are processed transiently in Redis for ~10 minutes and then auto-evicted. They are never written to our persistent database.
  • Generated ideas live in your browser (localStorage), not on our servers. You can clear them at any time.
  • IP addresses are used only for rate limiting (10 req/min, 3 concurrent) and are stored in Redis with short TTLs — no long-term logging.

How We Use Your Data

  • To provide AI idea generation via our selected LLM subprocessors (DeepSeek, Alibaba Cloud DashScope for Qwen, Google Gemini)
  • To process credit-pack purchases, refunds, and disputes via Stripe
  • To manage your account, credits, and sign-in via Clerk
  • To prevent abuse via rate limiting and input sanitization
  • We do not sell your data, run ads, or use tracking cookies

Your Rights

  • Access, correct, or delete your personal data
  • Withdraw consent at any time
  • Request data portability
  • Lodge complaints with supervisory authorities (e.g., Hong Kong PCPD, EU DPAs, China CAC)

Data Security

  • TLS 1.3 in transit; encryption at rest at the managed database and Redis layers
  • Environment-aware Content-Security-Policy and anti-clickjacking headers
  • Clerk authentication with middleware-enforced route protection; job polling bound to an HttpOnly SameSite=Strict cookie so no user can read another user's job state
  • Rate limiting via atomic Redis Lua scripts; 64 KB request body cap; parameterised SQL queries only
  • Prompt-injection sanitizer (19 patterns) runs on all user text before it is sent to any LLM; error messages are scrubbed for API keys and bearer tokens
  • Stripe webhook signatures verified on every event; multi-layer Redis idempotency keys prevent double-crediting

Cookies & Local Storage

  • Clerk session cookies keep you signed in
  • `pf_job` (HttpOnly, SameSite=Strict, 10-min TTL) binds a generation job to its requester
  • localStorage stores your language preference, profile inputs (for form autofill), selected AI model, and generated idea history — all client-side only
  • No tracking cookies, no advertising cookies, no third-party analytics beyond Vercel's privacy-friendly aggregate metrics

Contact Us

General Inquiries

support@smartmango.ai

Privacy Concerns / Data Protection Officer

privacy@smartmango.ai