This Privacy Policy explains how AdPilot AI ("AdPilot", "we", "us", or "our") collects, uses, shares, retains, and protects personal data when you visit our website, create an account, or use our advertising-generation platform (collectively, the "Service"). AdPilot is operated from India. This Policy is published in compliance with the Information Technology Act, 2000 and the rules made thereunder, and the Digital Personal Data Protection Act, 2023 ("DPDP Act"). It is also drafted to be compatible with the EU/UK General Data Protection Regulation ("GDPR") in anticipation of future international customers.
By using the Service you confirm that you have read this Policy and our Terms of Service, Cookie Policy, Acceptable Use Policy, and AI Usage Policy.
1. Who we are (Data Fiduciary / Controller)
For the purposes of the DPDP Act, AdPilot is the "Data Fiduciary" in respect of personal data you submit through the Service. For GDPR purposes, AdPilot acts as the "controller" in respect of account, billing, and operational data, and as a "processor" in respect of end-user content you upload or generate using the Service on behalf of your business.
2. Information we collect
2.1 Account information
- Name, email address, password hash or third-party identity (Google OAuth) identifier.
- Profile picture, organization name, brand kit fields, locale and timezone.
- Authentication metadata: sign-in timestamps, IP address, user agent, session tokens.
2.2 Uploaded content
- Product images, reference assets, brand assets, prompts, and instructions you submit.
- Metadata associated with such uploads (filename, MIME type, size, upload timestamp).
2.3 Generated content
- AI-generated copy, images, headlines, captions, hashtags and campaign artifacts.
- Generation logs (model used, prompt, latency, credits consumed, success/failure status).
2.4 Payment information
- Subscription plan, billing status, credit balance, invoice records, and tax identifiers.
- Transaction references issued by our payment processor.
- We do not store full card numbers, CVV, UPI PIN, or net-banking credentials. Such data is collected and processed directly by Razorpay (and, in future, Stripe) under their own privacy notices and PCI-DSS controls.
2.5 Cookies, analytics and log files
We use strictly necessary cookies for authentication and security, and may use first-party analytics to measure aggregate usage. Server logs capture IP address, request path, status code, user agent, and timestamps for security, debugging, and abuse prevention. See our Cookie Policy.
2.6 Communications
- Support requests, emails you send us, and the responses we provide.
- Transactional emails relating to your account, billing, and security.
3. How we use information
- To create and operate your account and authenticate you.
- To deliver AI generation, storage, library and campaign features.
- To process subscriptions, allocate credits, and issue invoices.
- To prevent abuse, fraud, chargebacks, and policy violations.
- To monitor performance, debug errors, and improve reliability and quality.
- To send service announcements, security notices, and (with consent) product updates.
- To comply with legal obligations and respond to lawful requests.
4. Lawful bases for processing
- Performance of contract — to provide the Service you have subscribed to.
- Consent — for optional cookies, marketing emails, and processing of any personal data you upload that requires consent under applicable law.
- Legitimate interests / legitimate uses — to secure our systems, prevent fraud, and improve the Service in ways consistent with your reasonable expectations.
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
5. Third-party processors and sub-processors
We engage carefully selected service providers to operate the Service. Each is bound by contractual and (where applicable) data-protection commitments.
- Supabase — managed Postgres database, authentication, and object storage.
- Cloudflare — edge hosting, DNS, DDoS protection, and TLS termination.
- Google — Google OAuth sign-in and Gemini generative models for image and text generation.
- Razorpay — payment processing and subscription billing for Indian customers.
- Stripe (future) — payment processing for international customers.
- Transactional email providers — for sending account, billing and security emails.
Prompts and uploaded content submitted to AI models may be transmitted to the relevant model provider solely to generate the requested output. We do not authorize model providers to use your content to train their foundation models where their terms allow us to opt out, and we configure our integrations accordingly.
6. Cross-border data transfers
Our service providers may process personal data outside India, including in the United States and the European Economic Area. Such transfers are made only to jurisdictions and recipients that we consider to provide an adequate level of protection, or under appropriate safeguards (such as standard contractual clauses) where required. By using the Service you acknowledge such cross-border processing as permitted under Section 16 of the DPDP Act.
7. Data retention
We retain personal data only for as long as necessary for the purposes described in this Policy, to comply with legal obligations (including Indian tax and accounting laws, which generally require retention of financial records for up to eight years), to resolve disputes and to enforce our agreements. See our Data Retention Policy for category-level retention periods.
8. Your rights
Subject to applicable law, you may have the right to:
- Access the personal data we hold about you and obtain a copy.
- Correct inaccurate or incomplete personal data.
- Request erasure of your personal data, subject to legal retention requirements.
- Withdraw consent where processing is based on consent.
- Object to or restrict certain processing.
- Request portability of certain data in a structured, commonly used format.
- Nominate another person to exercise your DPDP rights in case of death or incapacity.
- File a complaint with the Data Protection Board of India or, where applicable, your local supervisory authority.
You can exercise most of these rights directly from Settings → Account in the Service (export and deletion). For other requests, email privacy@adpilot.ai.
9. Children
The Service is intended for businesses and is not directed to children under 18. We do not knowingly process personal data of children. If we become aware that we have collected personal data of a child without verifiable parental consent, we will delete it promptly.
10. Security
We implement reasonable technical and organizational measures designed to protect personal data, including encryption in transit, encryption at rest by our cloud providers, role-based access control, row-level security on the database, audit logging, and rate-limiting. No system can be guaranteed to be 100% secure. See our Security Policy for details, including how to report vulnerabilities.
11. Automated decision-making and AI
We use AI models to generate marketing content from prompts and assets you provide. These models do not make decisions that produce legal effects concerning you. AI outputs may be inaccurate or unsuitable; see our AI Usage Policy and Responsible AI Policy.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email or through the Service. Continued use of the Service after the effective date of the updated Policy constitutes acceptance.
13. Contact us
Privacy queries: privacy@adpilot.ai.
Grievance Officer (India): see our Grievance Officer page.
Postal: AdPilot AI, [Registered office address], India.