Privacy Policy (DRAFT)

Effective: May 12, 2026 Last updated: May 12, 2026

DRAFT — NOT LEGAL ADVICE. Working draft for attorney review. Placeholders marked [BRACKETED]. The accuracy of this Privacy Policy depends on the Software actually behaving as described — any change to data flows requires a corresponding update here before the change ships. Drift between this Policy and the Software is the most common compliance hazard for privacy-by-design products.

Drafting assumptions:

Provider stores only: user id, email, polar_customer_id, created_at.

The Software has no telemetry, no analytics, no behavioral logging.

Polar.sh is merchant of record for billing.

AI/MCP features execute locally; Provider does not see AI data.

Repository visibility is checked from the user's device, not via Provider's servers.

Single Privacy Policy covering the Marketplace listing, the Software in use, and the marketing/account web properties.

URLs not yet determined. Domain selection and the URL structure for legal documents are open. The expectation is that legal documents will live under a subfolder of the main company page dedicated to the product, e.g., agenticbookmarks.com/legal/.... Every […URL] placeholder in this document will resolve to a path under that subfolder; the specific paths are not yet fixed. Cross-document references using these placeholders should remain consistent so that a single find-and-replace pass can populate them later.

In one paragraph

We are Super Mega Lab LLC ("Super Mega Lab", "we", "our"). This Privacy Policy describes how we handle personal data in connection with the Agentic Bookmarks VS Code extension, the bundled MCP server, our license verification service, and our website at https://supermegalab.com (together, the "Services"). We built the Services to handle as little personal data as possible: no telemetry, no analytics, no source code, no prompts, no AI interactions, no repository contents. The only personal data we hold about an end user is what's needed to verify a paid subscription and contact the user about it. If you have questions, email us at contact@supermegalab.com.

1. Who we are and how to contact us

Data controller: Super Mega Lab LLC, a Delaware limited liability company, with registered office at 16192 Coastal Highway, Lewes, Delaware 19958.

Privacy contact: contact@supermegalab.com

EU representative (Art. 27 GDPR): Not appointed; the Services are not directed to the EU at this time.

UK representative (Art. 27 UK GDPR): Not appointed; the Services are not directed to the UK at this time.

2. The data we do not collect

Because we are a privacy-first developer tool, we think the most important thing for you to know is what we do not receive. We do not receive, store, or have access to:

Source code, file contents, file paths, or file names from your development environment.
Repository names, remote URLs, branch names, commit hashes, commit messages, or other version control metadata.
Prompts, AI completions, model inputs or outputs, or assistant conversations. AI features in the Software run locally using your own AI provider; we never see your AI inputs or outputs.
Editor activity, keystrokes, command invocations, or feature-usage events. The Software contains no telemetry.
Diagnostics, error reports, crash dumps, or stack traces. The Software does not transmit these to us.
Repository visibility status. The Software determines whether a repository is public or private by querying the repository host (e.g., GitHub or GitLab) directly from your machine. We do not receive the answer.

3. The data we do collect

Beta Period note. The Software is launching in a Beta Period during which the license verification service described in this Section 3 is not yet running. During the Beta Period the Software does not contact a license verification service and we receive none of the data described in Sections 3.1, 3.2, or 3.3 below. Sections 3.4 (Support communications) and 3.5 (Website data) apply during the Beta Period only to the extent you interact with those channels. The remainder of Section 3 takes effect when the license verification service launches at the end of the Beta Period; we will announce the launch date at [POLICY URL] in advance.

3.1 Account data (license verification)

When you purchase a subscription through Polar.sh, we receive and store:

Data	Source	Why we have it
Internal user identifier	Generated by us	To uniquely associate your subscription with a license.
Email address	Provided by Polar.sh at purchase	To associate your subscription with you, send subscription/account communications, and provide support.
Polar customer identifier	Provided by Polar.sh	To reconcile entitlements with the billing system.
Account creation timestamp	Generated by us	Account lifecycle.

We do not receive your payment instrument data, billing address, or transaction history from Polar. Polar handles those as merchant of record under Polar's own privacy policy.

3.2 Connection metadata (transient)

When the Software contacts our license verification service to confirm a subscription or refresh an entitlement token, our hosting infrastructure processes connection metadata, including your IP address, in order to establish a TLS connection and protect the service against abuse. [STATE THE ACTUAL POLICY: e.g., "We do not retain IP addresses in a form linked to your account. Transient connection logs are kept by our hosting provider for [N] days for operational and security purposes and then deleted." — match what ops actually does.]

3.3 Entitlement tokens

When your subscription is verified, our service issues a short-lived signed entitlement token to the Software on your device. The token is verified locally by the Software to determine which features are available. We do not retain a copy of issued tokens.

3.4 Support communications

If you contact us for support — for example, by email, on GitHub Issues, or through any future support channel — we will receive whatever information you choose to send. We use that information only to respond to your request and to improve the Software. Please do not include source code, secrets, credentials, or other sensitive information in support requests.

3.5 Website data

If you visit https://supermegalab.com, our website may use:

Strictly necessary cookies required for the site to function (e.g., session/authentication cookies on account portal pages).
[LIST ANY ADDITIONAL COOKIES — analytics, marketing, etc. We recommend none, consistent with the Software's no-telemetry posture. If you do use analytics on the marketing site, list the provider, the purpose, and the legal basis. Display a cookie banner where required by Law.]

We do not use cross-site tracking or advertising cookies.

3.6 Marketing communications (if any)

[OPTION A — no marketing list:] We do not currently maintain a marketing email list. Communications we send to subscribers are limited to transactional account and security notices.

[OPTION B — opt-in newsletter:] If you sign up for our newsletter at [URL], we collect your email address and use it solely to send the newsletter. You may unsubscribe at any time using the link in any newsletter email or by contacting contact@supermegalab.com. The legal basis is consent (Art. 6(1)(a) GDPR).

4. How we use the data

We use the limited personal data described in Section 3 only to:

(a) verify your subscription and issue entitlement tokens; (b) associate your subscription with the right account; (c) send subscription, account, and security communications; (d) respond to support requests you initiate; (e) operate, secure, and protect the license verification service from abuse; (f) comply with applicable law and respond to lawful requests; and (g) [if Option B above: send the newsletter you have subscribed to.]

We do not use your data to:

train, fine-tune, or evaluate any artificial intelligence or machine learning model;
sell, share, rent, or trade your personal information;
build advertising profiles, behavioral analytics, or marketing segments;
profile you or make automated decisions with legal or similarly significant effects.

5. Legal bases (for users in the EEA, UK, and Switzerland)

We process the personal data described in Section 3 on the following legal bases under the GDPR / UK GDPR / FADP:

Processing	Legal basis
Verifying subscriptions, issuing tokens, account communications	Performance of a contract (Art. 6(1)(b) GDPR)
Operating and securing the license service; preventing abuse	Legitimate interests (Art. 6(1)(f) GDPR) — our interest in providing a reliable, secure service, balanced against the minimal nature of the data
Responding to support requests	Performance of a contract (or your prior request before a contract) — (Art. 6(1)(b) GDPR)
Complying with applicable law	Legal obligation (Art. 6(1)(c) GDPR)
Sending the newsletter [if applicable]	Consent (Art. 6(1)(a) GDPR)

6. Sharing the data

We share the limited personal data in Section 3 only with:

Recipient	Role	Data
Polar Software, Inc. ("Polar")	Merchant of record; subscription management. Polar acts as an independent controller of billing data, not as our processor.	Polar provides email and customer ID to us. We do not provide your data to Polar beyond what is needed for refund/cancellation requests.
Vercel (including Vercel Postgres for the database)	Hosts the license verification service and database; provides TLS termination	The data in Section 3.1; transient connection metadata in Section 3.2
Resend	Sends transactional account/subscription emails	Email address

The current list of sub-processors is maintained at [SUBPROCESSOR LIST URL].

We may also disclose personal data:

in response to valid legal process (e.g., a court order, subpoena, or other binding legal request), where required by law and after reviewing the request for legal validity;
to protect the rights, safety, or property of Super Mega Lab, our users, or others;
in connection with a corporate transaction (such as a merger, acquisition, or asset sale), in which case we will require the recipient to honor this Privacy Policy or notify affected users of any material change.

We do not sell your personal information.

7. International data transfers

We are based in the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an adequacy decision, we rely on the following transfer mechanisms, as applicable:

EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), in the appropriate module;
The UK International Data Transfer Addendum for transfers from the United Kingdom; and
Equivalent safeguards for transfers from Switzerland under the FADP.

Copies of the relevant transfer mechanisms are available on request to contact@supermegalab.com.

8. How long we keep the data

Data	Retention
Account data (Section 3.1)	For the lifetime of your subscription, plus 90 days after termination, after which it is deleted from primary systems. Backups containing the data may persist for up to 6 months in accordance with our backup rotation, after which they are overwritten or destroyed.
Connection metadata (Section 3.2)	[N days, matching ops policy]
Entitlement tokens	Not retained server-side once issued. Tokens are short-lived and validated on the user's device.
Support communications	Up to 24 months after the request is closed, then deleted, except where law requires longer retention.
Marketing data (if applicable)	Until you unsubscribe, then promptly deleted from active systems.

We may retain data longer where required by law (for example, tax records) or where reasonably needed to resolve disputes or enforce our agreements.

9. Your rights

Depending on where you live, you may have rights with respect to your personal data, including the right to:

Access the personal data we hold about you;
Rectify inaccurate personal data;
Erase your personal data ("right to be forgotten");
Restrict or object to certain processing;
Portability — receive your data in a structured, machine-readable format;
Withdraw consent, where consent is the legal basis;
Lodge a complaint with your local data protection authority. In the EU, you may contact your national supervisory authority; in the UK, the Information Commissioner's Office (ICO).

For users in California, you also have rights under the CCPA/CPRA, including the right to know what personal information we collect, to delete it, to correct it, to limit the use of sensitive personal information, to opt out of "sales" and "sharing" (we do neither), and to be free from retaliation for exercising these rights.

To exercise any of these rights, email contact@supermegalab.com. Given the limited data we hold, we are usually able to respond within 30 days at no charge.

10. Children

The Services are intended for software developers and are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact contact@supermegalab.com and we will delete it.

11. Security

We protect personal data using technical and organizational measures appropriate to its limited nature, including:

TLS 1.2 or higher for all network communication.
Encryption at rest for the user database and backups.
Least-privilege access controls for personnel; authentication with [SSO / MFA].
Signed entitlement tokens, verified locally by the Software, so that tampering with the network layer does not unlock paid features.
A documented incident response procedure consistent with our notification obligations.

A fuller description is published at [SECURITY OVERVIEW URL].

No system is perfectly secure. If we become aware of a security breach affecting your personal data, we will notify affected users without undue delay, and in any event consistent with applicable law.

12. AI and your data

The Services include AI-related features that operate locally on your device using your chosen AI provider. We do not operate, host, route, intercept, or log AI prompts, completions, or other AI interaction data. Your use of any AI provider is governed by your agreement with that provider.

We do not use any data we receive (including the limited account data in Section 3.1) to train, fine-tune, or evaluate any AI or machine learning model.

13. Open-source and source-available components

The public-repository portions of the Software are published in source form under PolyForm Shield 1.0.0 at [REPO URL]. You can inspect those components to verify our network behavior. The portions made available in source form do not contain telemetry; this is not only a contractual commitment but is verifiable by inspection. The proprietary core of the Software is distributed only as a compiled artifact bundled with the Marketplace release and is not published as source.

14. Polar.sh and the merchant of record relationship

Subscriptions are sold through Polar Software, Inc. acting as merchant of record. When you purchase a subscription:

Polar collects payment information, billing address, and tax information directly from you and processes that data as an independent controller under Polar's own privacy policy at https://polar.sh/legal.
We receive only your email and a Polar customer identifier from Polar, used as described in Section 3.1.
Refunds, cancellations, and tax matters are handled through Polar.

Please review Polar's privacy policy for information on how Polar handles your billing data.

15. Third-party integrations and platforms

The Software interacts with services on your device and on the Internet that you choose to enable, including:

Repository hosts (such as GitHub, GitLab, Bitbucket, or self-hosted Git servers) — to read repositories you direct the Software to read and to determine repository visibility. These interactions occur from your device under your existing relationship with that host.
Your AI provider, where you have configured one — see Section 12.
The VS Code Marketplace (or Open VSX) — for installation and updates. Distribution platforms have their own privacy practices.

We are not responsible for the privacy practices of third parties.

16. California "shine the light" and metrics disclosure

[Optional, if you have California users:] Under California Civil Code § 1798.83, California residents may request a list of third parties to which we have disclosed personal information for direct marketing purposes. We do not disclose personal information for third-party direct marketing purposes; nonetheless, requests may be sent to contact@supermegalab.com.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version is published at [PRIVACY POLICY URL]. Material changes affecting your rights or our handling of personal data will be communicated through the Software, the Marketplace listing, or by email to the address associated with your subscription, with at least thirty (30) days notice before the change takes effect. The "Effective" and "Last updated" dates at the top reflect the current version.

18. How to contact us

For questions, requests, or complaints concerning this Privacy Policy or our handling of your personal data:

Email: contact@supermegalab.com
Postal: Super Mega Lab LLC, 16192 Coastal Highway, Lewes, Delaware 19958

Drafting Notes (REMOVE BEFORE PUBLICATION)

These notes flag items for the drafting attorney and the business.

Items requiring decision

Provider legal entity — name, formation, registered address.
Privacy email and postal contact in Section 18.
EU/UK Article 27 representatives in Section 1 — required if you offer the Services to EU/UK data subjects and you are established outside those regions. Common low-cost options: [EU-REP service names].
IP-address retention in Section 3.2 — fill in based on actual ops policy. The current draft leaves this as a placeholder; it must match reality.
Cookies / website analytics in Section 3.5 — recommendation: none, to match the Software's no-telemetry posture. If you do use any analytics on the marketing site, list the provider, purpose, and legal basis, and add a cookie banner where required.
Marketing list in Section 3.6 — pick Option A (no list) or Option B (opt-in newsletter). Default draft offers both.
Sub-processor list in Section 6 — fill hosting, email, ops providers and regions. Publish the live list at the URL.
Sub-processor list URL — same URL as referenced in the DPA.
Backup retention period in Section 8 — must match ops reality and the DPA.
Support communications retention in Section 8 — pick a real number that matches your support tooling's retention.
Children's age in Section 10 — 13 (US default) or 16 (GDPR default). Counsel can advise based on your geography mix.
Security overview URL in Section 11.
Source-available license and repo URL in Section 13.
California disclosures in Section 16 — keep if you have any California users; effectively zero cost to keep.
Privacy Policy URL in Section 17 — the canonical hosted location.

Items the business should validate

The list of "data we do not collect" in Section 2 must be verifiably true. This is the single most important promise in the Policy. Any future feature that touches one of these categories — even something benign like "send us your repo name so we can recommend a config" — would require an update to this Section before the feature ships, plus 30 days' notice under Section 17. Build a release-checklist gate around this.
No-telemetry as a hard product principle. Section 2 and Section 4 commit you to no telemetry, no analytics, no behavioral logging, no model training. These are the value propositions that distinguish the product. Removing or weakening them later is a material change and will damage trust. Decide before launch whether this is durable.
The IP-retention statement in Section 3.2 is the most likely place for accidental drift between policy and reality. The hosting provider may log IPs even if you don't intend to; confirm with ops what the actual retention is and write it in. If you don't know, don't guess — say "transient connection logs are kept by our hosting provider in accordance with that provider's standard practices for operational and security purposes" and link the hosting provider's policy.
Polar's role — confirm Polar's status as merchant of record in your target geographies and that Polar's privacy policy adequately covers billing-data handling. Section 14 commits you to Polar being merchant of record; if Polar is only a payment processor in some markets, this section needs a regional split.
Section 12 (AI) assumes the AI/MCP architecture stays local. If product ever wants to add a server-side AI feature, this section must change before shipping. Coordinate with the Provider-Specific Terms (which has a parallel commitment).

Companion documents referenced from this Policy

Provider-Specific Terms at [PROVIDER TERMS URL] — drafted as TERMS.md.
Data Protection Addendum at [DPA URL] — drafted as DPA.md.
Data Handling Statement at [DATA-HANDLING URL] — drafted as DATA-HANDLING.md.
Sub-processor list at [SUBPROCESSOR LIST URL].
Security overview at [SECURITY OVERVIEW URL].

Cross-document consistency check

Before publishing, run these promises through the four documents and confirm they say the same thing:

Promise	Privacy Policy	Provider-Specific Terms	DPA	Data Handling Statement
Categories of data NOT collected	§2	§6.1	Annex 1B "Data NOT Processed"	§1
What data IS collected	§3	§6.2	Annex 1B table	§2
Polar as MoR + independent controller	§14	§3.1	Annex 3 note	§3
Local AI / no Provider AI access	§12	§8	Annex 1B	§1
Sub-processors	§6	§9	Annex 3	§4
72-hour breach notice	§11 (implicit)	— (Standard Agreement)	§9	§7
Backup retention	§8	—	§13.2	§9
30-day notice of material changes	§17	§13	(DPA's own change clause)	§10

Any mismatch is a defect. Fix in all four before publishing.

Mechanics of publishing

Publish at [PRIVACY POLICY URL] — typically [licensor.com]/legal/privacy.
Link from: the Marketplace listing, the website footer, the Polar checkout (Polar will accept a link), the first-launch dialog (if you have one), and from the in-product "About" or settings panel.
Keep prior versions accessible at versioned URLs (e.g., /legal/privacy/2026-05-01) so users can see what was in effect at any time.
Maintain a changelog at the bottom of the canonical URL (or at a sibling URL) describing material changes.