Privacy Policy

When you create an account, we store your email address and a hashed password (managed by Supabase Auth). If you sign in with Google, we receive your name, email, and profile picture from Google. Nothing else.

When you connect a social media platform, we request read-only access to your public posts and profile metadata (username, follower count, avatar). We store post-level data (captions, hashtags, engagement metrics) for the duration of the analysis. OAuth access tokens are stored server-side and never exposed to your browser.

Your data is used exclusively to run analyses and generate content recommendations. Specifically:

• Post data is sent to our analysis engine (Claude AI and a Python NLP service) to score hooks, hashtags, engagement patterns, and content quality.
• Analysis reports are stored in your account so you can review them later and track score changes over time.
• Generated content (hooks, captions, scripts) is saved to your history for retrieval.
• Usage events (analysis runs, content generations) are logged for plan limit enforcement and your activity feed.

We do not sell, rent, or share your data with third parties for advertising or marketing purposes.

We use the following services to operate CloutAI:

• Supabase: Authentication and database hosting (PostgreSQL with row-level security).
• Anthropic (Claude): AI analysis and content generation. Post captions and metadata are sent to Claude's API for processing. Anthropic does not use API inputs to train models.
• Stripe: Payment processing. We never see or store your full card number.
• Resend: Transactional email delivery (analysis notifications, weekly digests).
• Vercel: Application hosting and serverless functions.
• Sentry: Error monitoring. No personal data is included in error reports.

When you connect TikTok, Instagram, YouTube, or Facebook, we access your data through their official APIs using OAuth. You can disconnect any platform at any time from Settings, which stops all future data access. We do not scrape private accounts. All analysis uses data you've authorized or that is publicly available.

Competitor tracking uses publicly available profile data only. We cannot access private accounts, direct messages, or any data not visible on the public profile.

Your analysis reports and generated content are retained for as long as your account exists. If you delete your account (Settings → Delete account), all data is permanently removed: connected accounts, posts, reports, generated content, and usage history. This action is irreversible.

OAuth tokens are deleted immediately when you disconnect a platform.

All data is transmitted over HTTPS. Database access is protected by row-level security. You can only access your own data. OAuth tokens are stored server-side and never returned to the browser. Our API routes validate every request with authentication checks and input validation before processing.

Internal services (our Python analysis service) authenticate via shared secrets and are not publicly accessible.

We use strictly necessary cookies for authentication session management (Supabase auth cookies). We use localStorage for UI preferences (notification read timestamps). We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

You can:

• Access your data. All reports, generated content, and account information are visible in your dashboard.
• Export your data. Use the CSV export on the Reports page or PDF export on individual reports.
• Delete your data. Delete your entire account from Settings. This is permanent.
• Disconnect platforms. Revoke our access at any time from Settings.

If you have questions about your data, email hi@cloutai.co.uk.

If we make material changes, we'll notify you by email. Continued use of CloutAI after changes constitutes acceptance.