Privacy Policy — Farzad AI

Farzad AI ("we," "us," or "our") operates the farzad.ai platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Full name
Email address
Password (stored only as a cryptographic hash; we never store or have access to your plaintext password)
Brand or channel name
Selected subscription plan

1.2 Content You Provide

Through your use of the Service, you may provide:

Scripts, articles, and other written content
Knowledge base documents and notes
Brand voice samples and style preferences
YouTube video links and channel information
X (Twitter) account connections and content
Topic ideas, concepts, and research prompts

1.3 Automatically Collected Information

When you access our Service, we automatically collect:

Device information: browser type, operating system, and user agent string
IP address: used for security, rate limiting, and session management
Usage data: pages visited, features used, content generation history, and timestamps
Session data: authentication tokens and session identifiers

1.4 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store your credit card numbers, bank account details, or other payment credentials on our servers. We receive from Stripe only your subscription status, plan type, billing period, and customer identifier.

2. How We Use Your Information

We use the information we collect to:

Provide the Service: generate scripts, articles, and content using AI models trained on your voice and brand preferences
Authenticate and secure your account: verify your identity, manage sessions, and prevent unauthorized access
Process payments: manage subscriptions, billing, and plan changes through Stripe
Communicate with you: send transactional emails (welcome, password reset, billing alerts, team invitations) and product updates
Improve the Service: analyze usage patterns, diagnose errors, and optimize performance
Enforce our policies: detect abuse, enforce rate limits, and comply with legal obligations

3. AI Processing of Your Data

Our core Service uses artificial intelligence to generate content in your voice. To do this, we send certain data to third-party AI providers for processing:

Anthropic (Claude): script and article generation, voice analysis, content review
OpenAI: public chatbot functionality and fallback content generation
Google (Gemini): knowledge base embeddings and enhanced reasoning
xAI (Grok): fact-checking and content verification

The data sent to these providers may include your written content, knowledge base entries, YouTube transcripts, and brand voice profiles. Each provider processes this data according to their own privacy policies and data processing agreements. We select providers that do not use your data to train their models under our API agreements.

4. Third-Party Services

We use the following third-party services to operate the platform:

Supabase: database hosting and authentication infrastructure
Stripe: payment processing and subscription management
Resend: transactional email delivery
Sentry: error tracking and application monitoring
Upstash: rate limiting and caching infrastructure
Vercel: application hosting and content delivery
YouTube Data API: video metadata and transcript retrieval (when you connect your channel)
X (Twitter) API: trending topics and activity analysis (when you connect your account)
NewsAPI / NewsData.io: news aggregation for the opportunity feed
Originality.ai: AI-generated content detection for quality assurance

Each third-party service has its own privacy policy governing how it handles your data. We encourage you to review their respective policies.

5. Cookies and Session Management

We use the following cookies:

auth_token: a secure, HTTP-only authentication cookie that expires after 7 days. This cookie contains a JSON Web Token (JWT) with your user ID, email, role, and tenant ID. It is essential for the Service to function.
OAuth state cookies: temporary cookies used during X (Twitter) account connection, deleted immediately after the authorization flow completes.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Sentry may use session replay technology to capture anonymized interaction data when errors occur, solely for debugging purposes.

6. Data Retention

Account data: retained for as long as your account is active. Upon account deletion, your personal data is removed within 30 days.
Content you create: scripts, articles, and knowledge base items are retained until you delete them or close your account.
Session records: active sessions expire after 7 days. Revoked or expired sessions are purged after 14 days.
Usage and activity logs: retained for up to 12 months for security auditing, billing verification, and service improvement, then automatically purged.
Email logs: retained for up to 12 months for deliverability monitoring and compliance.
Payment records: retained as required by applicable tax and financial regulations.

7. Data Security

We implement industry-standard security measures to protect your information:

Passwords are hashed using bcrypt with a cost factor of 12 before storage
All data in transit is encrypted using TLS/HTTPS
Authentication tokens are signed with secure secrets and transmitted via HTTP-only cookies
CSRF protection is enforced on all state-changing API endpoints
Rate limiting is applied across authentication, API, and content generation endpoints to prevent abuse
Sensitive fields (passwords, tokens, financial data) are automatically redacted from error logs
Session management includes device tracking, IP monitoring, and the ability to revoke sessions

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: request a copy of the personal data we hold about you
Correction: update or correct inaccurate personal data
Deletion: request deletion of your account and associated personal data
Portability: receive your data in a structured, machine-readable format
Restriction: request that we limit processing of your data under certain circumstances
Objection: object to processing of your data for specific purposes

To exercise any of these rights, contact us through the support chat inside the app. We will respond within 30 days.

9. Multi-Tenant Architecture

Farzad AI operates on a multi-tenant architecture where each account (tenant) has its own isolated workspace. Your content, brand data, knowledge base, and generated materials are logically separated from other tenants. Team members you invite to your workspace can access your tenant's data based on their assigned role (owner, admin, or staff).

10. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us through the support chat inside the app.

11. International Data Transfers

Your data may be processed in countries other than your own, including the United States, where our service providers operate. By using the Service, you consent to the transfer of your information to these countries. We ensure that appropriate safeguards are in place with our service providers to protect your data in accordance with this Privacy Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: