Privacy Policy

Aweb Productions (“Aweb,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Aweb platform at awebapp.ai (the “Platform”).

This Privacy Policy applies to all users worldwide and addresses the specific requirements of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the UK Data Protection Act, and other applicable privacy legislation.

By using the Platform, you agree to the practices described in this Privacy Policy. This policy should be read alongside our Terms of Service.

We never sell your personal data. This is not a conditional statement. Aweb does not and will not sell, rent, or trade your personal information to third parties for their marketing purposes.

Account Information. When you create an account, we collect your name, email address, and authentication credentials. If you sign in through Google OAuth, we receive your name, email, and profile picture from Google.

Payment Information. Subscription payments are processed by Stripe. We do not store your complete credit card number, CVV, or bank account details. We receive and store a payment reference, billing email, subscription status, and transaction history from Stripe.

AI Interaction Data. When you use the Platform to generate content, we process:

• Your text prompts and generation parameters.
• Selected providers, models, and quality settings.
• Generated outputs (videos, images, audio, 3D models, code).
• Metadata about generations (timing, provider used, cost, quality scores).

This data is necessary to deliver the service, display your creations in Studio, and enable features like composition editing and social publishing.

Social Platform Data. When you connect social media accounts (TikTok, Instagram, YouTube, X, LinkedIn) or commerce platforms (Shopify, Etsy, Gumroad), we store:

• OAuth access tokens and refresh tokens, encrypted at rest using AES-256-GCM.
• Your platform username, display name, and avatar URL.
• Platform-specific identifiers (user IDs, channel IDs).

We access these accounts only to perform actions you explicitly authorize (publishing content, listing products). We do not read your private messages, follower lists, or unrelated account data.

Maestro Pipeline Data. If you use the Maestro autonomous pipeline, we process:

• Market opportunity data (trends, keywords, niches) discovered by the pipeline.
• Production decisions (provider selection, quality scores, review feedback).
• Listing and promotion records (platforms, captions, hashtags, performance metrics).
• Decision logs that record every autonomous action for transparency and auditability.

Usage Data. We automatically collect information about how you interact with the Platform, including pages visited, features used, session duration, browser type, operating system, IP address, and referring URLs.

Device and Technical Data. We collect device identifiers, screen resolution, language preference, and timezone to optimize your experience.

We use your information for the following purposes:

• Provide the Platform. Process your prompts, generate content, store your creations, manage your account, and deliver all Platform features.
• Autonomous Operations. Execute Maestro pipeline actions you authorize: discovering opportunities, producing content, listing products, and publishing to social media.
• Process Payments. Manage subscriptions, process charges, and maintain billing records through Stripe.
• Improve the Platform. Analyze usage patterns (in aggregate) to improve performance, fix bugs, develop new features, and optimize provider routing.
• Communicate. Send essential service communications (account verification, security alerts, billing notices). We may also send product updates, which you can opt out of at any time.
• Security and Fraud Prevention. Detect, prevent, and investigate security incidents, fraud, and Terms of Service violations.
• Legal Compliance. Comply with applicable laws, regulations, legal processes, and government requests.

AI Model Training. We do not use your prompts, inputs, or generated outputs to train AI models unless you explicitly opt in. Your creative work remains yours. If we ever introduce an opt-in program for training data contribution, it will require clear, affirmative consent and will be described in detail before you participate.

We share your information only in the following circumstances:

AI Providers. When you generate content, your prompts and parameters are transmitted to the selected AI provider (such as Anthropic, OpenAI, Runway, ElevenLabs, Kling, Luma, and others). Each provider processes this data under its own privacy policy. We select providers that commit to not using API-submitted data for training their models.

Infrastructure Providers. We use trusted infrastructure services to operate the Platform:

• Vercel — Application hosting and serverless functions (processes request data).
• Supabase — PostgreSQL database and authentication (stores account and application data).
• Cloudflare — CDN, R2 object storage, and DDoS protection (caches and delivers media content).
• Mux — Video processing, streaming, and delivery (processes and serves video content).
• Vercel Blob — File storage for generated assets (stores images, videos, audio).

Payment Processor. Stripe processes all subscription payments and receives the billing information necessary to complete transactions.

Connected Platforms. When you connect social media or commerce accounts, we transmit content, captions, and metadata to those platforms as directed by you. We only send data necessary to perform the authorized action (publishing a post, creating a listing).

Legal Requirements. We may disclose your information if required by law, regulation, legal process, or government request, or to protect the rights, safety, or property of Aweb, our users, or the public.

Business Transfers. In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership.

With Your Consent. We may share your information for other purposes with your explicit consent.

Where Your Data Is Stored. Your data is primarily stored in:

• Supabase PostgreSQL databases (AWS ap-south-1 region).
• Vercel Blob storage (distributed CDN).
• Cloudflare R2 object storage (distributed CDN).

Encryption. We implement industry-standard encryption:

• All data in transit is encrypted using TLS 1.3.
• OAuth tokens for connected platforms are encrypted at rest using AES-256-GCM with unique initialization vectors.
• Database connections use SSL/TLS encryption.
• Passwords are hashed using bcrypt.

Access Controls. Access to production databases and infrastructure is restricted to authorized personnel using role-based access controls, multi-factor authentication, and audit logging.

Incident Response. We maintain incident response procedures and will notify affected users and relevant authorities of data breaches in accordance with applicable law, within 72 hours of becoming aware of a qualifying breach (as required by GDPR Article 33).

Depending on your jurisdiction, you may have the following rights regarding your personal information:

GDPR Rights (EU/EEA/UK Users).

• Right of Access (Article 15) — Request a copy of the personal data we hold about you.
• Right to Rectification (Article 16) — Request correction of inaccurate or incomplete data.
• Right to Erasure (Article 17) — Request deletion of your personal data (“right to be forgotten”).
• Right to Data Portability (Article 20) — Receive your data in a structured, machine-readable format.
• Right to Restriction (Article 18) — Request that we limit processing of your data.
• Right to Object (Article 21) — Object to processing based on legitimate interests.
• Right to Withdraw Consent — Where processing is based on consent, withdraw it at any time.

Our legal basis for processing your data includes: performance of our contract with you (Article 6(1)(b)), our legitimate interests in operating and improving the Platform (Article 6(1)(f)), your consent where obtained (Article 6(1)(a)), and compliance with legal obligations (Article 6(1)(c)).

CCPA/CPRA Rights (California Residents).

• Right to Know — Request disclosure of what personal information we collect, use, and share.
• Right to Delete — Request deletion of your personal information.
• Right to Opt-Out of Sale — We do not sell personal information. No opt-out is necessary.
• Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights.
• Right to Correct — Request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information — Direct us to limit our use of sensitive personal information to what is necessary.

How to Exercise Your Rights. Contact us at privacy@awebapp.ai with your request. We will verify your identity and respond within 30 days (or 45 days for complex requests, with notice). You may also delete your account and associated data through your account settings.

As an AI creative platform, Aweb has specific privacy considerations that go beyond traditional data processing:

What Data Is Sent to AI Providers. When you generate content, the following is transmitted to the selected AI provider:

• Your text prompt and any configuration parameters (style, quality, resolution).
• Reference images or media you provide as inputs.
• No personally identifiable information is included in API requests to AI providers unless it is part of your prompt.

How AI Providers Handle Your Data. We use AI providers through their API services, which generally have stronger privacy protections than consumer-facing products. Specifically:

• Anthropic, OpenAI, and most other API providers state that API-submitted data is not used to train their models by default.
• Data retention policies vary by provider, but API data is typically retained for a limited period (30 days or less) for abuse monitoring before deletion.
• We prioritize providers that offer clear data processing agreements and GDPR compliance.

EU AI Act Compliance. Under the EU AI Act (Regulation 2024/1689), Aweb qualifies as a deployer of general-purpose AI systems. We comply by:

• Maintaining transparency about which AI systems are used to generate content.
• Providing AI disclosure metadata with generated outputs.
• Enabling users to apply appropriate disclosure labels when publishing AI-generated content.
• Maintaining records of AI system usage for audit purposes.

Opt-Out of AI Training. Your prompts and outputs are not used for AI model training. If we ever introduce a voluntary training data contribution program, it will require separate, explicit, opt-in consent and will be clearly described before participation.

Essential Cookies. We use strictly necessary cookies for:

• Authentication and session management (NextAuth session cookies).
• OAuth state management (temporary cookies during social platform connection).
• Theme preference (localStorage, not a cookie).
• CSRF protection.

Analytics. We may use privacy-respecting analytics to understand aggregate usage patterns. We do not use Google Analytics or other tracking tools that create cross-site profiles.

No Advertising Cookies. Aweb does not serve advertisements. We do not use advertising cookies, tracking pixels, or any form of cross-site tracking for advertising purposes.

Do Not Track. We honor Do Not Track (DNT) browser signals. When we detect a DNT header, we disable any non-essential analytics collection.

The Platform is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@awebapp.ai.

Aweb operates globally, and your data may be processed in countries other than your country of residence, including the United States. When we transfer data from the EU/EEA/UK to countries that have not received an adequacy decision from the European Commission, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Data processing agreements with our infrastructure providers that incorporate appropriate safeguards.
• Where applicable, the EU-U.S. Data Privacy Framework.

You can request a copy of the safeguards we use for international transfers by contacting us at privacy@awebapp.ai.

We retain your data for as long as necessary to provide the Platform and fulfill the purposes described in this policy:

• Account data — Retained while your account is active. Deleted within 30 days of account deletion request.
• Generated content — Retained while your account is active. You may delete individual creations at any time.
• OAuth tokens — Retained while the platform connection is active. Deleted immediately upon disconnection.
• Pipeline decision logs — Retained for 12 months for transparency and debugging, then anonymized or deleted.
• Usage analytics — Retained in aggregate form indefinitely. Individual session data is deleted after 90 days.
• Payment records — Retained as required by applicable tax and financial regulations (typically 7 years).

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will: (a) update the “Last Updated” date at the top of this page; (b) notify you via email or through the Platform at least 30 days before the changes take effect; and (c) provide a clear description of what changed.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes take effect constitutes your acceptance of the updated policy.

For privacy-related inquiries, data requests, or complaints:

Aweb Productions
Privacy Team
Email: privacy@awebapp.ai
General: hello@awebapp.ai

If you are in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

If you are a California resident and wish to exercise your CCPA rights, you may also contact us at privacy@awebapp.ai with the subject line “CCPA Request.”