Privacy Policy

Last updated: April 22, 2026

1. Introduction

KRISAI LLC, a Texas limited liability company doing business as krisAi AdCraft ("we", "our", or "us"), operates the platform available at https://krisai.co. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered software platform. By accessing or using krisAi AdCraft, you agree to this policy.

2. Information We Collect

2.1 Account & Profile Information

  • Name, email address, and password (hashed)
  • Business name, vertical (Attorney, Real Estate, or B2B), and role
  • Profile photo (if provided via Google OAuth)
  • Brand Voice settings: tone keywords, mission statement, personas, and USPs

2.2 Ad Campaign & Creative Data

  • Campaign briefs, ad copy, headlines, descriptions, and calls-to-action you generate
  • AI-generated images, audio voiceovers, and carousel slides stored in our Supabase storage
  • Campaign performance metrics retrieved from connected ad platforms

2.3 Third-Party Platform Credentials

When you connect Meta, Google Ads, or LinkedIn, we store OAuth access tokens and refresh tokens, encrypted at rest using AES-256-GCM. We use these solely to manage campaigns on your behalf.

2.4 Lead & CRM Data

  • Prospect names, emails, phone numbers, and company details you import or enter
  • Lead scores, sequence enrollment status, and activity history

2.5 Automatically Collected Data

  • IP address, browser type, operating system, and referring URLs
  • Session identifiers and authentication tokens (JWT, Supabase session)
  • API usage logs (request timestamps, endpoint, response status — no request bodies)

2.6 SMS Consent Data

When a prospect submits an SMS opt-in form on behalf of one of our clients (via krisai.co/sms-opt-in/attorneys, /real-estate, or /b2b), we collect and store:

  • First name, last name, and mobile phone number
  • Email address (if voluntarily provided)
  • Consent timestamp (date and time of form submission)
  • IP address of the submitting device
  • Opt-in method (e.g., "landing_page") and vertical (attorneys, real estate, or B2B)
  • Business name on whose behalf consent was collected

No SMS messages are sent to a prospect until the consent checkbox has been explicitly checked and the form submitted. See Section 10 for full details on how SMS consent data is used and how to opt out.

3. How We Use Your Information

  • Provide the service — generate AI ad copy and images, manage campaigns, store creatives
  • Authentication — verify your identity via email/password or Google OAuth (NextAuth.js)
  • AI generation — your brief and brand voice are sent to Anthropic (Claude), OpenAI (DALL·E / TTS), and fal.ai (FLUX) to produce ad content; see Section 5 for details
  • Campaign management — push and monitor ads on Meta, Google Ads, and LinkedIn using your authorized credentials
  • Booking & scheduling — create and cancel Google Calendar events for consultations and appointments booked through the platform on your behalf
  • Billing & notifications — transactional emails about your account and usage
  • Security & abuse prevention — detect fraudulent activity and enforce rate limits
  • Product improvement — aggregated, anonymized analytics to improve platform features

4. Google OAuth & API Scopes

When you sign in with Google or connect Google Ads, we request only the scopes necessary for the features you use:

Scope | Purpose
openid | Authenticate your identity
profile | Display your name and avatar in the dashboard
email | Create or link your krisAi AdCraft account
https://www.googleapis.com/auth/adwords | Create, manage, and report on Google Ads campaigns (only when you connect Google Ads)
https://www.googleapis.com/auth/calendar.events.owned | Create, view, and cancel booking events on your own Google Calendar — used to schedule consultations and appointments booked through the platform on your behalf. We only access events created by krisAi AdCraft; we cannot read, modify, or delete other events on your calendar.

KRISAI LLC's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Third-Party AI Services

To generate ad content, we send portions of your input (brief, brand voice, vertical) to the following processors:

We do not send personally identifiable information (PII) such as your name, email, or lead data to these services. Only your creative brief and brand voice inputs are transmitted.

6. Data Storage & Security

  • User data is stored in a PostgreSQL database hosted on Supabase (AWS us-east-1)
  • Generated images and audio are stored in Supabase Storage (public CDN for browser delivery)
  • OAuth tokens and sensitive credentials are encrypted at rest with AES-256-GCM
  • All data in transit is protected via TLS 1.2+
  • Access to the database is restricted to application servers via Supabase Row-Level Security (RLS)
  • We do not store credit card numbers — billing is handled by our payment processor

7. Data Retention

  • Account data is retained while your account is active
  • Generated creatives (images, audio) are retained in storage until you delete them
  • OAuth tokens are deleted when you disconnect a platform integration
  • Upon account deletion, all personal data is permanently removed within 30 days
  • Anonymized usage logs may be retained for up to 12 months for analytics

8. Data Sharing & Disclosure

We do not sell your personal data. We share data only in these circumstances:

  • Service providers — Supabase (database/storage), Vercel (hosting), Inngest (background jobs), Anthropic/OpenAI/fal.ai (AI generation), ad platform APIs (Meta, Google, LinkedIn)
  • Legal requirements — if required by law, court order, or government request
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to you
  • Your consent — in any other case, only with your explicit permission

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — update inaccurate or incomplete information via your Settings page
  • Deletion — request deletion of your account and associated data
  • Portability — receive your data in a machine-readable format
  • Withdraw consent — disconnect platform integrations at any time via the Integrations page
  • Opt-out — unsubscribe from marketing emails at any time

To exercise any of these rights, email us at privacy@krisai.co. We will respond within 30 days.

10. SMS Communications

KRISAI LLC (d/b/a krisAi AdCraft) operates SMS outreach on behalf of its clients (law firms, real estate agencies, and B2B companies) using Twilio as the messaging carrier. This section explains how we handle SMS consent, message delivery, and opt-out requests in compliance with the Telephone Consumer Protection Act (TCPA) and CTIA guidelines.

10.1 How We Obtain Consent

We obtain express written consent before sending any automated SMS messages. Consent is collected exclusively through our dedicated opt-in web forms, where the prospect:

  • Voluntarily provides their mobile phone number
  • Reads the full TCPA disclosure specific to their vertical (legal, real estate, or B2B)
  • Actively checks a consent checkbox — pre-checked boxes are never used
  • Submits the form, at which point the consent timestamp and IP address are recorded

Consent is not a condition of any purchase or service. Each opt-in page covers a single, specific use case — attorneys, real estate, or B2B — and messages are limited to that use case only.

10.2 Types of Messages Sent

All messages are transactional and appointment-related (Customer Care category). No promotional or unsolicited marketing messages are sent. Depending on the vertical opted into, messages are limited to:

  • Attorneys: Attorney introduction, consultation scheduling, and appointment reminders
  • Real Estate: Agent introduction, showing confirmations, and appointment reminders
  • B2B: Business introduction, demo scheduling, and appointment reminders

Message frequency: up to 5 messages per inquiry. Standard message and data rates may apply.

10.3 How to Opt Out

You may opt out of SMS messages at any time by replying STOP to any message you receive. Upon receiving a STOP request, we will send one final confirmation message and immediately cease all further SMS communications to that number. Opt-out requests are honoured within one business day. You will not receive further messages unless you opt in again through a new form submission.

To receive help or contact information, reply HELP to any message. You may also contact us at privacy@krisai.co.

10.4 Data Use & Sharing

SMS consent records (name, phone number, consent timestamp, IP address, and opt-in method) are stored securely in our database and used solely to:

  • Deliver the messages you consented to receive
  • Maintain an auditable consent log for TCPA compliance purposes
  • Process opt-out requests and suppress future messages

We do not sell, rent, or share SMS consent data with third parties for their own marketing purposes. Consent records are shared only with the specific client (law firm, real estate agency, or B2B company) on whose behalf the opt-in was collected, and with Twilio solely for message delivery.

10.5 Carrier Disclosure

SMS messages are delivered via Twilio's A2P 10DLC messaging infrastructure. Carriers are not liable for delayed or undelivered messages. Message and data rates set by your mobile carrier may apply.

11. Cookies & Tracking

We use only essential cookies required to operate the service:

  • Session cookies — NextAuth.js and Supabase session tokens to keep you signed in
  • Preference cookies — your accent theme preference stored in localStorage

We do not use advertising cookies, third-party tracking pixels, or behavioral analytics cookies.

12. Children's Privacy

KRISAI LLC (d/b/a krisAi AdCraft) operates a business platform not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at privacy@krisai.co and we will delete it promptly.

13. International Data Transfers

Our servers are located in the United States (AWS us-east-1 via Supabase, Vercel iad1). If you access krisAi AdCraft from outside the United States, your data will be transferred to and processed in the US. By using the platform, you consent to this transfer.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice in the dashboard. The "Last updated" date at the top will always reflect the most recent revision. Continued use of the platform after changes constitutes acceptance.

15. Contact Us

If you have questions, requests, or concerns about this Privacy Policy, please contact:

KRISAI LLC (d/b/a krisAi AdCraft)

Registered in Texas, USA

Privacy & Data Protection

Email: privacy@krisai.co

Website: https://krisai.co