Privacy Policy
Last updated: May 2026
What we collect
- Account data: name, email, organization, hashed password.
- Connected services: credentials you store in the Vault are encrypted at rest with AES-256-GCM. Only your organization can decrypt them.
- Workspace content: the brand kits, landing pages, ad creatives, leads, calls, and messages you create or import.
- Usage telemetry: request paths, latencies, and credit usage to operate the platform and bill correctly.
- Cookies: a session cookie (`aigency_session`), a CSRF cookie, and (when enabled) PostHog analytics. No third-party advertising cookies.
What we don't do
- We don't sell your data.
- We don't train AI models on your private workspace content.
- We don't share your data with advertising networks.
Sub-processors
We use the following sub-processors to deliver the service. Each one only receives the data needed for their function:
- Stripe (billing)
- OpenAI / Anthropic / Google / Groq (LLM inference — only the prompts you trigger)
- Resend / Twilio / Vapi (email / SMS / voice — only when you use those workers)
- Cloudflare / Vercel / your chosen hosting provider
PII handling
Free-form text sent to LLMs is automatically scanned and common identifiers (emails, phone numbers, SSNs, credit cards, addresses, IPs) are replaced with stable placeholders before transmission, when the strict-mode flag is enabled.
Your rights (GDPR / CCPA)
You may export or delete your organization's data at any time. Use the Delete my organization control on the Settings → Team page, or contact privacy@aigency.app. Deletion is permanent and irreversible; we will purge live data within 30 days and backups within 90 days.
Security
All passwords are hashed with bcrypt (cost 12). All vault secrets are encrypted at rest with AES-256-GCM. All inter-service traffic is TLS 1.2+. Audit logs are append-only with a SHA-256 hash chain so tampering is detectable.
Contact
Questions? privacy@aigency.app