Promexa AI

Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how Promexa AI ("Promexa AI", "we", "our", "us") collects, uses, shares and protects information when you use the Promexa AI platform and website (the "Service"). It is written to comply with the Digital Personal Data Protection Act, 2023 (India) and reflects principles of the EU General Data Protection Regulation where applicable.

1. Information We Collect

Account information you provide directly: name, email address, password (stored as a hash), profile photo.

Business profile information you provide during onboarding: company name, logo, business category, services offered, phone, email, website, brand colors and location.

Social-account information when you connect Facebook Pages or Instagram Business accounts: account name, page/business IDs, OAuth access tokens (stored encrypted) and read-only insights metadata.

Content you create or that is generated for you: prompts you submit, AI-generated captions and images, scheduling preferences, post history.

Billing information processed by our payment partner Razorpay: payment method tokens, billing address, transaction history. We do not store full card numbers on our servers.

Technical information collected automatically: IP address, device and browser characteristics, log timestamps, and usage events necessary to operate the Service and detect abuse.

2. How We Use Information

To provide and operate the Service: authenticate you, store and serve your content, generate AI outputs, schedule and publish posts to connected accounts, send transactional emails.

To bill you: process subscription payments through Razorpay, send invoices and respond to billing queries.

To improve the Service: aggregate, anonymised analysis of how features are used. We do not use the contents of your private business profile to train third-party foundation models.

To communicate with you: respond to support requests; send service announcements, security alerts and (where permitted) product news. You can opt out of marketing emails at any time.

To comply with law and protect rights: respond to lawful requests, enforce our Terms, and protect the safety of users and the public.

3. Sharing With Third Parties

We share data with the following categories of service providers strictly to operate the Service. Each is contractually bound to use the data only for our purposes.

AI providers (OpenAI): your prompts and the business profile data needed to generate content are sent to OpenAI's APIs. Data sent through OpenAI's API is not used to train their models by default.

Social-media platforms (Meta — Facebook & Instagram): we send approved posts and read insights you have authorised. Your interactions on those platforms remain governed by Meta's own privacy notices.

Payments (Razorpay): payment details and transaction metadata.

Cloud infrastructure: MongoDB Atlas (database), Cloudflare R2 or AWS S3 (file storage), Upstash or self-hosted Redis (queue), Vercel and/or DigitalOcean (hosting).

We do not sell your personal data.

4. Cookies & Similar Technologies

We use a small number of strictly necessary cookies to keep you signed in (NextAuth session cookie). We do not use third-party advertising or cross-site tracking cookies on the application. Marketing pages may use privacy-respecting analytics cookies, which you can refuse via your browser settings.

5. Data Retention

We keep your account data while your account is active and for up to 90 days after deletion to allow recovery and resolve disputes.

Generated images and post history are retained while your subscription is active. After cancellation they are retained for 30 days and then deleted, unless a longer period is required by law (for example, tax records for invoices).

6. Data Security

We protect data using industry-standard measures: encryption in transit (HTTPS/TLS), encryption at rest for OAuth tokens, password hashing with bcrypt, role-based access controls, audit logging and least-privilege production access.

No system is perfectly secure. In the event of a personal-data breach that materially affects you, we will notify you and the Data Protection Board of India in accordance with applicable law.

7. International Data Transfers

Some service providers (notably OpenAI) process data in the United States or other regions. Where we transfer personal data outside India we rely on contractual safeguards equivalent to those required by applicable law.

8. Your Rights

Under the Digital Personal Data Protection Act, 2023, you have the right to access, correct, complete, update and erase your personal data, to withdraw consent, to grievance redressal, and to nominate someone to exercise these rights on your behalf in the event of death or incapacity.

To exercise any right, contact us at support@promexa.ai. We will respond within 30 days. If you are unsatisfied with our response you may complain to the Data Protection Board of India.

9. Children's Privacy

The Service is not directed to persons under 18. We do not knowingly collect data from children. If you believe a child has provided personal data to us, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or in-product notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact & Grievance Officer

For any privacy queries, complaints or to exercise your rights, please contact:

Grievance Officer, Promexa AI — support@promexa.ai.
