1. Introduction

Ainvented ("we," "our," or "us") provides AI-powered services including conversational agents, workflow automation, creative design tools, analytics, and API integrations (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access our website at ainvented.com and use our Services.

By creating an account or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please do not use our Services.

This policy applies when Ainvented acts as the controller of your personal data — i.e., when we determine the purposes and means of processing your information. It does not apply to data we process on behalf of our enterprise customers under separate data processing agreements.

2. Information We Collect

2.1 Information You Provide Directly
  • Account Information: Name, email address, and password when you register. If you sign in with Google SSO, we receive your Google profile name, email, and profile picture. We do not receive or store your Google password.
  • Payment Information: When you purchase credits or subscriptions, payment details are processed securely through Stripe. We do not store credit card numbers, CVVs, or full payment credentials on our servers. We retain only transaction references for billing records.
  • Content You Create: Messages sent to AI agents, workflows you build, images you upload or generate in the Creative Studio, files you share (PDFs, documents), and any other content you input into our Services.
  • Third-Party Connector Credentials: When you connect external services (LinkedIn, Instagram, X, Facebook, Threads, Gmail, SMTP/IMAP servers), we store OAuth access tokens or server credentials to perform actions on your behalf. These tokens are encrypted at rest and never exposed in API responses. We never store your third-party passwords for OAuth-based services.
  • Communications: Emails or messages you send to our support team, feedback you provide, and any information you share when contacting us.
2.2 Information Collected Automatically
  • Usage Data: API call counts, token consumption, feature usage, and workflow execution logs for billing, analytics, and service improvement.
  • Device & Browser Information: Browser type, operating system, screen resolution, and IP address for session management and security.
  • Cookies & Session Tokens: We use essential HTTP-only session cookies for authentication (JWT tokens). We use Google reCAPTCHA for spam protection during registration and login. We do not use advertising or tracking cookies.
  • Error Logs: Application errors, performance metrics, and diagnostic information to maintain and improve service reliability.
2.3 Information from Third Parties
  • Google Sign-In: If you authenticate via Google SSO, Google provides us your name, email address, and profile picture. We do not access your Google Drive, Calendar, Contacts, or any other Google service beyond what you explicitly authorize.
  • Connected Platforms: When you connect social media or email accounts, we receive the authorization tokens and basic profile information (username, account ID) needed to perform the actions you configure (publishing posts, sending/receiving emails).

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain our Services: Process your requests, execute workflows, generate AI responses, publish content to connected platforms, and deliver email functionality.
  • Account management: Create and manage your account, authenticate your identity, and maintain your session across devices.
  • Billing and transactions: Process payments, track usage, apply credits, manage subscriptions, and send billing notifications.
  • Security and fraud prevention: Detect, investigate, and prevent unauthorized access, abuse, and violations of our terms of service.
  • Service improvement: Analyze aggregated usage patterns to improve features, fix bugs, and develop new capabilities.
  • Communications: Send service-related messages (account verification, password resets, security alerts, billing receipts) and respond to your support requests.
  • Legal compliance: Fulfill legal obligations, respond to lawful requests from authorities, and enforce our terms.

4. AI Processing & Model Training

  • AI Conversations: Messages you send to AI agents are processed by our AI infrastructure to generate responses. Conversation history is maintained per session to provide context-aware interactions.
  • Generated Content: Images, text, and other outputs generated by our AI tools are stored in your account. You may delete generated content at any time.
  • We do not use your personal conversations, uploaded files, or generated content to train or fine-tune AI models. Your data remains yours.
  • Workflow Execution: When workflows are executed (including via API or cron triggers), input data, intermediate results, and outputs are processed transiently and stored only as configured by you (e.g., webhook logs, execution history).

5. How We Share Your Information

5.1 Third-Party Service Providers

We share data with trusted service providers who process data on our behalf:

  • Cloud Infrastructure: DigitalOcean (hosting, database, storage)
  • Payment Processing: Stripe (payment transactions, subscription management)
  • Email Delivery: Nodemailer/SMTP (transactional emails, verification)
  • AI Processing: Third-party AI model providers for generating responses and images
5.2 User-Directed Sharing

When you connect third-party platforms, your content is shared with those platforms as you direct:

  • Publishing posts to LinkedIn, Instagram, X, Facebook, or Threads
  • Sending or receiving emails via Gmail, SMTP, or IMAP
  • Executing webhooks or external API calls configured in your workflows
5.3 Legal Requirements

We may disclose your information when required by law, regulation, legal process, or governmental request, including to:

  • Comply with a subpoena, court order, or similar legal obligation
  • Protect the rights, property, or safety of Ainvented, our users, or the public
  • Investigate potential violations of our terms of service
5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change.

5.5 No Sale of Personal Data

Ainvented does not sell your personal data to third parties for advertising, marketing, or any other commercial purpose.

6. Data Retention

  • Account Data: Retained for as long as your account is active. Upon account deletion, your personal data is removed within 30 days, except where retention is required by law (e.g., billing records).
  • Conversation History: AI chat sessions are retained while your account is active. You may delete individual sessions at any time.
  • Generated Content: Creative Studio projects, images, and variations are retained until you delete them or close your account.
  • Usage & Billing Records: Transaction records and usage metrics are retained for up to 7 years for tax and regulatory compliance.
  • Connector Tokens: OAuth tokens are retained while the connector is active. When you disconnect a service or delete a connector, tokens are immediately removed.

7. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption in Transit: All data is transmitted over HTTPS (TLS 1.2+).
  • Password Security: User passwords are hashed using bcrypt with salt rounds. We never store plaintext passwords.
  • Token & Credential Protection: OAuth tokens, API keys, and connector credentials are stored encrypted and are masked in all API responses (displayed as ****xxxx).
  • Session Security: Authentication uses HTTP-only, secure JWT cookies with CSRF protection.
  • Access Controls: Database access is restricted to authorized services. Cross-user data access is prevented by project-level authorization checks.
  • Infrastructure Security: Our infrastructure is hosted on DigitalOcean with managed database encryption, automated backups, and network isolation.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal data:

8.1 Universal Rights
  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update or correct inaccurate information via your account settings or by contacting us.
  • Deletion: Request deletion of your account and associated data. Some data may be retained as required by law.
  • Revoke Third-Party Access: Disconnect connected services (social media, email) at any time from your connector settings. Tokens are immediately deleted.
  • Data Portability: Request your data in a machine-readable format.
  • Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Opt Out of Communications: Unsubscribe from marketing emails using the link provided in each email. Service-related communications (security alerts, billing) cannot be opted out of while your account is active.
8.2 Exercising Your Rights

To exercise any of these rights, contact us at privacy@ainvented.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

9. International Data Transfers

Ainvented is operated from servers located in multiple regions. Your data may be transferred to and processed in countries other than your country of residence, including the United States.

When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

  • Adequacy Decisions: Where available, we rely on determinations by relevant authorities that the destination country provides adequate data protection.
  • Standard Contractual Clauses (SCCs): For transfers to countries without adequacy decisions, we use EU-approved standard contractual clauses.
  • Consent: Where required, we obtain your explicit consent for cross-border data transfers.

10. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at privacy@ainvented.com and we will take steps to delete such information.

11. Regional Privacy Disclosures

11.1 Canada (PIPEDA)

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation apply to our collection, use, and disclosure of your personal information.

  • Consent: We collect, use, and disclose your personal information with your knowledge and consent. Consent may be express (e.g., agreeing to this policy, connecting a third-party account) or implied (e.g., providing information voluntarily in the course of using our Services). You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice.
  • Purpose Limitation: We collect personal information only for the purposes identified in this policy and will not use or disclose it for other purposes without your further consent.
  • Access & Correction: You have the right to access the personal information we hold about you and to request corrections if it is inaccurate or incomplete. Contact us at privacy@ainvented.com.
  • Cross-Border Transfers: Your personal information may be transferred to and stored in the United States or other jurisdictions where our service providers operate. These jurisdictions may have different data protection laws than Canada. By using our Services, you consent to such transfers.
  • Complaints: If you have a concern about our privacy practices, you may contact us at privacy@ainvented.com. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.
  • Accountability: Ainvented is responsible for personal information in its possession or custody, including information transferred to third parties for processing. We use contractual and other means to ensure third parties provide comparable protection.
11.2 European Economic Area, United Kingdom & Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, the following applies:

  • Legal Bases: We process your data based on: (a) performance of our contract with you (providing the Services), (b) our legitimate interests (security, fraud prevention, service improvement), (c) your consent (connecting third-party accounts, marketing), or (d) legal obligations.
  • Additional Rights: You have the right to object to processing based on legitimate interests, restrict processing in certain circumstances, and lodge a complaint with your local supervisory authority.
  • Transfer Mechanisms: We use Standard Contractual Clauses (SCCs) for international data transfers where required.
11.3 California (CCPA/CPRA)

If you are a California resident:

  • You have the right to know what personal information we collect, use, and disclose.
  • You have the right to request deletion of your personal information.
  • You have the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal data for cross-context behavioral advertising.
  • We will not discriminate against you for exercising your privacy rights.
11.4 Brazil (LGPD)

If you are located in Brazil, under the Lei Geral de Proteção de Dados (LGPD), you have the right to: confirm processing, access, correct, anonymize or erase data, request portability, refuse consent, and request review of automated decisions. Complaints may be filed with the ANPD (Autoridade Nacional de Proteção de Dados).

12. Cookies & Tracking Technologies

  • Essential Cookies: Session authentication (JWT tokens), CSRF protection. These are required for the Services to function and cannot be disabled.
  • Google reCAPTCHA: Used during registration and login to prevent automated abuse. Subject to Google's Privacy Policy.
  • No Advertising Cookies: We do not use cookies for advertising, retargeting, or cross-site tracking.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by posting the updated policy on our website with a new effective date and, where appropriate, by sending you an email notification.

Your continued use of our Services after the updated policy is posted constitutes your acceptance of the changes.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Ainvented™ — AI agents, workflows, analytics, and creative tools.