Privacy Policy
🔍 Data-Collection Inventory

| # | Where / When we collect data | Exactly what we collect | Why we collect it (lawful basis) | Where & how it’s stored / protected | Who else sees it & why |
|---|---|---|---|---|---|
| 1 | Contact / InstaAudit form (website) | Name (required); Email (required); Instagram @handle (required); Free-text message; Public posts | Prepare the Instagram audit you asked for (contract); Follow-up about next steps (legitimate interest) | Supabase (EU region) PostgreSQL DB; Encrypted at rest (AES-256); Access logged & limited to 2 staff | Gemini – to draft parts of the audit (processor of the analyses) |
| 2 | Newsletter sign-up (“Neuron”) | Email | Send AI-news updates you opted into (consent) | Relevance AI (EU end-point) mailing list, encrypted in transit & rest | Relevance AI – email delivery provider |
| 3 | Future paid plans / checkout | Billing name & address; Card details (tokenised); VAT / Tax ID (if needed) | Process payment (contract); Meet tax obligations (legal duty) | Stripe vault (PCI-DSS compliant); We only store Stripe tokens | Stripe – payment processor; Accountants (anonymised invoices) |
| 4 | Website analytics (all pages) | IP-derived city/region; Device & browser data; Pages visited & dwell time | Understand site performance & interest areas (legitimate interest) | Vercel Web Analytics (EU servers); Data never leaves Vercel | — (aggregated, no personal sharing) |
| 5 | Embedded YouTube videos | Google sets “VISITOR_INFO1_LIVE”, etc.; Viewer IP & device-fingerprint | Display video & count legitimate views (legitimate interest) | Google’s own servers; we do not store this data | Google/YouTube – host & analytics |
| 6 | Support emails / live chat | Email address; Whatever you write | Solve your request (contract) | Google Workspace mail (EU data region); TLS enforced | — |
| 7 | Cookie-consent choice | Consent flag (“cookies-accepted”: true/false) | Remember your preference (legal duty under GDPR/CCPA) | First-party cookie, 12 months, HTTP-only | — |

🛡️ How we protect all personal data

| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.3 or better on every endpoint |
| Encryption at rest | AES-256 across Supabase, Vercel, Stripe |
| Access control | Role-based; MFA on every admin account |
| Back-ups | Daily encrypted snapshots, 30-day retention |
| Auditing & logging | Access logs retained 12 months, reviewed quarterly |
| Third-party agreements | Data-processing agreements (DPAs) in place with Vercel, Supabase, Resend, Stripe |

🤝 Third-party processors (summary list)

| Service | Role | Data they may process |
|---|---|---|
| Vercel | Hosting & analytics | IP metadata, page hits |
| Supabase | Database & auth | All form/app data |
| Gemini | Audit and text generation for social audits | Scraped public posts on social media and bio, using Apify actors, so we can give the client feedback about their presence and what they can improve |
| Stripe | Payments | Billing & tokenised card details |
| Resend | Email delivery | Newsletter addresses |
| Google / YouTube | Video hosting & view counts | IP, cookies (see Cookie section) |

Each processor is bound by contract not to sell or reuse your data and to keep industry-standard security.

👤 Your rights & how to use them

| Right (GDPR, CCPA, etc.) | What it means | How to exercise |
|---|---|---|
| Access | Ask for a copy of the data we hold on you. | Email privacy@abdoai.com with subject “Data Access Request”. |
| Correction | Fix inaccurate or incomplete data. | Same email; tell us what needs changing. |
| Deletion / Erasure | Have your personal data deleted. | Email request; we erase within 30 days unless law requires retention. |
| Portability | Get your data in a machine-readable file. | We’ll supply CSV/JSON within 30 days. |
| Withdraw consent | Stop newsletters or analytics cookies. | Click “unsubscribe” link or clear cookies; or email us. |
| Opt-out of “sale” (CCPA) | We don’t sell data, but you can confirm. | Email us; we’ll confirm within 15 days. |

🍪 Cookies & Tracking

| Cookie type | Example cookie | Purpose | Lifespan | Consent needed? |
|---|---|---|---|---|
| Essential | vercel-defense | Load-balancing & security | Session | No |
| Preference | cookies-accepted | Stores banner choice | 12 months | No (set after click) |
| Analytics | _vercel_analytics_session | Page-view counts | 30 minutes | Yes – blocked until “Accept” |
| Third-party (YouTube) | VISITOR_INFO1_LIVE, YSC | Embedded video stats | Up to 6 months | Yes (YouTube sets after play) |

We honour your choice via the cookie banner; nothing except essential cookies loads until you click Accept.

📬 Contact for privacy matters

Email: privacy@abdoai.com

Need a shorter snippet? We collect only what we need to deliver your AI audits, newsletter, and future SaaS tools; we never sell your data; you can email privacy@abdoai.com any time to see, fix, or delete your info.