Privacy Policy
Effective date: February 20, 2026 · Last updated: February 20, 2026
1. Introduction
Outside The Box Development Inc., doing business as AtellierAI ("Atellier," "we," "us," or "our"), operates the Atellier platform, accessible at atellier.ai and app.atellier.ai (collectively, the "Platform"). This Privacy Policy describes how we collect, use, disclose, and otherwise process your personal information when you visit our website, use our Platform, or interact with us in connection with our services.
We are committed to protecting your privacy and handling your data transparently. By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not access or use the Platform.
If you are a resident of the European Economic Area (EEA), United Kingdom (UK), or Canada, additional rights and provisions apply to you as described in Sections 12 and 13.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: When you create an account, we collect your name, email address, password (hashed and stored by our authentication provider, Clerk), and optionally your profile photo.
- Workspace and team information: Organization name, team member email addresses, roles, and workspace settings you configure.
- Brand profiles: Brand names, logos, voice guidelines, target audiences, competitor information, and other brand-specific data you input into the Platform.
- Campaign briefs and outputs: Campaign objectives, messaging, creative direction, target platforms, language preferences, and all content generated by our AI agents (hooks, copy, creative concepts, scores, localizations).
- Prompt Book entries: Saved outputs, custom prompts, and curated content you store for future agent context.
- Billing information: Payment card details, billing address, and subscription preferences. Payment processing is handled by Stripe, Inc. We do not store your full credit card number on our servers.
- Communications: Messages you send to us via email, support channels, or in-app feedback.
- Blog and SEO content: Articles, keyword targets, SEO settings, and content calendars you create within the Platform.
- Social media content: Posts, schedules, captions, and media you create or schedule through the Platform.
- Email marketing content: Email sequences, templates, subscriber lists, and campaign configurations.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, campaign generation frequency, click patterns, session duration, and interaction with generated outputs.
- Device information: Browser type and version, operating system, device type, screen resolution, and unique device identifiers.
- Log data: IP address, access timestamps, referring URLs, and error logs.
- Cookies and similar technologies: We use cookies, local storage, and similar technologies for authentication, preferences, analytics, and advertising. See Section 8 for details.
2.3 Information from Third-Party Integrations
When you connect third-party accounts to the Platform, we receive information from those services based on the permissions you grant:
- Meta (Facebook/Instagram): Ad account information, page details, campaign performance data, audience insights, and publishing permissions. We access this data via the Meta Marketing API and Facebook Login.
- Google Ads: Campaign data, ad performance metrics, account structure, and billing information associated with your Google Ads account.
- Google Analytics 4: Website traffic data, user behavior metrics, conversion data, and audience demographics from your GA4 properties.
- TikTok and TikTok Ads: Account profile information, content posting capabilities, ad campaign data, and performance metrics.
- LinkedIn: Profile information, company page data, and content sharing capabilities.
- Twitter/X: Profile information, posting capabilities, and engagement metrics.
- Slack: Workspace identity, channel lists, and messaging capabilities for campaign notifications.
- Google Search Console: Search performance data, indexing status, and keyword rankings.
We only access the data necessary to provide the features you use. You can revoke third-party access at any time through the Platform's Settings > Connections page or through the third party's own settings.
2.4 Information from AI Processing
Our AI agents process your brand profiles, campaign briefs, and Prompt Book entries to generate marketing outputs. This processing occurs via third-party AI providers (Anthropic for Claude, Google for Imagen and Veo). Your data is sent to these providers solely for the purpose of generating outputs and is subject to their respective data processing agreements. We do not permit these providers to use your data for training their models.
3. How We Use Your Information
We use your personal information to:
- Provide the Platform: Operate the AI marketing pipeline, generate campaign outputs, manage your workspaces, and deliver the core product functionality.
- Process payments: Manage subscriptions, process charges, and provide billing support through Stripe.
- Improve outputs: Use your Prompt Book entries and saved preferences to personalize and improve AI agent outputs for your specific brand and campaigns.
- Publish content: Post, schedule, and manage content on connected third-party platforms (Meta, LinkedIn, Twitter/X, TikTok) on your behalf.
- Provide analytics: Aggregate and display performance data from connected advertising and analytics platforms.
- Send notifications: Deliver campaign completion alerts, team activity updates, and Slack notifications.
- Communicate with you: Respond to support inquiries, send product updates, and share relevant information about your account.
- Ensure security: Detect fraud, prevent abuse, enforce our Terms of Service, and protect the integrity of the Platform.
- Improve the Platform: Analyze usage patterns to fix bugs, develop new features, and optimize user experience. We use aggregated, de-identified data for product analytics.
- Comply with legal obligations: Fulfill tax, accounting, and regulatory requirements.
4. Legal Bases for Processing (EEA/UK Users)
If you are located in the EEA or UK, we process your personal information based on the following legal grounds:
- Performance of a contract: Processing necessary to provide you with the Platform and fulfill our Terms of Service (account management, AI generation, billing, publishing).
- Legitimate interests: Improving the Platform, preventing fraud, ensuring security, and conducting product analytics, where these interests are not overridden by your data protection rights.
- Consent: Where you have given explicit consent, such as connecting third-party accounts, opting into marketing communications, or enabling non-essential cookies.
- Legal obligation: Processing required to comply with applicable laws and regulations.
5. How We Share Your Information
We do not sell your personal information. We share your data only in the following circumstances:
5.1 Service Providers
We share information with third-party service providers who process data on our behalf:
- Convex, Inc. — Real-time database, serverless functions, and file storage (backend infrastructure).
- Clerk, Inc. — Authentication, user management, and session handling.
- Stripe, Inc. — Payment processing and subscription management.
- Anthropic, PBC — AI text generation (Claude) for campaign hooks, copy, creative concepts, scoring, and localization.
- Google LLC — AI image generation (Imagen 3), AI video generation (Veo 3), and web hosting.
- Vercel, Inc. — Web application hosting and edge computing.
Each service provider is contractually bound to use your data only as necessary to provide their services to us and in accordance with applicable data protection laws.
5.2 Connected Third-Party Platforms
When you connect external accounts (Meta, Google Ads, LinkedIn, Twitter/X, TikTok, Slack, Google Analytics, Google Search Console), we transmit data to those platforms as necessary to provide the features you enable — such as publishing content, retrieving analytics, or managing ad campaigns. This sharing is initiated by you and governed by each platform's own privacy policy.
5.3 Workspace Members
If you are part of a workspace with other team members, workspace content (brand profiles, campaign packs, briefs, Prompt Book entries) is shared with other members of that workspace according to their role and permissions.
5.4 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
5.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform before your information becomes subject to a different privacy policy.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Platform. When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, accounting, or audit purposes (typically up to 7 years for financial records).
Specific retention periods:
- Account data: Retained while your account is active, deleted within 30 days of account deletion.
- Campaign data and generated outputs: Retained while your account is active. You can delete individual campaigns at any time.
- Billing records: Retained for 7 years after the end of the billing relationship for tax and legal compliance.
- Server logs: Automatically purged after 90 days.
- Third-party OAuth tokens: Encrypted at rest and deleted immediately when you disconnect the integration or delete your account.
7. Data Security
We implement industry-standard technical and organizational measures to protect your personal information:
- All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 encryption.
- Authentication is managed by Clerk with support for multi-factor authentication (MFA).
- Third-party OAuth tokens are encrypted before storage and refreshed automatically.
- Payment information is processed by Stripe, a PCI DSS Level 1 certified provider. We never store full credit card numbers.
- Access to production systems is restricted to authorized personnel with role-based access controls.
- We conduct regular security reviews and monitor for unauthorized access.
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
8.1 Strictly Necessary Cookies
Required for the Platform to function. These include authentication session cookies (set by Clerk), CSRF protection tokens, and OAuth state parameters. These cannot be disabled.
8.2 Analytics Cookies
We use Google Analytics (via Google Tag Manager) to understand how visitors interact with the Platform. This collects anonymized usage data including page views, session duration, and general location (country/city level). You can opt out using browser extensions or cookie settings.
8.3 Advertising Cookies
We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. This sets cookies to track conversions (such as sign-ups) from Google Ads clicks. No personal data is shared with Google for ad personalization without your consent.
8.4 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling strictly necessary cookies may prevent you from using the Platform.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal information.
- Deletion: Request that we delete your personal information, subject to legal retention requirements.
- Portability: Request a machine-readable copy of your data.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@atellier.ai. We will respond within 30 days (or sooner where required by law).
10. International Data Transfers
Atellier is based in Canada. Your data may be processed in Canada, the United States, and other countries where our service providers operate. When we transfer personal information outside of your jurisdiction, we ensure appropriate safeguards are in place:
- Canada has been recognized by the European Commission as providing an adequate level of data protection.
- For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the EU-U.S. Data Privacy Framework where applicable.
- Our service providers are contractually required to protect your data in accordance with applicable data protection laws.
11. Children's Privacy
The Platform is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected data from a child, please contact us at privacy@atellier.ai.
12. Canadian Privacy Rights (PIPEDA)
As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Under PIPEDA, you have the right to:
- Know why your personal information is being collected and how it will be used.
- Expect that your personal information will only be used for the purposes for which it was collected.
- Access your personal information and challenge its accuracy.
- File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
Our Privacy Officer can be reached at privacy@atellier.ai.
13. Additional Rights for EEA and UK Residents
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR, including:
- The right to lodge a complaint with your local data protection authority (supervisory authority).
- The right to data portability in a structured, commonly used, machine-readable format.
- The right not to be subject to automated decision-making, including profiling, that produces legal or similarly significant effects. Our AI agents generate marketing content suggestions but do not make automated decisions with legal effects on you.
Data Controller: Outside The Box Development Inc., doing business as AtellierAI. Contact: privacy@atellier.ai.
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:
- Right to know: You can request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to delete: You can request deletion of your personal information, subject to exceptions.
- Right to correct: You can request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To make a request, email privacy@atellier.ai with the subject line "CCPA Request." We will verify your identity before fulfilling your request.
15. Third-Party Links and Services
The Platform may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform. This includes the platforms you connect (Meta, Google, LinkedIn, Twitter/X, TikTok, Slack), each of which has its own privacy policy governing your data on their platform.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or a prominent notice on the Platform at least 30 days before the changes take effect (for material changes).
Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at: