Skip to content

GrantHub orphan?We'll migrate you free.

Guide

Privacy

What we collect, what we don't.

The honest version of our privacy practices today, written for humans. When we cross the customer-volume threshold that legally requires a lawyer-written privacy policy, this page will be replaced with one. Until then: we collect the minimum, encrypt what matters twice, and never train AI on your workspace.

Last updated June 18, 2026.

What Bothy collects

When you visit the marketing site, we collect anonymous analytics (pages viewed, referrer, country, device class) using a privacy-respecting analytics tool. We do not use cookies for tracking. We do not sell or share this data with anyone.

When you join the waitlist, we collect your email and (optionally) your nonprofit's name. We use these to email you about Bothy. You can ask us to delete that record at any time by emailing hello@bothy.so.

If you sign up for the product, we collect your email, your organization's name, and whatever grants / funder / task data you choose to put into the workspace. That data belongs to you. It lives encrypted at rest in Supabase Postgres (AES-256 disk encryption inherited from the underlying infrastructure). If you bring your own AI key (Anthropic, OpenAI), that key is double- encrypted with our own AES-256-GCM envelope before it ever touches the database — bound to your user identity so a key extracted from one row can't be replayed against another. We do not look at any of your data except when you ask us to help with a support question.

What Bothy does not collect

We do not use third-party tracking cookies. We do not run social media tracking pixels. We do not sell, share, or rent any data about you to advertisers. We do not train AI models on your workspace data.

Where the data lives

Marketing-site analytics live in a privacy-respecting analytics tool. Product data lives in Supabase (Postgres + storage) in the United States, isolated per workspace by row-level security so no workspace can ever read another's rows. Payment data is handled by Stripe and we never see your card number.

Every change inside a workspace — grant moved, report submitted, note logged, member added — writes to an audit log with the actor, the action, the before-state, and the after-state. That log is your accountability paper trail (visible at the Activity tab of any workspace) and is retained for 90 days before being automatically pruned.

Soft-delete is the default for grants, tasks, reports, and funder-log entries. Hitting delete moves a row to a recycle state; an owner or admin can restore it from the Activity tab. True deletion happens only when the workspace itself is cancelled (90-day grace, then purge).

How we harden the app

All connections are HTTPS-only with HSTS preloaded (browsers refuse to fall back to HTTP for two years from first contact). The app refuses to render inside an iframe (clickjacking defense) and ships a Content Security Policy that pins script and connect sources to known-good origins. Public endpoints like waitlist signup and Stripe checkout are rate-limited per IP. Cron secrets are checked with constant-time comparison so timing attacks can't leak them character by character.

Live system status — including the database health check — is public at bothy.so/status. If something feels broken, that page tells you whether it's us.

How to reach us

Privacy questions, deletion requests, weird edge cases — email hello@bothy.so and a real person at Coach House will get back to you. We try to respond within 2 business days.

A note on this page. Bothy is built by Coach House, a small studio in Louisville KY. When our customer footprint crosses the threshold that legally warrants a lawyer-drafted privacy policy, this page will be replaced with one. Until then, the spirit holds: we collect as little as we can, we encrypt what matters, we don't sell it, we'll delete it when you ask, and you can email a real person about any of the above.