1. Introduction
Potion ("we", "our", or "us") is a project management platform operated by Raghav Bajoria. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform at potionlabs.ai (the "Service").
By using Potion, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Organization and department information
- Profile preferences
2.2 Project and Task Data
Data you create while using Potion, including:
- Projects, tasks, subtasks, and their metadata
- Ideas, documents, and notes
- Activity logs and traces
- Comments and team communications
2.3 Gmail Data (Optional)
If you choose to connect your Gmail account, we access the following data with your explicit consent through Google OAuth:
- Email messages: Subject lines, sender/recipient addresses, message body content, and attachment metadata for emails you interact with through Potion
- Email metadata: Thread IDs, labels, read/unread status, and timestamps
- Send capability: Ability to send emails and replies on your behalf when you explicitly compose and send through Potion
We only access Gmail data necessary to provide email management features within Potion. We do not scan your emails for advertising purposes.
2.4 Usage Data
We automatically collect:
- Browser type and version
- Pages visited within the Service
- Timestamps of access
3. How We Use Your Information
- Provide the Service: Manage your projects, tasks, emails, and workspace
- AI Features: Generate task suggestions, email summaries, and insights using OpenAI and Anthropic APIs (see Section 5 for details)
- Email Integration: Display, organize, and manage your Gmail messages within Potion; send emails on your behalf when you explicitly request it
- Authentication: Verify your identity and manage access permissions
- Improvements: Understand usage patterns to improve the Service
- Communication: Send service-related notifications
4. Gmail Data: Limited Use Disclosure
Potion's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only use Gmail data to provide and improve the email management features you explicitly use
- We do not sell your Gmail data to third parties
- We do not use Gmail data for advertising or market research
- We do not allow humans to read your email content, except where you provide explicit consent, where it is necessary for security purposes (e.g., investigating abuse), or where it is required by law
- Gmail data is only transferred to third parties (AI providers) when necessary to provide features you request (e.g., email summaries), and these transfers comply with the Limited Use policy
5. Third-Party Services
We use the following third-party services to operate Potion:
- Vercel: Application hosting (servers located in Mumbai, India)
- Supabase (PostgreSQL): Stores your account, project, and task data (hosted in Singapore)
- OpenAI: Processes text for AI features such as task parsing and idea embeddings. Your data is sent to OpenAI's API for processing but is not used to train their models
- Anthropic: Powers the Brew AI Chat feature. Conversation data is sent to Anthropic's API for processing but is not used to train their models
- Amazon S3 / Cloudflare R2: Stores uploaded files and attachments
- Razorpay: Processes subscription payments (we do not store your payment card details)
- Google APIs: Gmail integration for email management
Each third-party service processes data in accordance with its own privacy policy. We only share the minimum data necessary for each service to function.
6. Data Storage and Security
- Application servers are hosted in Mumbai, India via Vercel. The database is hosted in Singapore via Supabase (AWS ap-southeast-1)
- Gmail OAuth tokens are encrypted using AES-256-GCM before storage
- Passwords are hashed with bcrypt and never stored in plaintext
- All connections to the Service use HTTPS/TLS encryption in transit
- Access to your organization's data is restricted by role-based access controls (RBAC)
While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
- Account data: Retained as long as your account is active
- Project and task data: Retained as long as your organization's account is active. Deleted projects are soft-deleted and can be restored
- Gmail data: Email metadata and cached content are retained while your Gmail connection is active. When you disconnect Gmail, your stored email data is removed
- AI processing data: Not retained by Potion after processing. Third-party AI providers may retain data per their own policies
8. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate personal data
- Deletion: Request deletion of your account and associated data
- Revoke Gmail access: Disconnect your Gmail account at any time from Settings, or revoke access from your Google Account permissions
- Data portability: Request your data in a machine-readable format
To exercise any of these rights, contact us at raghavbajoria123@gmail.com.
9. Children's Privacy
Potion is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such data, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: raghavbajoria123@gmail.com
Operator: Raghav Bajoria, India