Privacy Policy
Effective: May 15, 2026 · Last updated: May 15, 2026
This Privacy Policy explains how Autobyline ("we", "us", or "our") collects, uses, and protects personal data when you use our service at autobyline.io and app.autobyline.io (the "Service").
We are committed to handling personal data in compliance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
1. Information We Collect
1.1 Information you provide
- Account information: email address, display name, OAuth identifier (Google).
- Tenant settings: company name, country (for trend localization), preferred article language.
- Content: prompts you submit, articles you generate, journalist configurations.
- Integration credentials: WordPress site URLs and Application Passwords you connect (stored encrypted).
1.2 Information collected automatically
- Usage data: API requests, feature usage, error logs (30-day retention).
- Technical data: IP address, browser type, OS, request timestamps (for security and abuse prevention).
- Cookies: session cookies for authentication. No third-party advertising cookies.
1.3 Information from third parties
- Polar.sh (payments): billing email, payment status, invoice records. Card data is processed by Polar.sh and Stripe; we never see or store full card numbers.
- Google OAuth: email, name, profile picture URL (when you sign in with Google).
2. How We Use Your Information
- Provide the Service (authenticate you, generate articles, publish to your sites).
- Process payments via Polar.sh (Merchant of Record).
- Send transactional emails (welcome, receipts, account notifications).
- Send marketing emails only with your explicit opt-in consent (you can withdraw anytime).
- Monitor abuse, fraud, and security threats.
- Comply with legal obligations (tax records, law enforcement requests).
3. Legal Bases (GDPR)
- Contract: processing necessary to provide the Service you signed up for.
- Legitimate interest: security, abuse prevention, service improvement.
- Consent: marketing emails, optional cookies.
- Legal obligation: tax records, regulatory compliance.
4. Data Sharing
We share personal data only with the following categories of third parties:
- Polar.sh — payment processing (Merchant of Record).
- Supabase — managed PostgreSQL hosting (data stored in us-east-1, N. Virginia).
- Cloudflare — edge hosting, R2 storage, KV cache.
- Resend — transactional and marketing email delivery.
- Google (OAuth) / Anthropic / Perplexity / Runware — AI model providers and OAuth (limited to your prompts and content; not used to train models per their enterprise terms).
We do not sell personal data. We do not share data for cross-context behavioral advertising.
5. International Data Transfers
Our primary infrastructure is in the United States (us-east-1). For EU residents, transfers rely on Standard Contractual Clauses (SCCs) and the Polar.sh Merchant of Record framework for payment data. You can request more information on our transfer safeguards at any time.
6. Data Retention
- Account data: retained while your account is active. Deleted within 30 days of account closure.
- Generated articles: retained while your account is active. Deleted on account closure or on your request.
- Payment records: retained 7 years for tax compliance (legal obligation).
- Error logs: 30 days.
- Marketing email subscribers: until you unsubscribe.
7. Your Rights
7.1 GDPR (EU/UK residents)
- Article 15 — Access: request a copy of personal data we hold about you.
- Article 16 — Rectification: correct inaccurate data.
- Article 17 — Erasure: request deletion ("right to be forgotten").
- Article 18 — Restriction: limit how we process your data.
- Article 20 — Portability: export your data in a machine-readable format.
- Article 21 — Object: object to processing based on legitimate interest.
- Article 7(3) — Withdraw consent: for marketing and optional cookies, anytime.
- Right to lodge a complaint with your national supervisory authority (e.g. CNIL for France, ICO for the UK, BfDI for Germany).
7.2 CCPA / CPRA (California residents)
- Right to know what personal information we collect.
- Right to delete personal information.
- Right to correct inaccurate information.
- Right to opt out of "sale" / "sharing" — we do not sell or share for cross-context behavioral advertising.
- Right to non-discrimination for exercising your rights.
7.3 How to exercise your rights
Email privacy@autobyline.io from the email address associated with your account, or use the in-app GDPR request form in Settings → Account (rolling out v1.1). We respond within 30 days (60 days for complex requests, with notice).
8. Security
- HTTPS everywhere. TLS 1.2+ for all connections.
- API keys are hashed; OAuth tokens are scoped to least privilege.
- WordPress Application Passwords are encrypted at rest in our database.
- Row-Level Security on all tenant data — no cross-tenant access.
- Regular dependency audits and security patches.
No method of transmission or storage is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and the appropriate supervisory authorities within 72 hours as required by GDPR.
9. Children's Privacy (COPPA)
Autobyline is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@autobyline.io and we will delete the data.
10. Cookies
We use only essential cookies required for authentication and security. We do not use third-party advertising or tracking cookies. A cookie banner will be added in v1.1 to allow you to manage optional cookies (currently none in use).
11. Changes to This Policy
We will notify you of material changes by email (if you have an account) at least 30 days before they take effect, except for minor clarifications. The current version is always available at autobyline.io/privacy.
12. Contact
For privacy questions, data requests, or complaints:
Email: privacy@autobyline.io
General support: support@autobyline.io
This Privacy Policy is provided for transparency and to demonstrate our commitment to responsible data handling. It does not create a contract between you and Autobyline; contractual terms are in the Terms of Service.