Legal

Privacy Policy

Last updated: 10 June 2026

We respect your privacy. This policy explains what we collect, why, and what rights you have. It aligns with NDPR (Nigeria), the Data Protection Act 2012 (Ghana) and 2019 (Kenya), POPIA (South Africa), and GDPR principles for users elsewhere.

1. Data controller

AI Kraft is operated by PegBit Studio. For privacy enquiries: privacy@aikraft.app.

2. What we collect

• Account data — email, name (if provided), authentication tokens. Collected when you sign up via email or Google.
• Workspace inputs — brand profiles, voice examples, product details, calendar entries, WhatsApp contacts you save, document intake answers.
• Generated content — posts, images, proposals, listings, and reports you create.
• Connected-account tokens — OAuth tokens for Facebook, Instagram, LinkedIn, X, TikTok and WhatsApp when you choose to connect them. Stored encrypted at rest (AES-256-GCM).
• Usage data — what you generate, when, and from which approximate region (for rate limiting, billing, and analytics).
• Payment data — handled by Flutterwave. We never see your card number; we receive a transaction reference and the amount charged.

3. Why we use it

• To provide and improve the Service.
• To bill you and apply credits.
• To send you transactional emails (invoice receipts, reminders you opt into).
• To prevent abuse, detect fraud, and enforce our Terms.
• To comply with legal obligations.

4. AI model providers

Generations are processed by third-party AI providers — currently Anthropic (Claude), OpenAI (GPT-4o), and Google (Gemini). We send them the minimum data needed to fulfil your request (the prompt assembled from your inputs). We have agreements with these providers under which they do not use your data to train their public models.

5. Sharing

We share data only with:

• Sub-processors running the Service: Supabase (auth + database), Vercel (hosting), Upstash (rate limiting), Resend (transactional email), Flutterwave (payments), and the AI providers above.
• Social platforms you have connected, when you instruct us to publish.
• Authorities, where compelled by valid legal process.

We do not sell your personal data. Ever.

6. Where data is stored

Primary databases and storage are hosted on Supabase in the EU (Frankfurt). Generated images live on Supabase Storage in the same region. Some sub-processors (Anthropic, OpenAI, Vercel edge cache) may process data in other regions including the US.

7. Retention

We keep account and content data for as long as your account is active. When you delete your account we remove your workspace data within 30 days, except where retention is required by law (e.g. invoicing records, kept for 7 years).

8. Your rights

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your account and associated data.
• Export your data in a machine-readable format.
• Object to processing or withdraw consent for marketing communications.
• Lodge a complaint with your local data protection authority (NDPC in Nigeria, DPC in Ghana, ODPC in Kenya, Information Regulator in South Africa, your member-state DPA in the EU).

To exercise any of these rights, email privacy@aikraft.app.

9. Security

We encrypt OAuth tokens at rest, enforce HTTPS everywhere, use a strict Content Security Policy, rate-limit API endpoints, and require signed webhooks from payment providers. No system is perfectly secure — if we detect a breach affecting your data we will notify you and the relevant authority within 72 hours.

10. Cookies

We use cookies strictly necessary for authentication and session management. We do not use tracking or advertising cookies.

11. Children

The Service is not intended for users under 18. We do not knowingly collect data from children.

12. Changes

We may update this Policy. Material changes will be announced in-app and by email at least 14 days before they take effect.