This Privacy Policy describes how Goodspeed Apps LLC ("Goodspeed", "we", "us", or "our") collects, uses, discloses, and protects information when you use the Goodspeed platform, including the website at goodspeed.app, the administrative interface at admin.goodspeed.app, subdomains we provision for your generated applications ({your-app}.goodspeed.app), and any APIs, mobile apps, or related services (collectively, the "Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the Service.
1. Quick Summary
We collect the information you provide and the information we observe while you use the Service. We use that information to operate the Service, prevent abuse, comply with the law, and improve what we offer. We do not sell your personal information. We use third-party AI providers (Anthropic, OpenAI, and others) to generate the content the Service produces; we have contractual commitments with those providers that prohibit them from training their models on your content. We retain information only as long as we need it. You have rights under US state laws and (if you are in the EU/UK) under GDPR/UK GDPR; we describe how to exercise them in Section 11.
2. Who We Are
Data controller: Goodspeed Apps LLC, address available on request.
Privacy contact: privacy@goodspeed.app
For EU/UK users: We do not currently have a designated representative under Article 27 GDPR because our EU/UK traffic is below the threshold that requires one. If we exceed the threshold, we will appoint and disclose a representative.
3. Information We Collect
3.1 Information You Provide
- Account information. When you create an account, we collect your email address, a hashed password (we never store your password in plain text), and a display name if you provide one.
- Authentication identifiers. If you sign in with GitHub, we collect your GitHub username, user ID, email, and the OAuth access token you authorize. We never receive your GitHub password.
- Payment information. When you subscribe to a paid plan, we collect billing details necessary to process payment. Payment card numbers are collected and stored by Stripe, our payment processor. We retain only a Stripe customer ID, last four digits of your card, brand, and expiration; we never have access to your full card number.
- Profile and preferences. Any profile information, settings, notification preferences, or onboarding answers you provide.
- Project content. Prompts, descriptions, ideas, attachments, screenshots, feedback, generated app code, design assets, and any other content you submit to or generate via the Service.
- Support communications. Information you provide when you contact us for support, including ticket content and attachments.
3.2 Information We Collect Automatically
- Usage data. Pages visited, features used, agent runs, errors encountered, response times, and similar telemetry.
- Device and connection data. IP address, browser type and version, operating system, referrer URL, language preference, time zone, and similar technical metadata.
- Cookies and similar technologies. See Section 8.
3.3 Information from Third Parties
- Payment status. Stripe sends us information about your subscription status, invoices, charges, refunds, and disputes via webhook.
- GitHub. When you connect a GitHub account, we receive your public profile, your email (if it is public or you have authorized sharing), and the repositories you authorize for access.
- AI providers. We receive the outputs that the AI providers generate in response to prompts from the Service. We do not receive personal information about the AI provider's other customers.
3.4 Information We Do Not Collect
- We do not knowingly collect information from anyone under the age of 18. The Service is not directed to children, and you must be at least 18 years of age to use it. If we learn we have collected information from someone under 18, we will delete it promptly.
- We do not request or accept "Protected Health Information" as defined under HIPAA. Do not submit PHI to the Service.
- We do not request "Cardholder Data" outside of what Stripe collects under PCI-DSS.
4. How We Use Information
We use the information we collect to:
- Provide the Service. Authenticate you, generate the applications you request, host your generated apps, process payments, and communicate with you about the Service.
- Improve the Service. Analyze usage to fix bugs, improve performance, identify popular features, and develop new ones. We aggregate or anonymize data wherever feasible for this purpose.
- Secure the Service. Detect, investigate, and respond to fraud, abuse, security incidents, and violations of our Terms of Service or Acceptable Use Policy.
- Communicate with you. Send transactional emails (account verification, password resets, billing receipts, security alerts, service announcements). If you have opted in, send product updates and marketing.
- Comply with law. Respond to lawful requests, satisfy tax and accounting obligations, and enforce our agreements.
4.1 Legal Bases (EU/UK Users)
Under GDPR and UK GDPR, we rely on the following bases:
- Contract (Art. 6(1)(b)): processing necessary to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): operating, securing, and improving the Service; our interests do not override your fundamental rights.
- Consent (Art. 6(1)(a)): optional marketing communications, optional analytics cookies, and other discretionary uses.
- Legal obligation (Art. 6(1)(c)): tax, accounting, anti-fraud, and lawful-request compliance.
5. AI Providers and Your Content
Generating applications requires sending prompts and context to third-party AI providers, which currently include:
- Anthropic, PBC (Claude models): content sent to Anthropic is governed by Anthropic's commercial terms, which include a contractual prohibition on training Anthropic's models on customer inputs and outputs without explicit permission.
- OpenAI OpCo, LLC (GPT models): content sent to OpenAI under the API is governed by OpenAI's API terms, which similarly prohibit training on API inputs and outputs by default.
- Voyage AI (embedding models): used for retrieval and similarity tasks.
We disclose every AI subprocessor in our Subprocessors page. We do not authorize any of them to use your content to train their models. If we add or change AI providers, we will update the Subprocessors page and (for material changes) provide notice to existing users.
Output ownership. As between you and Goodspeed, you own the application code, designs, assets, and other outputs generated for you, subject to (a) the rights of the AI provider as to their underlying models and (b) third-party rights in any open-source components the Service incorporates. See Section 5 of the Terms of Service for the full ownership terms.
Hallucination and accuracy. AI outputs may be inaccurate, incomplete, or unsuitable for your purpose. The Service is a productivity tool, not a substitute for human review of generated code and content. You are responsible for reviewing what the Service generates before relying on or shipping it.
6. How We Share Information
We share information only as described below. We do not sell your personal information in the everyday sense, and we have not "sold" or "shared" personal information for cross-context behavioral advertising under California, Virginia, Colorado, Connecticut, Utah, or Texas law in the preceding twelve months.
6.1 Service Providers (Subprocessors)
We share information with vendors that help us operate the Service. The current list is published at /subprocessors. Each subprocessor is contractually bound to use the information only to provide their service to us, to maintain reasonable security, and to comply with applicable law.
6.2 Compliance and Safety
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with a subpoena, court order, or other lawful request from a government authority.
- Enforce our Terms of Service or Acceptable Use Policy.
- Detect, prevent, or address fraud, security, or technical issues.
- Protect the rights, property, or safety of Goodspeed, our users, or others.
We narrowly tailor any disclosure to what is required and, where legally permitted, we attempt to notify affected users before disclosure.
6.3 Business Transfers
If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice and, where required by law, obtain consent before any material change in how your information is handled.
6.4 With Your Direction
We share information when you explicitly direct us to, for example when you connect a GitHub account or publish a generated app to a public URL.
7. International Transfers
Goodspeed is based in the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States, where data protection laws differ from those in your home country.
For EU/UK users: We rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, where applicable, as the lawful mechanism for transferring personal data outside the EU/UK. Stripe, Supabase, Cloudflare, Vercel, Anthropic, OpenAI, and other relevant subprocessors have committed to SCCs (or are otherwise certified under recognized transfer mechanisms).
8. Cookies and Similar Technologies
We use a small number of cookies and similar technologies:
| Category | Purpose | Example | Opt-out |
|---|---|---|---|
| Strictly necessary | Authentication, security (CSRF protection, CSP nonces) | session cookie, admin_session_v2 | Cannot opt out without breaking the Service |
| Functional | Saving your preferences | dark-mode setting | Browser settings |
| Analytics | Understanding aggregate usage | PostHog | Browser settings; we honor Global Privacy Control (GPC) signals |
We do not use third-party advertising cookies. We do not engage in cross-context behavioral advertising. We do not use re-targeting pixels.
If your browser sends a Global Privacy Control (GPC) signal, we treat it as an opt-out of any "sale" or "share" of personal information, even though we do not sell or share for behavioral advertising.
9. Data Retention
We retain information only as long as we need it for the purposes described in this Policy, including:
- Account information: for the lifetime of your account plus up to 90 days after deletion to handle reversals, disputes, and abuse investigations.
- Project content: for the lifetime of your account; you may delete individual projects at any time, in which case we delete the project content within 30 days (subject to backup-cycle retention).
- Payment records: for at least 7 years after the relevant transaction, to satisfy US tax and accounting requirements.
- Logs and telemetry: typically 90 days for application logs and up to 13 months for security and audit logs.
- Backups: rolling backups may persist for up to 35 days after deletion; we do not selectively delete from backups, but we will not restore deleted data from backup except under legal compulsion.
When you delete your account, we delete or de-identify your information on the schedules above, except for the narrow categories we are required to retain (payment records, certain compliance records).
10. Security
We implement administrative, technical, and physical safeguards designed to protect your information, including: TLS encryption in transit, encryption at rest for sensitive credentials (AES-256-GCM), HMAC-signed session tokens with timing-safe verification, role-based access controls, per-tenant row-level security in our database, magic-byte verification and EXIF stripping on uploaded files, rate limiting, structured audit logging of administrative actions, and continuous secret scanning. No system is perfectly secure; we do not guarantee that your information will be protected against every possible threat.
If we become aware of a personal data breach affecting you, we will notify you and any required regulator within the timelines required by applicable law (under GDPR, generally within 72 hours of becoming aware).
11. Your Rights
11.1 Rights Under US State Laws
Depending on the state in which you reside, you may have the following rights:
- Right to know / access. What personal information we have collected about you and how we have used and shared it.
- Right to correct. Inaccurate personal information.
- Right to delete. Personal information we have collected, subject to certain exceptions (we may retain information necessary for fraud prevention, legal compliance, etc.).
- Right to data portability. Receive your information in a portable format.
- Right to opt out of "sale" or "sharing." We do not sell or share for behavioral advertising; this right is moot in practice, but we honor it.
- Right to opt out of certain profiling. We do not engage in automated decision-making that produces legal effects on you.
- Right to non-discrimination. We will not deny you service or charge different prices because you exercised a right.
These rights are granted by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA); the Virginia Consumer Data Protection Act (VCDPA); the Colorado Privacy Act (CPA); the Connecticut Data Privacy Act (CTDPA); the Utah Consumer Privacy Act (UCPA); the Texas Data Privacy and Security Act (TDPSA); and any other state law that may apply to you.
11.2 Rights Under GDPR / UK GDPR
If you are in the EU, UK, or another jurisdiction with GDPR-style protections, you also have:
- Right of access (Art. 15): confirm whether we process your data and obtain a copy.
- Right to rectification (Art. 16): correct inaccurate data.
- Right to erasure (Art. 17, "right to be forgotten"): request deletion.
- Right to restriction of processing (Art. 18): limit how we process your data in certain circumstances.
- Right to data portability (Art. 20): receive your data in a machine-readable format.
- Right to object (Art. 21): to processing based on legitimate interests, and to direct marketing.
- Right not to be subject to automated decision-making (Art. 22): we do not engage in such processing.
- Right to withdraw consent at any time for processing based on consent.
- Right to lodge a complaint with your local supervisory authority.
11.3 How to Exercise Your Rights
Email privacy@goodspeed.app with the request. Tell us which right you wish to exercise. We will verify your identity before acting on the request, typically by confirming control of the email address associated with your account. We will respond within the time period required by applicable law (generally 45 days under US state laws, 30 days under GDPR; both extendable in certain cases).
You may also use authorized agents under California law; we will require the agent to provide proof of authorization.
We will not discriminate against you for exercising any right.
12. Children
The Service is not intended for or directed to anyone under the age of 18. We do not knowingly collect information from children. If you are a parent or guardian and believe your child has provided information to us, contact us at privacy@goodspeed.app and we will delete it.
13. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date at the top will reflect the most recent revision. For material changes, we will provide additional notice (e.g., an in-product banner or email to active users) at least 30 days before the change takes effect, except where a shorter period is required by law or by urgent security need.
14. Contact
Questions, requests, or complaints about this Policy: privacy@goodspeed.app
For general support: support@goodspeed.app
Postal address: Goodspeed Apps LLC, address available on request