Privacy Policy for Supa Schema
Effective Date: July 17, 2026
Last Updated: July 17, 2026
Document Reference: UK-GDPR / DSIT-COP-V2
1. Introduction & Scope
Supa Schema (“we,” “our,” or “the Developer”) provides a software application for macOS designed to generate clean Swift models from existing database architectures. We recognize our responsibilities under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the UK Government's Department for Science, Innovation and Technology (DSIT) Code of Practice for App Store Operators and App Developers (GOV.UK). This application is built entirely on a "Privacy by Design and Default" framework. This document serves as our transparent disclosure of how data, parameters, and localized files are isolated on your machine.
2. Statement of non-collection (UK GDPR Compliance
Under Article 4(2) of the UK GDPR, "processing" requires the handling of personal data. Under Apple’s Privacy Guidelines and the UK App Code of Practice, data that is processed solely on-device is not considered "collected" or transmitted. No Remote Transmission: Supa Schema does not operate any external collection servers, analytics endpoints, or remote logging trackers. No Third-Party SDKs: The application codebase is free of third-party advertising networks, analytics tracking tools, or behavioral measurement frameworks. No Tracking or Profiling: We do not track user behavior across other apps or websites, nor do we sell or distribute data to brokers.
3. Compliance with the UK Apps Code of Practice
Supa Schema actively adheres to the baseline privacy and security principles laid out in the UK Government's Code of Practice for App Store Operators and App Developers:
a. GOV.UK Data Minimization
We only request local hardware and path sandboxing permissions that are strictly necessary to fulfill the application’s primary function.
b. Functional Autonomy
The core file-generation capabilities of the application operate seamlessly without forcing the user to grant unnecessary privileges or share any personal identity details.
c. Graceful Uninstallation
Because all files are stored locally, a standard macOS application uninstallation completely removes the application binary. Local cache files can be instantly cleared using standard system management tools.
4. Detailed Breakdown of Local Data Handling
Your data stays entirely within your custody on your own Mac. Here is where configurations reside:
a. File Path Access & Exported Swift Files
To execute code generation, the app requires write access to an export folder of your choosing.
Scope: This sandbox access is confined exclusively to the local export path you select.
Custody: Generated .swift files are saved locally on your machine. No file names, schema definitions, or generated code strings are ever transmitted off-device.
Scope: This sandbox access is confined exclusively to the local export path you select.
Custody: Generated .swift files are saved locally on your machine. No file names, schema definitions, or generated code strings are ever transmitted off-device.
b. User Preferences & State
Application preferences such as user interface settings, lists file paths, tab spaces, prefixes - are stored entirely locally on your device. This configuration data is completely private to your specific macOS user account, per schema configuration and is permanently removed from your machine if you choose to delete the application.
c. Database Connection Parameters & Keychain Access
When configuring connection details for your Supabase database instance:
Sensitive Credentials: API Keys, Service Role Tokens, and database passwords are saved directly into your macOS account's hardware-encrypted System Keychain. Supa Schema requests them locally to run schema lookups and does not cache or store them in plain text.
Non-Sensitive Data: Connection metadata—such as port numbers, hostnames, and structural schema types (public vs. private layouts)—are stored inside local configurations in the app's sandboxed local directory. They are never processed or sent anywhere by the developer for telemetry or optimization purposes.
Sensitive Credentials: API Keys, Service Role Tokens, and database passwords are saved directly into your macOS account's hardware-encrypted System Keychain. Supa Schema requests them locally to run schema lookups and does not cache or store them in plain text.
Non-Sensitive Data: Connection metadata—such as port numbers, hostnames, and structural schema types (public vs. private layouts)—are stored inside local configurations in the app's sandboxed local directory. They are never processed or sent anywhere by the developer for telemetry or optimization purposes.
5. App Store Connect Privacy Declarations
For verification against Apple’s App Privacy Requirements, our definitions align as follows:
| Data Type Category | Operational Status | Justification / Context |
|---|---|---|
| Contact Info & Identifiers | Not Collected | The app requires no accounts, email registrations, tracking IDs, or user profiles. |
| Usage Data & Diagnostics | Not Collected | No interaction metrics, feature telemetry, performance charts, or crash logs are ever routed back to the developer. |
| Credentials & Finance | Not Collected | All sensitive connection details and encryption tasks are processed locally on-device via secure system subsystems. |
6. Security, Vulnerability Disclosure & Data Breaches
a. Vulnerability Reporting
In accordance with Principle 3 of the UK Code of Practice, we maintain a secure reporting mechanism for security researchers and users to declare potential system flaws. If you discover a vulnerability within Supa Schema's handling of local data or sandbox controls, please contact us immediately through our official repository channels.
b. Software Dependencies & Updates
We routinely monitor and update any internal frameworks or software dependencies to protect against known exploits or software regressions, ensuring the app continues to meet strict security baseline requirements.
c. Breach Protocol
Because Supa Schema stores no user data on central infrastructure, a server-side personal data breach is structurally impossible. In the event that a critical exploit is uncovered within the local macOS codebase, a security update will be pushed to the App Store immediately alongside documentation detailing the security mitigation steps.
7. Rights of the Data Subject (UK GDPR)
Because we do not store or transmit personal data, we do not maintain a database of your information. Consequently, rights under the UK GDPR relating to access (SARs), rectification, restriction, or erasure (the "Right to be Forgotten") are natively managed by you, the user, as you retain 100% custody and control of your local application files, settings, and Keychain tokens at all times.
8. Contact & Regulatory Oversight
For inquiries regarding our zero-collection architecture or compliance frameworks, please contact our support or repository issues page.
If you remain unsatisfied with our security disclosures, UK residents maintain the right to raise a formal inquiry or lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
If you remain unsatisfied with our security disclosures, UK residents maintain the right to raise a formal inquiry or lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.