Privacy Policy

Last updated: February 5, 2026

SRED Platform (“we”, “our”, “us”) operates the SR&ED tax credit automation platform. This Privacy Policy explains how we collect, use, and protect information when you use our service.

1. Information We Collect

When you use our platform we may collect:

  • Account information — name, email address, and organization details provided during sign-up.
  • Integration data — when you connect third-party services (GitHub, Google Drive, Notion, Linear, etc.) we receive OAuth tokens and metadata needed to sync content you select. We store access tokens securely and never share them with other parties.
  • Workspace content — pages, documents, commits, issues, and other items you explicitly choose to sync are imported as evidence for your SR&ED claim. We only access content you authorize.
  • Usage data — basic analytics such as pages visited and features used, collected to improve the product.

2. How We Use Your Information

  • To provide and maintain the SR&ED evidence capture and claim generation service.
  • To sync, extract, and embed content from connected integrations for vector search and AI-assisted drafting.
  • To communicate with you about your account, updates, and support.
  • To improve the platform based on aggregated, anonymized usage patterns.

3. Third-Party Integrations

We integrate with third-party services such as GitHub, Google (Drive), and Notion using their official OAuth flows. When you connect an integration:

  • We request only the minimum permissions necessary for each integration. For Google Drive, access is limited to supported files you explicitly select and connect to the Service.
  • Most integrations are read-only. For GitHub, if you enable PR comments, Shreddit may post or update one pull request comment in connected repositories. We do not modify source code, force push branches, or change repository settings.
  • For supported evidence sources, we may extract and store text content needed to generate SR&ED evidence, summaries, and claim drafts.
  • You can disconnect any integration at any time from the Integrations page, which revokes our access and deletes stored tokens.

4. Data Storage and Security

  • Data is stored in Supabase (PostgreSQL) with row-level security policies enforcing organization-level isolation.
  • Large evidence content is stored in Google Cloud Storage with encryption at rest.
  • OAuth credentials are stored encrypted in the database and are never exposed to the client.
  • All communication occurs over HTTPS/TLS.

5. Data Retention

We retain your data for as long as your account is active. If you delete your account or disconnect an integration, associated data (tokens, evidence, embeddings) is removed. Backups may retain data for up to 30 days after deletion.

6. Your Rights

You may:

  • Access, export, or delete your data by contacting us.
  • Disconnect integrations at any time to stop data syncing.
  • Request account deletion, which removes all stored data.

7. Cookies

We use essential cookies for authentication and short-lived cookies for OAuth state verification. We do not use third-party tracking cookies.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.

9. Contact

If you have questions about this Privacy Policy, please contact us at abdellaalioncan@gmail.com.