Privacy Policy
Effective date: 11 June 2026
This policy explains how Capasize, a B2B workforce-planning service founder-operated by Bader Aljeaan (“we”, “us”), handles personal data on capasize.com and in the Capasize platform. The short version: your workforce data stays in the EU, we never sell personal data, and you can exercise your rights by emailing us.
1. Our roles: controller and processor
For data about visitors to this site and about the people who sign up for and administer accounts — names, work email addresses, billing contacts — Capasize is the data controller.
For workforce data that customers upload to the platform — employee records, organisational structures, compensation inputs, planning data — Capasize is a data processor acting on the customer's documented instructions. If you are an employee whose data appears in a customer's plan, your employer is the controller; please direct requests to them, and we will assist them in responding.
2. Data we collect
- Account data — name, work email, organisation, role, and a password hash managed by Supabase Auth.
- Customer workforce data — the records your organisation uploads to run planning cycles.
- Usage data — server logs, IP address, browser type, request identifiers, timestamps, and the pages and features used, kept for security and reliability.
- Support communications — the emails you send to our support address.
- Billing contact details — used for invoicing; we do not store full card numbers.
3. Purposes and legal bases
- Providing and supporting the service, including trials — performance of a contract.
- Securing the service, preventing abuse, and sending operational service emails — our legitimate interests.
- Optional product updates — your consent, withdrawable at any time.
- Tax and accounting record-keeping — our legal obligations.
4. Data residency
All production data — databases, authentication records, and file storage — is hosted with Supabase in the eu-central-1 region (Frankfurt, Germany). Customer workforce data remains resident in the European Union by default. Backups and disaster-recovery copies follow the provider's EU storage and retention schedule.
5. Subprocessors
We use a deliberately short list of subprocessors and will update this policy before adding or replacing one.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | eu-central-1 (Frankfurt, Germany), EU |
| Vercel | Website and application hosting, content delivery network | Global edge network; EU origin |
| Render | EU compute for the API and board-pack generation, stateless | Frankfurt (EU); no customer data retained at rest |
6. Your rights
Under the GDPR and similar laws, you have the right to:
- access the personal data we hold about you;
- have inaccurate data rectified;
- have your data erased;
- restrict processing;
- receive your data in a portable format;
- object to processing based on legitimate interests;
- withdraw consent at any time, without affecting prior processing; and
- lodge a complaint with your supervisory authority.
To exercise any of these rights, email us from the address associated with your account. We respond within 30 days.
7. Retention
Account data is kept for the life of the account. Customer workforce data follows the customer's instructions and the cancellation schedule: a 30-day read-only grace period after cancellation, then permanent deletion 60 days after cancellation. Encrypted backups expire on a rolling 30-day schedule, and operational logs are kept for up to 12 months.
8. Security
Data is encrypted in transit and at rest. Every tenant is isolated with row-level security: each database query is scoped to the customer's organisation ID. Internal access follows least privilege, passwords are stored only as hashes by Supabase Auth, and production data is never used in development environments. No method of storage is perfectly secure, and we will notify affected users of any breach as required by law.
9. No sale of personal data
We do not sell or rent personal data, and we do not share it with advertisers or data brokers.
10. Cookies
capasize.com uses essential cookies only — those required for sign-in sessions and security. We do not set advertising or cross-site tracking cookies.
11. International transfers
Customer data is stored in the EU. Where a subprocessor processes limited technical data outside the EU — for example, content delivery on Vercel's global edge network — the transfer is protected by the European Commission's Standard Contractual Clauses.
12. Children
The service is for business use and is not directed at children under 16. We do not knowingly collect their data.
13. Changes
We will post updates to this policy here and, for material changes, email account owners at least 30 days before they take effect.
14. Contact
Privacy questions and data-subject requests: support@capasize.com