Privacy Policy

1.1 Who We Are

Pylot ("Company," "we," "us," or "our") is an AI-powered social media management platform that helps businesses create, schedule, and publish content across multiple social media platforms. This Privacy Policy applies to all users of the Pylot website, applications, and services (collectively, the "Service").

1.2 Scope of This Policy

This Privacy Policy describes:

• What personal information we collect and why
• How we use your information
• When and with whom we share your information
• How we protect your information
• Your rights and choices regarding your information

1.3 Agreement

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Service. This Privacy Policy is incorporated into and subject to our Terms of Service.

1.4 Applicability

This policy applies to users worldwide. If you are located in the European Economic Area (EEA), United Kingdom, or California, you have additional rights described in the "Your Privacy Rights" section below.

2.1 Information You Provide

When you create an account or use our Service, you may provide:

• Account Information: Name, email address, password
• Profile Information: Profile picture, preferences, settings
• Business Information: Business name, industry/niche, website URL, locations, contact details
• Payment Information: Credit card details, billing address (processed by Stripe)
• Content: Posts, captions, images, videos, and other media you create or upload
• Communications: Messages you send to us for support or feedback

2.2 Information from Connected Platforms

When you connect social media accounts, we receive:

• Profile Data: Name, username, profile picture, account ID from connected platforms
• Page/Account Access: List of pages or accounts you manage
• Publishing Permissions: Authorization to post on your behalf
• Analytics Data: Engagement metrics (likes, comments, shares, reach, impressions) for posts published through Pylot
• Historical Posts: If you opt to import existing posts for brand voice analysis

2.3 Information from Your Website

If you provide your business website for brand analysis, we may:

• Crawl publicly accessible pages using Firecrawl to extract brand information
• Analyze content to identify your brand voice, tone, services, and messaging
• Extract publicly visible business information (hours, locations, contact info)

2.4 Automatically Collected Information

When you use our Service, we automatically collect:

• Usage Data: Features used, actions taken, time spent, pages visited
• Device Information: Browser type, operating system, device type
• Log Data: IP address, access times, referring URLs
• Performance Data: Error logs, crash reports for service improvement

2.5 Information We Generate

Through your use of the Service, we generate:

• Brand Voice Profiles: AI-analyzed communication style, tone attributes, content pillars
• AI-Generated Content: Suggested posts, captions, and images created for you
• Analytics Insights: Aggregated performance metrics and trend analysis

3.1 Providing the Service

• Create and maintain your account
• Authenticate you and provide access to the platform
• Publish content to your connected social media accounts
• Schedule posts according to your preferences
• Display analytics and engagement metrics
• Store and manage your media assets

3.2 AI Content Generation

• Analyze your brand information to generate personalized content suggestions
• Create platform-specific post variations optimized for each social network
• Generate AI images based on your prompts and brand context
• Develop and maintain your brand voice profile for consistent messaging

3.3 Billing and Payments

• Process subscription payments through Stripe
• Manage billing cycles, upgrades, and cancellations
• Send invoices and payment confirmations
• Handle refund requests

3.4 Communication

• Send service-related notifications (account updates, publishing confirmations)
• Respond to your support inquiries
• Notify you of important changes to the Service or policies
• Send optional product updates and tips (you can opt out)

3.5 Improvement and Analytics

• Analyze usage patterns to improve features and user experience
• Identify and fix bugs and technical issues
• Develop new features based on user needs
• Generate aggregated, anonymized statistics

3.6 Security and Compliance

• Detect and prevent fraud, abuse, and unauthorized access
• Enforce our Terms of Service and policies
• Comply with legal obligations and respond to lawful requests
• Protect the rights and safety of our users and third parties

If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases to process your personal data under the General Data Protection Regulation (GDPR):

4.1 Contract Performance

Processing necessary to fulfill our contract with you, including:

• Creating and managing your account
• Providing the core features of the Service
• Processing payments for subscriptions
• Publishing content to your connected social accounts

4.2 Legitimate Interests

Processing based on our legitimate business interests (balanced against your rights), including:

• Improving and developing the Service
• Analyzing usage patterns and trends
• Detecting and preventing fraud and abuse
• Marketing our Service to existing customers
• Ensuring network and information security

4.3 Consent

Processing based on your explicit consent, including:

• Connecting social media accounts via OAuth
• Importing historical posts for brand voice analysis
• Crawling your website for brand information
• Receiving optional marketing communications

You may withdraw consent at any time by disconnecting accounts, adjusting settings, or contacting us.

4.4 Legal Obligations

Processing necessary to comply with legal requirements, including:

• Maintaining records for tax and accounting purposes
• Responding to lawful requests from authorities
• Complying with data protection laws

5.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.2 Service Providers

We share data with trusted third-party service providers who assist in operating our Service:

• OpenAI: Content generation and brand voice analysis. Your content and prompts are sent to generate AI suggestions. Per our agreement, API data is not used to train OpenAI's models.
• Replicate: AI image generation. Prompts and context are sent to generate images.
• Firecrawl: Website crawling for brand analysis. Your website URL and publicly accessible content.
• Stripe: Payment processing. Payment details and billing information.
• Amplitude: Product analytics. Anonymized usage data and events.
• Vercel: Hosting and media storage. Application data and uploaded media assets.
• Neon: Database hosting. All stored account and content data.

5.3 Social Media Platforms

When you connect accounts and publish content, we share:

• Post content (text, images, videos) to be published
• Scheduling information for timed posts
• Authentication tokens to verify your authorization

5.4 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal processes (subpoenas, court orders)
• Government or regulatory requests
• Protection of our legal rights or defense against claims
• Prevention of fraud, security threats, or illegal activity

5.5 Business Transfers

If Pylot is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

5.6 With Your Consent

We may share information for other purposes with your explicit consent.

6.1 Meta (Facebook & Instagram)

When you connect Facebook or Instagram, we request these permissions:

• public_profile - Your public profile information
• pages_show_list - List of Pages you manage
• pages_read_engagement - Read engagement metrics
• pages_read_user_content - Read posts on your Pages
• read_insights - Analytics and insights data
• pages_manage_posts - Create and manage posts
• instagram_basic - Basic Instagram account info
• instagram_content_publish - Publish to Instagram
• instagram_manage_insights - Instagram analytics
• business_management - Business account access
• publish_video - Video/Reels publishing

6.2 LinkedIn

LinkedIn integration allows us to:

• Access your LinkedIn profile information
• Post content to your personal profile or company pages
• Read engagement metrics on posts

6.3 X (Twitter)

X integration allows us to:

• Access your X profile information
• Post tweets on your behalf
• Read engagement data on your posts

6.4 Bluesky

Bluesky integration allows us to:

• Access your Bluesky profile
• Post content to your account
• Read your posts and engagement

6.5 TikTok

TikTok integration allows us to:

• Upload videos to your TikTok account
• Add captions and metadata to videos
• Access basic account information

6.6 Revoking Platform Access

You can revoke Pylot's access to any connected platform at any time:

• Within Pylot: Disconnect accounts from your Settings page
• On the Platform: Remove Pylot from your connected apps in each platform's settings

Revoking access will stop new content publishing but won't delete content already posted to those platforms.

7.1 How We Use AI

Pylot uses artificial intelligence to:

• Generate Content: Create social media posts, captions, and suggestions tailored to your brand
• Analyze Brand Voice: Process your existing content or website to identify tone, style, and communication patterns
• Generate Images: Create AI images based on your prompts and brand context
• Provide Insights: Analyze engagement data to generate actionable recommendations

7.2 Data Sent to AI Providers

When using AI features, we may send:

• Your business profile information (name, industry, tone preferences)
• Your brand voice profile and content guidelines
• Prompts and instructions you provide
• Existing content for analysis (with your consent)

7.3 AI Training

OpenAI: We use OpenAI's API services. Per our agreement with OpenAI, content submitted through their API is not used to train their general models.

Pylot's Systems: Your data may be used to improve your personalized experience within Pylot, such as refining your brand voice profile and content recommendations for your account.

7.4 No Automated Decisions with Legal Effects

We do not use automated processing, including AI, to make decisions that produce legal effects or similarly significantly affect you without human involvement. All AI-generated content is a suggestion that requires your review and approval before publishing.

7.5 Your Rights Regarding AI

Under GDPR, you have the right to:

• Not be subject to decisions based solely on automated processing
• Obtain human intervention for significant decisions
• Express your point of view and contest automated decisions

Contact us at support@getpylot.com to exercise these rights.

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and enable certain functionality.

8.2 Essential Cookies

We use strictly necessary cookies that are essential for the Service to function:

• Authentication Cookie: Stores a secure session token (JWT) in an HTTP-only cookie to keep you logged in
• Security: Our authentication cookies use industry-standard encryption, are HTTP-only (not accessible via JavaScript), and transmitted only over HTTPS

These essential cookies do not require consent under GDPR as they are strictly necessary to provide the Service you requested.

8.3 Analytics

We use Amplitude for product analytics to understand how users interact with our Service:

• Pages visited and features used
• Actions taken within the application
• Session duration and navigation patterns
• Error occurrences for debugging

Analytics data is used to improve the product experience and is not shared with third parties for advertising.

8.4 No Advertising Cookies

We do not use advertising cookies, retargeting pixels, or share your data with ad networks.

8.5 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using the Service. For instructions on managing cookies, consult your browser's help documentation.

9.1 Retention Periods

We retain different types of data for different periods:

• Account Data: Retained while your account is active and for 30 days after deletion request
• Content & Posts: Retained while your account is active; deleted upon account deletion
• Analytics Data: Aggregated data retained for up to 24 months; individual session data for 12 months
• Payment Records: Retained for 7 years for tax and legal compliance
• Support Communications: Retained for 3 years after resolution
• OAuth Tokens: Retained while connected; deleted when you disconnect an account

9.2 Criteria for Retention

We determine retention periods based on:

• Whether the data is needed to provide the Service
• Legal, regulatory, and compliance requirements
• Legitimate business purposes (analytics, security)
• Your requests for data deletion

9.3 After Deletion

When you delete your account or request data deletion:

• Personal data is marked for deletion and removed within 30 days
• Backup copies may take up to 90 days to be fully purged
• Anonymized or aggregated data may be retained indefinitely
• Content published to third-party platforms remains on those platforms

10.1 Security Measures

We implement multiple layers of security to protect your data:

• Encryption in Transit: All data transmitted between you and our servers uses TLS/HTTPS encryption
• Encryption at Rest: Sensitive data including social media credentials is encrypted in our database
• Password Security: Passwords are hashed using bcrypt with appropriate salt rounds
• Access Controls: Strict access controls limit who can access personal data
• Secure Sessions: HTTP-only, secure cookies with JWT tokens and automatic expiration
• Infrastructure Security: Hosted on secure, SOC 2 compliant platforms (Vercel, Neon)

10.2 OAuth Token Security

Social media credentials are handled securely:

• Access tokens are encrypted before storage
• Tokens are automatically refreshed when expired
• We never store your social media passwords—only OAuth tokens
• Tokens can be revoked at any time by disconnecting accounts

10.3 Employee Access

Access to personal data is limited to employees who need it for legitimate business purposes. We maintain access logs and regularly review permissions.

10.4 Security Incidents

In the event of a data breach affecting your personal data, we will:

• Notify you as required by applicable law (within 72 hours for GDPR)
• Notify relevant supervisory authorities as required
• Take immediate steps to contain and remediate the breach
• Provide information about steps you can take to protect yourself

10.5 Your Role in Security

You can help keep your account secure by:

• Using a strong, unique password
• Not sharing your login credentials
• Logging out of shared devices
• Reporting suspicious activity to us immediately

11.1 Rights for All Users

Regardless of where you're located, you can:

• Access: Request a copy of the personal data we hold about you
• Correct: Update or correct inaccurate personal data
• Delete: Request deletion of your personal data and account
• Disconnect: Revoke access to connected social media accounts
• Export: Request your data in a portable format

11.2 Additional Rights for EEA/UK Residents (GDPR)

If you're in the European Economic Area or United Kingdom, you also have the right to:

• Restrict Processing: Limit how we use your data in certain circumstances
• Object: Object to processing based on legitimate interests or direct marketing
• Data Portability: Receive your data in a structured, machine-readable format
• Withdraw Consent: Withdraw consent at any time for consent-based processing
• Lodge a Complaint: File a complaint with your local data protection authority

11.3 Additional Rights for California Residents (CCPA/CPRA)

If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: What personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate information
• Right to Opt-Out: Opt out of the sale or sharing of your personal information (Note: We do not sell personal information)
• Right to Non-Discrimination: You won't be discriminated against for exercising these rights
• Right to Limit Use of Sensitive Information: Limit use of sensitive personal information

California Shine the Light: California residents may request information about disclosure of personal information to third parties for direct marketing. Contact us for this information.

11.4 Exercising Your Rights

To exercise any of these rights:

• Email: support@getpylot.com
• Data Deletion: Visit /data-deletion
• In-App: Use account settings to update information or disconnect accounts

We will respond to requests within 30 days (GDPR) or 45 days (CCPA), with possible extensions as permitted by law. We may need to verify your identity before processing requests.

12.1 Where Your Data Is Processed

Pylot is based in the United States, and your data may be processed in:

• United States: Primary data processing and storage
• Various Locations: Through our third-party service providers (see Section 5)

12.2 Safeguards for International Transfers

When transferring data outside the EEA/UK, we use appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules where applicable
• Contracts with service providers requiring equivalent data protection

12.3 Your Consent

By using the Service, you acknowledge and consent to the transfer of your data to the United States and other countries which may have different data protection laws than your country of residence.

13.1 Age Requirement

Pylot is intended for users who are at least 18 years of age. We do not knowingly collect personal information from children under 18. If you are under 18, please do not use the Service or provide any personal information.

13.2 If We Discover Children's Data

If we learn that we have collected personal information from a child under 18, we will:

• Delete the information as quickly as possible
• Terminate the associated account
• Take steps to prevent future collection from children

13.3 Reporting Children's Data

If you believe we have collected information from a child under 18, please contact us immediately at support@getpylot.com.

14.1 How We Make Changes

We may update this Privacy Policy periodically to reflect:

• Changes to our data practices
• New features or services
• Legal or regulatory requirements
• Industry best practices

14.2 Notification of Changes

When we make changes:

• We will update the "Effective Date" at the top of this page
• For material changes, we will notify you via email or prominent notice within the Service
• We may ask for your consent to material changes where required by law

14.3 Your Continued Use

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, please stop using the Service and delete your account.

14.4 Previous Versions

You may request previous versions of this Privacy Policy by contacting us.

15.1 General Inquiries

For questions or concerns about this Privacy Policy or our data practices:

• Email: support@getpylot.com
• Website: https://getpylot.com

15.2 Data Protection Requests

For data access, correction, deletion, or other privacy rights requests:

• Email: support@getpylot.com with subject "Privacy Request"
• Data Deletion: Data Deletion Instructions

15.3 Response Time

We aim to respond to all privacy inquiries within:

• General inquiries: 5 business days
• GDPR requests: 30 days (extendable by 60 days for complex requests)
• CCPA requests: 45 days (extendable by 45 days)

15.4 Complaints

If you're not satisfied with our response, you have the right to lodge a complaint with:

• EEA/UK: Your local data protection supervisory authority
• California: California Privacy Protection Agency