// Legal

Privacy Policy

Last updated: May 10, 2026

What this is

Cabinet (operated by Cabinet Inc., reachable at hello@getcabinet.io) is an AI decision tool for solo founders. This policy explains what data we collect when you use Cabinet, how we use it, who we share it with, and what choices you have. Plain English. No dark patterns.

Data we collect

Account info. When you sign up, we store your email address, your display name (if you set one), and a password hash handled by Supabase Auth. We do not store your password in plain text and we cannot recover it.

Decision content. When you convene a council, we store the question you asked, any context you provided, the URL you optionally pasted, the council's outputs (Frame, advisor responses, dissent, synthesis, execution tiers), and metadata like duration and search count. This is so you can re-open past councils.

Integration tokens. If you connect Google, we store OAuth access and refresh tokens for your Google account in our database, encrypted at rest. We use them only to perform the actions you initiate (creating Drive files, Gmail drafts, etc.). You can disconnect at any time in Settings, which deletes the tokens.

Billing info. Stripe handles your payment method. We never see your card number. We store your Stripe customer ID and subscription status so we can show your billing tab.

Operational logs. Standard server logs (IP, user agent, request paths, response codes, timestamps) for security and debugging. Logs are retained for 30 days and not used for analytics or sold to anyone.

How we use it

We use your data to provide the Cabinet service: run councils, create artifacts in your Google Workspace when you ask, charge your subscription, and let you view your past sessions. We do not train AI models on your decision content. We do not sell your data to anyone, ever.

Google API access (Limited Use)

Cabinet's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

The scopes we request, and what we use each one for:

  • gmail.compose: create draft emails when you click "Save to Gmail Drafts" on an email artifact. We never read your inbox, never send mail on your behalf, and never see messages other than the drafts we create.
  • drive.file: create files (Docs, Sheets, Slides, folders) on your behalf. This scope only gives Cabinet access to files Cabinet creates. We cannot see, list, modify, or delete files we did not create.
  • documents, spreadsheets, presentations: edit the Docs, Sheets, and Slides files Cabinet creates so we can populate them with your council output.
  • userinfo.email, userinfo.profile: display your Google account email and name in the Integrations tab so you can confirm which account is connected.

We do not transfer Google user data to any third party other than the processors listed below as necessary to operate Cabinet, and we do not use Google user data for serving ads.

Third-party processors

Cabinet uses the following processors to operate. Each receives only the data necessary for its function:

  • Supabase (US): authentication, database, file storage.
  • Vercel (US): hosting and edge delivery.
  • Anthropic (US): AI inference. The Claude API receives the question, context, and conversation state for each council run. Anthropic does not train on API inputs by default.
  • Tavily (US): live web search and URL extraction for the autofill and advisor research tools.
  • Stripe (US): payment processing. Receives your email and payment method.
  • Resend (US): transactional email delivery (login links, billing receipts).
  • Google: only when you explicitly connect Google Workspace.

Your rights

You can view and edit your name and avatar in Settings. You can disconnect Google at any time in Integrations, which deletes the stored OAuth tokens. You can soft-delete past councils from the sidebar. You can email hello@getcabinet.io to request a full export of your data, full account deletion, or to ask any question about how we handle your data. We respond within 7 days.

If you are in the EU/UK, you have rights under GDPR including access, rectification, deletion, restriction, portability, and objection. Contact us at the same address to exercise any of them.

Security

All data is encrypted in transit (TLS) and at rest. Database access is restricted by Row Level Security so users can only access their own data. OAuth tokens are stored separately from your decision content. We have no plans to be careless about this.

Children

Cabinet is not intended for anyone under 18. We do not knowingly collect data from children.

Changes to this policy

When we update this policy materially, we will notify you by email before the change takes effect. The current version always lives at this URL with a "last updated" date at the top.

Contact

Questions, requests, complaints: hello@getcabinet.io.