Privacy Policy

Last updated: April 7, 2026

Tartol ("we", "us", "our") operates the Tartol platform at tartol.com, including the web application, API, Chrome browser extension, and related services (collectively, the "Service"). This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored as a cryptographic hash, never in plaintext)
  • Timezone and avatar (if provided)

1.2 Billing Information

Payment processing is handled by Stripe, Inc. We do not store your full credit card number. Stripe collects and processes your payment details in accordance with Stripe's Privacy Policy. We store your Stripe customer ID, subscription status, plan type, and billing period for account management purposes.

1.3 Content You Provide

We store content you create or upload through the Service, including:

  • Brand information (names, logos, landing pages, brand guidelines)
  • Product details and images
  • Ad scripts and copy
  • AI-generated images, videos, and audio
  • Saved ads and board organizations
  • Campaign and task data

1.4 Usage Data

We automatically collect:

  • IP address and approximate geographic location (country level, derived from Cloudflare headers)
  • Browser type, device type, and operating system
  • Pages visited, features used, and actions taken within the Service
  • Timestamps of activity
  • Referral source and UTM parameters

1.5 Analytics and Session Data

We use PostHog (hosted in the EU) for product analytics. PostHog may record session replays of your interactions with the Service to help us improve usability. These recordings capture mouse movements, clicks, scrolls, and page content but do not capture passwords or payment information. You can opt out of session recording via your browser's Do Not Track setting.

1.6 Marketing Attribution

We collect advertising identifiers including Facebook Click ID (fbclid) and Google Click ID (gclid) when present in your referral URL. These are used to measure advertising effectiveness and are shared with Facebook (via Conversion API) and Google for attribution purposes.

1.7 Chrome Extension Data

If you install the Tartol Chrome Extension, it accesses data on Facebook Ad Library and Google Ads Transparency Center pages you visit. The extension reads ad information (creative content, advertiser details, ad text) from these pages and transmits it to our servers only when you explicitly choose to save an ad. The extension does not track your general browsing activity.

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process payments and manage subscriptions
  • Generate AI content (images, copy, audio, video) based on your inputs
  • Run compliance checks on your ad scripts
  • Send transactional emails (verification, password resets, billing notifications, team invitations)
  • Analyze usage patterns to improve product features
  • Measure advertising effectiveness
  • Detect and prevent fraud or abuse
  • Enforce our Terms of Service

3. Third-Party Services

We share data with the following categories of third-party providers, each governed by its own privacy policy:

3.1 AI Processing Providers

Content you submit for AI generation (text prompts, images, product descriptions) is sent to one or more of the following providers for processing:

  • Anthropic (Claude) — ad copy, scripts, compliance checks
  • OpenAI (GPT models) — text generation, transcription
  • Google (Gemini) — image generation, multimodal analysis
  • ElevenLabs — text-to-speech audio generation
  • Perplexity — product and market research

These providers process your content to return results and may retain data per their respective policies. We do not send your account credentials or payment information to AI providers.

3.2 Infrastructure and Storage

  • Supabase — database hosting and authentication
  • Cloudflare — CDN, R2 object storage for media files, Pages hosting
  • Google Cloud — backend worker services

3.3 Payments

  • Stripe — payment processing and subscription management

3.4 Communications

  • Resend — transactional email delivery

3.5 Analytics and Marketing

  • PostHog (EU-hosted) — product analytics and session recording
  • Facebook Conversion API — advertising attribution for trial signups and purchases

3.6 Ad Data

  • ScrapeCreators — retrieves publicly available ad data from the Facebook Ad Library and Google Ads Transparency Center for the Brand Tracker feature

4. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account or workspace:

  • Your workspace is deactivated and your data is no longer accessible through the Service
  • Billing records are retained as required by tax and accounting regulations
  • Aggregated, anonymized analytics data may be retained indefinitely
  • Backup copies may persist for up to 90 days before full deletion

You may request complete deletion of your personal data by contacting us at the address below.

5. Data Security

We use industry-standard measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Hashed passwords (never stored in plaintext)
  • Server-side API keys (never exposed to client browsers)
  • Role-based access controls for team workspaces
  • Signed, expiring URLs for stored media

No system is 100% secure. We cannot guarantee absolute security but will notify affected users promptly in the event of a data breach.

6. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential cookies — authentication tokens, session management
  • Analytics cookies — PostHog for product usage analytics
  • Marketing cookies — Facebook and Google advertising attribution

You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the Service.

7. International Data Transfers

Your data may be processed in the United States, European Union, and other countries where our service providers operate. By using the Service, you consent to the transfer of your information to these locations. Where required, we rely on standard contractual clauses or equivalent safeguards for international transfers.

8. Your Rights

Depending on your location, you may have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your personal data
  • Portability — request a machine-readable export of your data
  • Objection — object to processing of your data for certain purposes
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@tartol.com. We will respond within 30 days.

8.1 California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell your personal information.

8.2 European Economic Area and UK Residents (GDPR)

If you are in the EEA or UK, our legal bases for processing are: performance of our contract with you (providing the Service), legitimate interests (improving the Service, fraud prevention), consent (marketing communications, analytics), and legal obligations (tax records). You have the right to lodge a complaint with your local data protection authority.

9. Children

The Service is not directed to anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or through a notice in the Service. Continued use after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or requests: