Privacy Policy

Last updated: January 2026

This Privacy Policy describes how Aibrify, Inc. ("Aibrify," "we," "us," or "our") collects, uses, and shares information when you use our Autopilot Marketing Platform ("AMP") and related services.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, phone number, company name, and password
  • Profile Information: Business industry, timezone, brand details, and logo
  • Payment Information: Billing address, payment method (processed securely by Stripe)
  • Content: Posts, images, videos, and other content you create or upload
  • Communications: Messages you send through our support channels

1.2 Information from Connected Accounts

When you connect social media or advertising accounts, we collect:

  • Account Credentials: OAuth tokens (encrypted) to access your accounts on your behalf
  • Profile Data: Username, profile picture, page/account names
  • Content Data: Posts, comments, reviews, and messages from connected platforms
  • Analytics Data: Engagement metrics, follower counts, and performance data
  • Ad Account Data: Campaign performance, spend data, and audience information

1.3 Automatically Collected Information

  • Usage Data: Features used, actions taken, and time spent on the platform
  • Device Information: Browser type, operating system, device type, IP address
  • Log Data: Access times, pages viewed, and referring URLs
  • Cookies: Session and persistent cookies for authentication and preferences

2. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve our services
  • Publish content to your connected social media accounts
  • Manage and optimize your advertising campaigns
  • Generate AI-powered content and recommendations
  • Aggregate and display analytics and insights
  • Process payments and manage subscriptions
  • Send service-related notifications and updates
  • Respond to support requests and communications
  • Detect and prevent fraud, abuse, and security issues
  • Comply with legal obligations

3. AI and Machine Learning Data Processing

This section describes how we use data in connection with artificial intelligence (AI) and machine learning (ML) technologies.

3.1 Use of AI Services

Our Service uses AI and ML technologies provided by third-party AI service providers, including but not limited to:

  • OpenAI (GPT models for text generation)
  • Anthropic (Claude models for text generation and analysis)
  • Other AI providers as we may add from time to time

When you use AI-powered features of our Service, including content generation, content optimization, and automated suggestions, your inputs (prompts, instructions, context information, and brand details you provide) may be transmitted to these third-party AI providers for processing.

3.2 Data Transmitted to AI Providers

When you use AI features, the following types of data may be processed by our AI providers:

  • Content Inputs: Text prompts, instructions, and requests you submit for content generation
  • Context Information: Business information, brand voice descriptions, industry details, and other context you provide to improve AI outputs
  • Content for Optimization: Existing content you submit for AI-powered editing, optimization, or analysis
  • Feedback Data: Your ratings, edits, and feedback on AI-generated content used to improve output quality

3.3 AI Provider Data Handling

Our third-party AI providers process data according to their own policies:

  • OpenAI: OpenAI's data usage policies are available at openai.com/policies. As a business customer, we use OpenAI's API services; under OpenAI's current policies, this means your data is not used to train OpenAI's models unless you opt in.
  • Anthropic: Anthropic's data policies are available at anthropic.com/privacy. We use Anthropic's commercial API services under terms that restrict use of your data for model training.

WE ENCOURAGE YOU TO REVIEW THE PRIVACY POLICIES OF THESE AI PROVIDERS. While we have contractual agreements with these providers regarding data handling, we cannot guarantee their compliance.

3.4 AI Model Improvement and Opt-Out

  • Aibrify's Use: Aibrify may use aggregated, anonymized, or de-identified data derived from your use of AI features to improve our Service, including training or fine-tuning AI models. This data is stripped of personally identifiable information before use.
  • Opt-Out Option: You may opt out of having your data used to improve Aibrify's AI features by sending a request to privacy@aibrify.com with the subject line "AI Training Opt-Out."
  • Third-Party Provider Training: We use commercial API agreements that restrict our AI providers from using your data to train their general-purpose models. However, data retention and processing by AI providers are governed by their respective policies.

3.5 Limitations

You should not include sensitive personal information, protected health information, financial account numbers, government-issued identification numbers, or other highly confidential information in your AI prompts or content inputs. While we implement appropriate security measures, AI features are not designed for processing such sensitive data.

4. Data Storage & Security

4.1 Data Storage

  • Data is stored in secure cloud infrastructure (AWS/GCP) in the United States
  • OAuth tokens are encrypted using AES-256
  • Passwords are hashed using industry-standard algorithms (bcrypt/Argon2)
  • Media files are stored in Cloudflare R2 with CDN distribution

4.2 Security Measures

  • HTTPS encryption for all data in transit
  • Two-factor authentication (2FA) available for all accounts
  • Regular security audits and penetration testing
  • SOC 2 Type II compliance (in progress)
  • Employee access controls and security training

5. Data Breach Notification

5.1 Definition

A "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed in connection with the Service.

5.2 Detection and Response

Aibrify maintains security monitoring systems and procedures designed to detect and investigate potential Personal Data Breaches. Upon detection or notification of a potential breach, we will:

  • Promptly investigate the nature, scope, and cause of the incident
  • Take immediate steps to contain the breach and prevent further unauthorized access
  • Assess the types of data affected and the individuals potentially impacted
  • Evaluate the potential risks and harms to affected individuals

5.3 Notification to Affected Users

If we determine that a Personal Data Breach has occurred that is reasonably likely to result in a risk to the rights and freedoms of affected individuals, we will notify you without undue delay:

  • For EU/EEA Users: Within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33, where feasible
  • For US Users: In accordance with applicable state breach notification laws, which generally require notification within thirty (30) to sixty (60) days
  • For Other Jurisdictions: In accordance with applicable local data protection laws

5.4 Content of Notification

Breach notifications will include, to the extent known:

  • A description of the nature of the Personal Data Breach
  • The name and contact details of our privacy team
  • A description of the likely consequences of the breach
  • A description of the measures taken to address the breach
  • Recommendations for actions you can take to protect yourself

6. Information Sharing

We do not sell your personal information. We share information only in these circumstances:

  • With Your Consent: When you explicitly authorize sharing
  • Service Providers: Third parties who help us operate our services (hosting, payment processing, email delivery)
  • Social Media Platforms: To publish content and retrieve data as you've authorized
  • Legal Requirements: When required by law, legal process, or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • Agency Clients: If you're managed by an agency using our platform, your data is accessible to that agency

7. Sub-Processors and Service Providers

This section provides detailed information about the third-party sub-processors and service providers who may process your personal data.

7.1 Infrastructure and Hosting

  • Amazon Web Services (AWS): Cloud infrastructure, data storage, computing - USA (primary)
  • Google Cloud Platform (GCP): Backup infrastructure, specific services - USA
  • Cloudflare: CDN, DDoS protection, R2 storage - Global
  • Vercel: Frontend hosting and deployment - USA, Global edge

7.2 Payment and Billing

  • Stripe, Inc.: Payment processing, subscription management - USA. Processes payment method details, billing address, transaction history.

7.3 AI and Content Services

  • OpenAI, LLC: AI content generation, text optimization - USA. Processes content prompts, context information, generated outputs.
  • Anthropic, PBC: AI content generation, analysis - USA. Processes content prompts, context information, generated outputs.

7.4 Communications

  • Resend: Transactional and marketing email delivery - USA. Processes email address, name, email content.
  • Chatwoot: Customer support chat - Self-hosted. Processes support conversations, name, email.

7.5 Analytics and Monitoring

  • Sentry: Error tracking and performance monitoring - USA. Processes error logs, device information, usage context.
  • Internal Analytics: Usage analytics - USA. Processes anonymized usage data, feature interactions.

7.6 Sub-Processor Agreements

We have entered into data processing agreements with each sub-processor that include:

  • Obligations to process personal data only on our documented instructions
  • Confidentiality obligations for personnel processing data
  • Appropriate technical and organizational security measures
  • Restrictions on engaging additional sub-processors without authorization
  • Obligations to assist us in responding to data subject requests
  • Obligations to delete or return data upon termination of services

8. Data Retention

  • Active Accounts: Data is retained while your account is active
  • Cancelled Accounts: Data is retained for 30 days after cancellation, then permanently deleted
  • Expired Trials: Trial data is retained for 30 days after expiration
  • Content: Published content may remain on third-party platforms even after account deletion
  • Backups: Backup data may be retained for up to 90 days
  • Legal Requirements: Some data may be retained longer if required by law

9. Your Rights & Choices

9.1 Access & Portability

You have the right to:

  • Access your personal data through your account dashboard
  • Export your data in machine-readable format (JSON/CSV)
  • Request a copy of all data we hold about you

9.2 Correction & Deletion

You can:

  • Update your account information at any time
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Disconnect any linked social media or advertising accounts

9.3 Marketing Communications

You can:

  • Opt out of marketing emails via unsubscribe links
  • Manage notification preferences in your account settings
  • Disable web push notifications through your browser

10. GDPR Rights (EU/EEA Users)

If you are in the European Union or European Economic Area, you have additional rights under GDPR:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation on how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at privacy@aibrify.com. We will respond within 30 days.

11. Automated Decision Making and Profiling (GDPR Article 22)

This section provides information about our use of automated decision-making and profiling, as required by GDPR.

11.1 How We Use Automated Processing

We use automated processing in the following ways:

  • Content Recommendations: Our AI systems analyze your content history, brand profile, and engagement data to suggest content ideas, optimal posting times, and content improvements. This profiling helps personalize your experience but does not produce legal effects.
  • Fraud Detection: We use automated systems to detect potentially fraudulent activity, abuse, or terms of service violations. Accounts may be temporarily suspended pending human review based on automated risk scoring.
  • Subscription and Billing: Automated systems process subscription renewals, failed payment retries, and usage-based billing calculations.
  • Content Moderation: AI systems may scan content for policy violations before publishing. Flagged content is typically subject to human review.
  • Analytics and Insights: Automated systems analyze your social media performance data to generate reports and recommendations.

11.2 Decisions with Significant Effects

We do NOT make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you, without human oversight, EXCEPT:

  • Where the decision is necessary for entering into or performing a contract with you (e.g., automated subscription processing)
  • Where the decision is authorized by law
  • Where you have given explicit consent

11.3 Your Rights

Under GDPR, you have the right to:

  • Obtain Information: Request meaningful information about the logic involved in automated decisions that significantly affect you
  • Express Your View: Contest automated decisions and express your point of view
  • Obtain Human Review: Request that a human being review any automated decision that significantly affects you
  • Opt Out: Object to automated decision-making and profiling in certain circumstances

To exercise any of these rights or to request human review of an automated decision, contact us at privacy@aibrify.com with the subject line "Automated Decision Review Request."

12. CCPA Rights (California Residents)

If you are a California resident, you have additional rights under CCPA:

  • Right to Know: Request information about data collection, use, and sharing
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To submit a CCPA request, contact us at privacy@aibrify.com or use the data export feature in your account settings.

13. Cookies & Tracking

We use the following types of cookies:

  • Essential Cookies: Required for authentication and security
  • Preference Cookies: Remember your settings (theme, language)
  • Analytics Cookies: Internal usage analytics (no third-party trackers)

You can manage cookie preferences through your browser settings. Blocking essential cookies may prevent you from using the service.

14. Children's Privacy

AMP is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

15. International Data Transfers

Your data may be transferred to and processed in the United States. We use appropriate safeguards for international transfers, including Standard Contractual Clauses for EU data transfers.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top indicates the most recent revision.

17. Contact Us

For questions about this Privacy Policy or to exercise your rights, contact us at:

Email: privacy@aibrify.com

If you are an EU resident, you also have the right to lodge a complaint with your local data protection authority.