Privacy Policy

Outperform AI (“we,” “us,” or “our”) operates Outperform AI (the “Service”), available at useoutperform.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect information provided through OAuth authentication:

• Full name
• Email address
• Google account identifier
• Meta (Facebook) account identifier, if you connect a Meta Ads account
• Profile picture URL (if provided by the identity provider)

1.2 Advertising Account Data

When you connect your advertising accounts, we access and process data from those accounts to provide the Service. This includes:

• Google Ads data: campaigns, ad groups, keywords, ads, extensions, bidding strategies, budgets, targeting settings, quality scores, conversion tracking configuration, and performance metrics (impressions, clicks, cost, conversions, revenue).
• Meta Ads data: campaigns, ad sets, ads, creatives (text and image/video references), audience targeting configurations, placements, budgets, and performance metrics (impressions, reach, clicks, cost, conversions, ROAS).

1.3 OAuth Tokens

We store encrypted OAuth access tokens and refresh tokens to maintain your connection to Google Ads and Meta Ads on your behalf. These tokens are encrypted at rest using AES-256 encryption and are never exposed in logs or transmitted to third parties except as described in this policy.

1.4 Conversation Data

When you interact with the AI co-pilot, we store your chat messages and the AI-generated responses to provide a continuous conversation experience and improve the Service. Conversations may reference your advertising account data.

1.5 Usage Analytics

We collect information about how you interact with the Service, including:

• Pages visited and features used
• Session duration and frequency
• Browser type and device information
• IP address (used for approximate geolocation and security)
• Referring URLs

1.6 Email Delivery Data

If you opt in to receive daily performance briefs or other email notifications, we process your email address through our email delivery provider and collect data on email delivery status, opens, and clicks.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service, including AI-powered campaign analysis, daily briefs, campaign creation, and optimization recommendations.
• Authenticate your identity and maintain your session.
• Access your connected advertising accounts to read performance data and, with your explicit approval, execute campaign modifications.
• Generate AI-powered insights, recommendations, and reports based on your advertising data.
• Send you daily performance briefs and alert notifications (if opted in).
• Improve and develop the Service, including training and evaluating our analysis models.
• Detect, prevent, and address security issues and abuse.
• Comply with legal obligations.

3. Google API Services User Data Policy

Outperform AI’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we:

• Only use Google user data to provide and improve the Service as described in this Privacy Policy.
• Do not transfer Google user data to third parties except (a) as necessary to provide or improve the Service, (b) as required by law, or (c) as part of a merger, acquisition, or sale of assets with prior notice.
• Do not use Google user data for serving advertisements.
• Do not allow humans to read Google user data unless (a) you have given affirmative consent, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.

4. Meta Platform Terms Compliance

Our use of data received from the Meta (Facebook) Platform is subject to the Meta Platform Terms and Meta Developer Policies. We:

• Only use Meta data to provide the Service to you.
• Do not sell, license, or purchase Meta user data.
• Do not transfer Meta data to any data broker, advertising network, or other monetization service.
• Provide a clear mechanism for you to request deletion of all Meta data we store (see our Data Deletion Instructions).
• Delete all Meta data associated with your account within 30 days of receiving a deletion request or upon de-authorization of our app through Meta settings.

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following circumstances:

5.1 Sub-Processors

We use the following third-party service providers (sub-processors) to operate the Service. Each sub-processor only receives the minimum data necessary to perform its function:

• Anthropic (Claude API) — AI language model provider. Receives conversation messages and, where necessary, summaries of advertising data to generate analysis and recommendations. Anthropic’s data usage is governed by their usage policy. Data sent to Anthropic via the API is not used to train their models.
• Vercel — Frontend hosting. Processes standard HTTP request data (IP address, user agent, request path).
• DigitalOcean, Microsoft Azure — Backend hosting and database infrastructure. Stores all persistent application data including encrypted tokens and advertising account data.
• Resend — Email delivery. Receives email addresses and email content for daily performance briefs and transactional notifications.
• Exa — Website crawling service. Receives your company domain URL to retrieve publicly available website content for contextual analysis. Does not receive any advertising account data or personal information.

5.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service before your information becomes subject to a different privacy policy.

6. Data Retention

• Account information: Retained for the duration of your active account, plus 30 days after account deletion to allow for recovery.
• Advertising account data: Retained for the duration of your active account. Historical performance data may be retained in aggregated, anonymized form after account deletion for product improvement purposes.
• OAuth tokens: Retained until you disconnect the relevant advertising account or delete your account. Tokens are deleted immediately upon disconnection.
• Conversation data: Retained for the duration of your active account, plus 30 days after account deletion.
• Usage analytics: Retained for 24 months in identifiable form. After 24 months, data is aggregated and anonymized.
• Email delivery logs: Retained for 90 days.

When you request data deletion, we will delete or anonymize your personal data within 30 days. See our Data Deletion Instructions for details.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• AES-256 encryption for OAuth tokens at rest.
• TLS 1.2+ encryption for all data in transit.
• Database-level access controls and network isolation.
• Regular security reviews and dependency auditing.
• Minimal data access principles — team members only access personal data when required for support or security purposes.
• Logging of all write operations to advertising accounts for audit purposes.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

8. International Data Transfers

Your information may be transferred to, and processed in, countries other than the country in which you reside. Our servers and sub-processors are located in India, the United States, and the European Union.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that transfers of personal data to countries outside these regions are protected by appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Sub-processor agreements with data protection obligations.
• Adequacy decisions by the European Commission, where applicable.

9. Your Rights Under GDPR

If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent local legislation:

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request that we correct inaccurate or incomplete personal data.
• Right to Erasure: You may request that we delete your personal data, subject to legal retention requirements.
• Right to Data Portability: You may request a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV).
• Right to Restriction of Processing: You may request that we restrict the processing of your personal data under certain circumstances.
• Right to Object: You may object to processing of your personal data based on legitimate interests, including profiling.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

To exercise any of these rights, contact us at mem0sethi@gmail.com. We will respond to your request within 30 days. If we need additional time, we will notify you of the extension and the reasons for the delay.

Legal basis for processing: We process your personal data based on (a) your consent (e.g., when you connect your advertising accounts), (b) the performance of our contract with you (i.e., providing the Service), (c) our legitimate interests (e.g., improving the Service, ensuring security), and (d) compliance with legal obligations.

Data Protection Officer: For data protection inquiries, please contact us at mem0sethi@gmail.com.

Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority.

10. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request details about the categories and specific pieces of personal information we collect, the sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share (as defined by the CCPA/CPRA) your personal information. Therefore, there is no need to opt out. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link on our website.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, contact us at mem0sethi@gmail.com or visit our Data Deletion Instructions page.

We will verify your identity before processing your request. We may ask you to confirm your email address and the advertising accounts connected to your account.

11. Cookies and Tracking Technologies

We use the following cookies and similar technologies:

• Essential cookies: Required for authentication and session management. These cannot be disabled.
• Analytics cookies: Used to understand how you interact with the Service. You can opt out of analytics cookies through your browser settings or by contacting us.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or retargeting.

12. Children’s Data

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will delete that information promptly. If you believe we have collected information from a child under 18, please contact us at mem0sethi@gmail.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new “Last updated” date and, for significant changes, by sending an email notification to the address associated with your account.

Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: mem0sethi@gmail.com
• Mailing address: New Delhi, India
• Data deletion requests: See our Data Deletion Instructions page or email mem0sethi@gmail.com