Privacy Policy — EmailPilot AI

Effective Date: March 3, 2026  |  Last Updated: March 3, 2026

Welcome to EmailPilot AI ("EmailPilot," "we," "us," or "our"). We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our website at app.emailpilot.ai and related services (collectively, the "Service").

By accessing or using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account or sign in via our authentication provider (Clerk), we collect:

  • Full name (first name, last name)
  • Email address
  • Profile image / avatar URL
  • Organization name and membership
  • Role within your organization (e.g., admin, user)

1.2 Billing Information

If you subscribe to a paid plan, our payment processor (Stripe) collects payment method details, billing address, and transaction history. We do not store full credit card numbers on our servers.

1.3 Integration Data

When you connect third-party services, we access and process data from those platforms on your behalf:

Integration | Data Accessed
Klaviyo | Campaigns, flows, segments, lists, profiles (email, attributes), metrics, templates, images, events, performance reports
Shopify | Products, customer records (name, email, purchase history), orders, and order transaction data
Asana | Tasks, projects, workflow stages, assignees
Figma | Design files, comments, component metadata
Google Drive | Documents shared with the integration (read-only access)
Slack | Channel messages and threads within authorized channels

1.4 Shopify Customer Data

When you connect a Shopify store, we sync the following data to a secure data warehouse (Google BigQuery) to power analytics features such as RFM segmentation:

  • Customer identifiers, email addresses, and names
  • Order history (order IDs, dates, amounts, payment methods)
  • Product catalog data (titles, variants, SKUs, pricing)
  • Derived analytics: recency, frequency, and monetary (RFM) scores and persona classifications

1.5 Content You Provide

We collect content you submit through the Service, including brand guidelines, creative briefs, campaign copy, calendar configurations, approval workflows, and feedback.

1.6 Automatically Collected Information

When you access the Service, we automatically collect:

  • IP address, browser type, device information, and operating system
  • Pages viewed, features used, and interaction timestamps
  • Referring URL and session duration

Note: We do not use third-party analytics services such as Google Analytics, Mixpanel, Amplitude, or Segment. All usage data is collected through first-party application logging only.

2. How We Use Your Information

We use the information we collect to:

  • Operate the Service — authenticate users, manage organizations, and enable core features such as AI calendar generation, campaign creation, and performance analytics
  • Process integration data — read from and write to your connected platforms (Klaviyo, Shopify, etc.) to execute the marketing workflows you initiate
  • Generate AI-powered content — send campaign context, brand data, and performance metrics to AI language models to produce strategic recommendations, email copy, and calendar plans
  • Provide analytics — compute audience segmentation (RFM analysis), campaign performance metrics, and trend reporting from your connected data sources
  • Send branded events — track subscription lifecycle events (e.g., subscription started, payment succeeded, trial ending) in your Klaviyo account to power automated email flows
  • Improve the Service — monitor system health, diagnose errors, and improve reliability
  • Communicate with you — send transactional notifications, respond to support inquiries, and (with your consent) send product updates
  • Ensure security — detect and prevent unauthorized access, fraud, and abuse
  • Comply with legal obligations — meet applicable legal, regulatory, and contractual requirements

3. Third-Party Integrations & Data Sharing

We share data with third-party service providers strictly to operate and deliver the Service. We do not sell, rent, or trade your personal data.

Provider | Purpose | Data Shared
Clerk | User authentication & identity management | Email, name, profile image, organization membership
Stripe | Payment processing | Billing details, transaction amounts, subscription status
Klaviyo | Email marketing execution | Campaign content, audience segments, profile data, events (read & write via OAuth)
Shopify | E-commerce data sync | Customer, product, and order data (read via OAuth)
Google Cloud Platform | Infrastructure (hosting, database, secrets, analytics warehouse) | All Service data is stored and processed on GCP
Slack | Internal operational notifications | System health alerts only (no customer PII)

We may also disclose your information if required by law, subpoena, court order, or government request, or to protect the rights, safety, or property of EmailPilot, our users, or the public.

4. AI and Machine Learning Data Processing

EmailPilot uses third-party AI language model providers to power its core features. When you use AI-powered features (calendar generation, brief creation, campaign copy, MCP chat), the following data may be sent to these providers:

AI Provider | Data Sent | Purpose
Anthropic (Claude) | Campaign context, brand guidelines, performance metrics, creative briefs | Primary AI model for content generation and strategic recommendations
Google (Gemini) | Same as above (fallback) | Secondary AI model, used when the primary is unavailable
OpenAI (GPT-4) | Same as above (fallback) | Tertiary AI model fallback
LangSmith | AI prompts, responses, token counts, cost data | AI usage monitoring, cost tracking, and quality assurance

Important: We do not use your data to train AI models. Data sent to AI providers is processed under their respective API terms of service, which prohibit using API inputs for model training. We send only the minimum context necessary to generate the requested output.

5. Data Storage & Security

5.1 Infrastructure

All data is stored and processed on Google Cloud Platform (GCP) in the United States (us-central1 region). Our primary data stores are:

  • Google Cloud Firestore — user accounts, client records, campaign data, OAuth tokens, and application state
  • Google BigQuery — Shopify e-commerce data and derived analytics (RFM segmentation)
  • GCP Secret Manager — all API keys, OAuth client credentials, and encryption keys

5.2 Security Measures

  • Encryption at rest: All OAuth access and refresh tokens are encrypted with AES-256 before storage in Firestore
  • Encryption in transit: All communication uses TLS/HTTPS
  • Authentication: JWT-based authentication via Clerk with JWKS key validation and automatic rotation
  • Authorization: Role-based access control (super_admin, admin, user, visitor) enforced at every API endpoint
  • OAuth security: PKCE (Proof Key for Code Exchange) for all OAuth flows; state tokens for CSRF protection
  • Secret management: No credentials stored in code or environment files in production; all managed via GCP Secret Manager
  • Service isolation: Service-to-service communication authenticated via HMAC-compared internal service keys
  • Input validation: All external input validated via Pydantic schemas at system boundaries
  • Production safeguards: Test credentials are rejected in production environments at startup

While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute security of your data.

6. Data Retention & Deletion

6.1 Retention Periods

Data Type | Retention Period
Account information | Retained while your account is active; deleted upon account closure
OAuth tokens (Klaviyo, Shopify, etc.) | Active while the integration is connected; marked as revoked on disconnect (retained for audit trail)
Campaign and calendar data | Retained while your account is active
Shopify daily snapshots (BigQuery) | 30 days at daily granularity
Shopify weekly aggregates | 31–90 days
Shopify monthly aggregates | 91+ days
RFM summary analytics | Retained indefinitely for trend analysis (aggregated, non-PII)
Application logs | 30 days (GCP Cloud Logging default)
AI usage logs (LangSmith) | Subject to LangSmith's retention policy

6.2 Brand / Account Deletion

When you request deletion of a brand or account, we perform a comprehensive hard delete that permanently removes:

  • All Firestore documents associated with the brand (campaigns, calendars, goals, approvals, creative intelligence data, RAG documents, cache entries)
  • All OAuth tokens and API keys from Firestore and GCP Secret Manager
  • All Shopify data from BigQuery (products, customers, orders, RFM scores)
  • All references to the brand from user and organization records

Note: Hard deletion is irreversible. Before executing a deletion, the system generates a preview manifest showing exactly what will be removed. Deletion can only be initiated by an organization administrator or super administrator.

7. OAuth Integrations & Token Management

7.1 How OAuth Works

When you connect a third-party service (e.g., Klaviyo, Shopify, Asana, Figma), you are redirected to that provider's authorization page where you grant specific permissions. We never see or store your password for these services. Instead, we receive and securely store OAuth tokens that allow us to act on your behalf within the scopes you authorized.

7.2 Token Security

  • All OAuth tokens are encrypted with AES-256 before storage
  • Tokens are automatically refreshed before expiry
  • A background health-check scheduler proactively verifies token validity every 6 hours

7.3 Disconnecting an Integration

You can disconnect any integration at any time from your Integration Settings page. When you disconnect:

  1. We revoke the token at the provider's servers (e.g., Klaviyo's /oauth/revoke endpoint)
  2. The local token is marked as revoked with a timestamp and reason for audit purposes
  3. Your account is updated to reflect the disconnected state
  4. The integration is removed from the provider's side (e.g., disappears from Klaviyo's integrations page)

7.4 Provider-Side Uninstalls

If you remove EmailPilot from within a provider's platform (e.g., from Klaviyo's integration settings), we detect this automatically when the token is next used or during our periodic health checks, and update your account status accordingly.

8. Cookies & Tracking Technologies

We use minimal cookies and tracking:

  • Authentication cookies: Set by our authentication provider (Clerk) to maintain your login session. These are strictly necessary and cannot be disabled.
  • No third-party tracking: We do not use Google Analytics, Facebook Pixel, Mixpanel, Amplitude, Segment, Hotjar, or any other third-party analytics or advertising tracking tools.
  • No advertising cookies: We do not serve ads or use cookies for advertising purposes.

You may disable cookies in your browser settings, but this may prevent you from using the Service.

9. Legal Bases for Processing

Where required by applicable law (including the GDPR), we process personal data based on one or more of the following legal bases:

  • Contractual necessity: Processing required to provide the Service you have subscribed to
  • Consent: Where you have given explicit consent (e.g., connecting an OAuth integration, opting into marketing communications)
  • Legitimate interests: Improving the Service, ensuring security, preventing fraud, and internal analytics — balanced against your rights and freedoms
  • Legal compliance: Where processing is required by applicable law, regulation, or legal process

10. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we restrict processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time where processing is based on consent, including disconnecting OAuth integrations

To exercise any of these rights, contact us at privacy@emailpilot.ai. We will respond within 30 days.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.

European Economic Area Residents (GDPR)

If you are located in the EEA, you have the rights described above and may lodge a complaint with your local data protection authority. Our legal bases for processing are described in Section 9.

11. International Data Transfers

EmailPilot is operated from the United States. All primary data storage and processing occurs on Google Cloud Platform in the us-central1 region.

If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

Our third-party service providers (Clerk, Stripe, Anthropic, Google, OpenAI, LangSmith, Klaviyo, Shopify) are headquartered in the United States and process data under their respective data processing agreements.

12. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child under 16, we will promptly delete that information. If you believe a child has provided us with personal data, please contact us at privacy@emailpilot.ai.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email or an in-app notification for material changes

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

14. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

EmailPilot AI
Email: privacy@emailpilot.ai
General Support: support@emailpilot.ai