Privacy Policy

1.1 Account & Workspace Data

• Identity & profile: name, email, password hash (bcrypt), avatar, language preference, organization name and role.
• Workspace content: campaigns, creator lists, briefs, contracts, scripts, AI chat history, notes and any other content you create on the Platform.
• Billing metadata: subscription tier, plan status, invoice history. We do not store full credit card numbers — see Section 4.

1.2 Connected Third-Party Data (with your consent)

• Google Workspace / Gmail: when you connect your Google account via OAuth 2.0, we request only the minimum scopes required for outreach and reply tracking (e.g. gmail.send, gmail.readonly). OAuth refresh tokens are encrypted at rest. You can revoke access at any time from your Google Account or from inside the Platform.
• Social platform data: publicly available creator profiles, posts and engagement metrics from TikTok, Instagram, YouTube and similar platforms, gathered through official APIs and licensed third-party data providers.

1.3 Automatically Collected Data

• Usage telemetry: pages visited, features used, request timing and aggregated performance metrics — used to debug issues and improve the product.
• Device & log data: IP address, browser, OS, referrer, server logs and error reports.
• Cookies: strictly necessary cookies for authentication and session management. See our Cookie Policy.

• Provide, maintain, secure and improve the Platform and its features.
• Power AI features such as creator discovery, contract drafting, script generation, auto-reply and campaign insights.
• Send transactional emails (account, billing, system alerts) via our email provider.
• Process payments and manage subscriptions through Stripe.
• Detect, prevent and respond to fraud, abuse and security incidents.
• Comply with legal obligations.

We believe in being explicit about which subprocessors handle your data, because transparency is the foundation of trust.

3.1 Database & Storage — Supabase

• All structured data (accounts, campaigns, creators, messages, contracts) is stored in a managed Supabase PostgreSQL database hosted on AWS infrastructure.
• Files and media (uploaded briefs, generated assets, avatars) are stored in Supabase Storage with signed-URL access control.
• All data is encrypted at rest using AES-256 and encrypted in transit using TLS 1.2+.

3.2 Multi-Tenant Isolation — Row Level Security

• Every business table is keyed by an organization ID and a user ID, and is protected by PostgreSQL Row Level Security (RLS) policies.
• The database physically refuses to return rows that do not belong to the requesting user's organization, even if application code has a bug. Tenants cannot read or write each other's data.
• Privileged backend functions run with SECURITY DEFINER and a locked search_path to prevent schema-hijacking attacks.

3.3 Authentication — Supabase Auth

• Passwords are hashed using bcrypt; we never see or store your plaintext password.
• Sessions use rotating JWT access tokens and HTTP-only refresh-token cookies.
• OAuth login via Google is supported.

3.4 Payments — Stripe

• All payments and subscriptions are processed by Stripe, a PCI-DSS Level 1 certified provider.
• Card numbers, CVVs and bank credentials are entered directly into Stripe's hosted elements and never touch our servers. We only store an opaque customer/subscription ID.
• Webhooks from Stripe are signature-verified before being accepted by our backend.

3.5 Email — Outbound & Security

• Transactional and marketing emails sent on our behalf go through a reputable transactional email provider with SPF, DKIM and DMARC enforced on every send.
• Outreach emails sent through your own Google Workspace account remain governed by Google's security posture (2FA, advanced threat protection, retention rules, etc.). We act only as an authorized client of your Gmail API.

3.6 AI Processing — Anthropic Claude

• AI features are powered by Anthropic's Claude models via the official API.
• No training on your data. Per Anthropic's commercial API terms, prompts and completions sent through the API are not used to train, fine-tune or improve their models. We contractually rely on this guarantee and pass it through to you.
• We do not operate, train or fine-tune any of our own AI models on customer data. Your workspace content stays yours.
• We send only the minimum context needed for each task, never share data between organizations, and discard inference inputs after the request completes (aside from the records you explicitly save in your workspace, such as chat history).

3.7 Hosting & Background Jobs

• The application runs on hardened cloud infrastructure behind a reverse proxy with TLS termination, rate limiting and DDoS protection.
• Background jobs (email sends, image processing, AI tasks) run in an isolated worker process and inherit the same RLS and access-control rules as the application.

• In transit: all traffic is served exclusively over HTTPS with HSTS enabled.
• At rest: database, storage and backups are encrypted with AES-256.
• Secrets management: API keys and OAuth tokens are stored in encrypted environment variables and database columns; access is least-privilege and audit-logged.
• Access control: only authorized engineers can access production systems, via SSO with mandatory 2FA.
• Backups: automated daily backups with point-in-time recovery.
• Incident response: we maintain an internal incident-response process and will notify affected users of any confirmed breach without undue delay, as required by applicable law.

No system can be guaranteed 100% secure, but we follow industry best practices and continuously improve our security posture.

• Subprocessors: Supabase (database, auth, storage), Stripe (payments), Anthropic (AI), Google (OAuth & Gmail API), and our email and hosting providers — all bound by data-protection agreements.
• Within your org: workspace members can see workspace content according to their assigned role.
• With creators: when you initiate outreach, the relevant message content is shared with the recipient (just like sending an email normally would).
• Legal requirements: when required by valid legal process, or to protect our rights and the safety of users.
• Business transfers: in connection with a merger, acquisition or asset sale, with continuity of these privacy commitments.

We do not sell personal information to third parties.

We retain your data for as long as your account is active and for a reasonable period afterwards in order to comply with legal obligations, resolve disputes and enforce our agreements. When you delete your account, your personal data and workspace content are deleted or anonymized within 30 days, except where retention is required by law (e.g. tax records for invoicing).

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data ("right to be forgotten").
• Export your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent for optional integrations at any time.
• Lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us using the details in Section 11.

Our infrastructure and subprocessors operate primarily in the United States and the European Union. When data is transferred across borders, we rely on legally recognized transfer mechanisms (such as the EU Standard Contractual Clauses) to ensure your data continues to receive an adequate level of protection.

The Platform is intended for business use and is not directed at individuals under 18. We do not knowingly collect personal information from children. If you believe we have, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated through the Platform or by email, and the "Last updated" date at the top will always reflect the latest revision. Continued use of the Platform after an update constitutes acceptance of the revised policy.

Questions, requests or concerns about this Privacy Policy or our data practices? Reach out via the contact information in our Terms of Service, or through the support channel inside the Platform. We aim to respond to all privacy requests within 30 days.