Privacy Policy
Last updated April 27, 2026
Caddi is operated by Ethan Rogers (the “Operator”). We take your data and your clients’ data seriously. This page explains what we collect, why, how long we keep it, and what you can do about it.
What we collect
When you create an agency account, we collect:
- Your email and password hash (or magic-link identifier).
- Your agency name, slug, and the names of teammates you invite.
- Records of what you do in Caddi — deploys triggered, env vars changed, branches promoted — stored in an audit log.
When your agency’s end clients use the customer portal, we store the messages they send, the form submissions you’ve scoped to them, and the assets you’ve attached. The data your end clients share belongs to your agency; Caddi is the processor.
Form submissions captured by Caddi form endpoints include whatever fields the form posted, plus the submitter’s IP address and user-agent for spam mitigation.
How we use it
We use this data only to operate Caddi — running the dashboard, sending you transactional emails, defending the form endpoints from abuse, and answering support requests. We don’t sell data and we don’t share it with advertisers.
Subprocessors
Caddi runs on Vercel (hosting), Supabase (database, auth, storage), Cloudflare (R2 object storage and DNS), Resend (transactional email), Sentry (error tracking), Axiom (logs), Better Stack (uptime), Inngest (background jobs), and Stripe (billing). Each sees only the data needed to perform its function.
Security
All connections use TLS. Provider tokens you connect (GitHub, Vercel, Cloudflare) are encrypted at rest. We require 2FA for agency owners. Row-Level Security is enforced on every table; we publish an audit script in our CI to prove cross-tenant reads return no rows.
Retention
Audit logs are kept for two years. Form submissions are kept until you delete them — you can configure per-form retention. If you cancel your agency account, we delete your data within 30 days unless you’ve exported it first.
Your rights
You can export every piece of data we hold on your agency at any time from Settings → Data export. You can request deletion by emailing [email protected]. We honor GDPR access, rectification, and erasure requests.
Cookies
We use first-party cookies for authentication. For marketing-site analytics we use Plausible, which is cookie-free. There are no third-party tracking cookies on the marketing site or the app.
Changes
We’ll update this page when our practices change and notify agency owners by email for material changes.
Contact
Questions? Email [email protected].