Privacy Policy

Version 2.3 · February 27, 2026

Addi, Inc. -- Privacy Policy
Effective Date: February 12, 2026
Last Updated: February 12, 2026

1. Introduction and Scope

Addi, Inc. ("Addi," "we," "us," or "our"), a Delaware corporation located in Kansas City, Missouri, provides this Privacy Policy to describe how we collect, use, disclose, and protect information when you use the Addi platform, website, and related services (collectively, the "Services"). This Privacy Policy applies to all users of the Services.

Addi is an AI-powered platform that helps small businesses create and launch professional audio, video, and display advertisements. The platform builds brand profiles using publicly available data, generates on-brand ads, and connects to advertising platforms including Spotify, TikTok, YouTube, and others to manage, publish, and monitor advertising campaigns.

By accessing or using the Services, you acknowledge that you have read and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

We do not sell your Personal Information to third parties. We share data only with service providers who process it on our behalf to deliver the Services, as described in this Policy.

1.1 Data Controller and Processor Roles

For purposes of data protection law, Addi is the data controller for information we collect directly from you (such as account data and usage data). When we process data on your behalf -- such as brand materials you provide, ad content we generate at your direction, or audience data from your connected Advertising Platform accounts -- Addi acts as a data processor on your instructions.

2. Information We Collect

2.1 Information You Provide Directly

- Account Information: Name, email address, business name, phone number. Purpose: Account creation, authentication, communication.
- Billing Information: Payment method details, billing address, transaction history. Purpose: Subscription processing, invoicing (processed by third-party payment processor; not stored on our servers).
- Brand Information: Business name, website, industry, logos, images, colors, brand voice, target audience descriptions, campaign goals. Purpose: Building brand profiles, generating advertisements.
- Ad Content and Inputs: Text, images, audio, video, scripts, prompts, creative briefs you submit. Purpose: AI content generation, ad creation.
- Communications: Support tickets, feedback, survey responses. Purpose: Customer support, service improvement.

2.2 Information from Connected Advertising Platforms

When you connect your Advertising Platform accounts (e.g., Spotify Ad Studio, TikTok Ads Manager, YouTube/Google Ads, Meta Ads Manager) to the Services, we may collect:

- Campaign Data: Campaign names, settings, budgets, schedules, ad creative assets, bid strategies. Purpose: Campaign management, optimization.
- Audience Data: Audience segment definitions, demographic information, interest categories, custom audience parameters. Purpose: Ad targeting, audience insights.
- Performance Analytics: Impressions, clicks, conversions, engagement rates, cost-per-action metrics, reach. Purpose: Performance reporting, optimization.
- Customer Lists: Hashed email addresses or phone numbers uploaded to ad platforms for custom audiences. Purpose: Audience targeting as directed by you.
- Account Metadata: Ad account IDs, account status, connected pages/profiles. Purpose: Service delivery, platform integration.

Important: We access Advertising Platform Data solely to provide the Services on your behalf and as your data processor. We do not use your Advertising Platform Data for our own marketing or advertising, to serve other customers, or to contact individuals in your audience segments. We do not sell your Advertising Platform Data.

2.3 Information from Third-Party Data Sources

Our brand profiling features compile publicly available and API-sourced information about your business from the following sources:

- Yelp (Yelp Fusion API): Business descriptions, ratings, review excerpts, categories, hours. Purpose: Brand profile enrichment.
- Google Maps (Autocomplete API): Business name and address identification. Purpose: Brand identification and verification.
- Brandfetch: Logos, colors, fonts, social media links. Purpose: Brand visual identity.
- Infegy: Social media sentiment, brand perception analytics. Purpose: Market intelligence for ad relevance.

This information pertains to businesses, not individuals, and is used solely to build and refine brand profiles for ad creation. Addi does not guarantee the accuracy, completeness, or timeliness of third-party data. You may review and edit your brand profile within the Services.

2.4 Information Collected Automatically

- Usage Data: Features used, actions taken, pages viewed, session duration, ad creation history. Purpose: Product improvement, analytics.
- Device and Technical Data: Device type, operating system, browser type/version, screen resolution. Purpose: Service optimization, troubleshooting.
- Log Data: IP addresses, access times, referring URLs, error logs, timestamps. Purpose: Security, fraud prevention, diagnostics.
- Inferences: Brand sentiment, target audience characteristics, brand positioning. Purpose: Brand profiling, ad recommendations.

2.5 Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

- Essential: Authentication, security, core service functionality. Cannot be disabled. Lifespan: Session or up to 1 year.
- Analytics: Understanding how users interact with the Services (e.g., PostHog). Lifespan: Up to 2 years.
- Preference: Remembering your settings and preferences. Lifespan: Up to 1 year.
- Marketing: Measuring effectiveness of Addi's own advertising campaigns and tracking ad performance. Lifespan: Up to 1 year.

We do not serve third-party advertisements within the Services.

For users in the EEA and UK: Analytics, preference, and marketing cookies are placed only after you provide consent through our cookie consent manager. You may withdraw consent at any time.

Do Not Track: We do not currently respond to Do Not Track browser signals, as there is no accepted industry standard for doing so.

3. How We Use Your Information

3.1 Service Delivery and Operations

- Providing, operating, and maintaining the Services, including AI-powered ad generation, brand profiling, and Advertising Platform integrations
- Processing your subscriptions and payments
- Authenticating your account and managing access via WorkOS
- Providing customer support and responding to inquiries

3.2 AI Content Generation

- Processing your Inputs (prompts, brand data, creative briefs) through AI foundation models to generate advertising content ("Outputs")
- We submit your Inputs to third-party AI model providers solely for the purpose of generating Outputs
- We maintain contractual agreements with these providers prohibiting them from using your data to train their models

3.3 Product Improvement

- Analyzing usage patterns to improve the Services and develop new features
- Generating aggregated, de-identified analytics and benchmarks
- With your opt-in consent only: using de-identified Content to improve Addi's AI models and recommendation systems

3.4 Security and Compliance

- Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues
- Enforcing our Terms of Service and Acceptable Use Policy
- Complying with legal obligations, including responding to lawful requests from public authorities

3.5 Communications

- Sending transactional communications (e.g., subscription confirmations, billing notices, security alerts)
- With your consent: sending product updates, feature announcements, and marketing communications. You may opt out at any time.

4. How We Share Your Information

We do not sell your Personal Information. We share information only in the following circumstances:

4.1 Service Providers and Sub-Processors

We share information with trusted third-party service providers who perform services on our behalf:

- Cloud Infrastructure: DigitalOcean. Data Shared: All data (encrypted at rest and in transit).
- Authentication: WorkOS. Data Shared: Account credentials, authentication tokens.
- Payment Processing: Stripe, Square. Data Shared: Billing information only.
- AI Model Providers: OpenAI, OpenRouter, Cerebras. Data Shared: Input content for generation purposes only.
- Brand Data Sources: Yelp, Google Maps, Brandfetch, Infegy. Data Shared: Business identifiers (name, address, URL).
- Product Analytics: PostHog. Data Shared: De-identified usage data.
- Email / Communications: Mailgun. Data Shared: Email addresses, communication content.

All service providers are bound by data processing agreements that restrict their use of your data to the purposes specified by Addi and require appropriate security measures.

Sub-Processor Changes: We will provide at least 30 days' notice before adding new service providers that process your Personal Information in materially different ways. Notice will be provided via email or through the Services. Our current sub-processor list is maintained at https://addi.com/subprocessors. If you object, you may terminate your account in accordance with our Terms of Service.

4.2 Advertising Platforms

When you use the Services to create and publish advertisements, we transmit ad content and campaign configurations to your connected Advertising Platforms on your behalf and at your direction. This includes ad creative assets, targeting parameters, budgets, and schedules.

4.3 Legal Requirements and Safety

We may disclose your information if required by law or in good faith belief that disclosure is necessary to: (a) comply with a legal obligation, court order, or lawful request by public authorities; (b) protect and defend the rights or property of Addi; (c) prevent fraud or address security or technical issues; (d) protect the personal safety of users or the public.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Services before your Personal Information becomes subject to a different privacy policy. You will have the opportunity to delete your account and data before such transfer takes effect.

4.5 Aggregated Data

We may share aggregated, de-identified data that cannot reasonably be used to identify you for research, analytics, or other business purposes.

4.6 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5. Advertising Platform Data

This section provides additional detail about how we handle data from your connected Advertising Platform accounts.

5.1 Data Processor Role

When processing Advertising Platform Data (campaign data, audience data, performance analytics, customer lists), Addi acts as a data processor on your behalf. We process this data solely in accordance with your instructions and as necessary to provide the Services.

5.2 Limitations on Use

We do not use your Advertising Platform Data to:

- Serve other customers or build advertising profiles for our own purposes
- Train AI models (unless you opt in to anonymized, aggregated model improvement)
- Contact individuals in your audience segments or customer lists
- Combine your Advertising Platform Data with data from other Addi customers

5.3 Platform-Specific Compliance

We comply with the data use policies of each integrated Advertising Platform, including:

- Google API Services User Data Policy, including Limited Use requirements
- Meta Platform Terms and Developer Data Use Policy
- TikTok Developer Terms and data handling requirements
- Spotify Developer Terms and API usage policies

5.4 Data Deletion

Upon your request, or upon disconnecting an Advertising Platform account, we will delete the associated Advertising Platform Data from our active systems within 30 days, except as required to comply with legal obligations or our data retention policy.

5.5 Customer Lists

If you upload or connect customer lists (e.g., email lists for custom audience targeting), you represent and warrant that you have obtained all necessary consents and have a lawful basis for sharing this data with Addi and the relevant Advertising Platforms. Addi processes customer lists solely to facilitate audience targeting at your direction.

6. AI and Automated Processing

6.1 AI Content Generation

The Services use artificial intelligence, including third-party foundation models, to generate advertising content based on your Inputs. When you submit Inputs, they are processed by our AI systems (and, where necessary, transmitted to third-party AI model providers) to produce Outputs.

6.2 Third-Party AI Providers

We use third-party foundation model providers to power AI features. We maintain data processing agreements with these providers that: (a) prohibit them from using your Inputs or Outputs to train their models; (b) require them to delete your data after processing; and (c) impose confidentiality obligations.

6.3 AI Model Improvement

By default, we do not use your Content (Inputs, Outputs, or Advertising Platform Data) to train or improve AI models. If you choose to opt in through your account settings, we may use de-identified, aggregated versions of your Content to improve the Services. You may opt out at any time, and opting out applies prospectively.

6.4 Automated Decision-Making

The Services use automated processing to generate ad content and provide recommendations (e.g., ad format suggestions, creative approaches based on your industry and audience). These automated processes assist you but do not make final decisions without your review and approval. You maintain full control over what content is created and published.

6.5 Human Review

Addi may use human reviewers to examine content for: safety and trust investigations, quality assurance, legal compliance, and customer support. Reviewers are bound by confidentiality agreements, and access is limited to authorized personnel on a need-to-know basis.

7. Data Retention

We retain your information only for as long as necessary to fulfill the purposes described in this Policy, or as required by law:

- Account Information: Duration of account + 30 days after deletion.
- Billing and Transaction Records: 7 years (tax and legal compliance).
- Brand Information and Ad Content (Inputs/Outputs): Duration of account + 90 days (exportable during this period).
- Advertising Platform Data: Duration of platform connection + 30 days after disconnection.
- Usage and Log Data: 24 months from collection.
- Cached Data (brand profiles, session data): 24 hours (automatically cleared).
- Customer Support Records: Account duration + 90 days.
- Flagged Content (violations): Up to 1 year for investigation.
- Cookie Data: See cookie-specific durations in Section 2.5.
- Aggregated / De-Identified Data: Retained indefinitely (cannot identify you).

You may request deletion of your data at any time through account settings or by contacting [email protected]. We will process deletion requests within 30 days, except where retention is required by law.

8. Data Security

We implement industry-standard technical and organizational measures to protect your information, including:

- Encryption: AES-256 encryption at rest; TLS 1.2+ encryption in transit for all data
- Authentication: Secure authentication via WorkOS with support for multi-factor authentication (MFA)
- Access Controls: Role-based access controls limiting employee access to personal data on a need-to-know basis
- Infrastructure: Hosted on DigitalOcean with commercially reasonable security practices
- Monitoring: Security monitoring, intrusion detection, and automated alerting
- Vendor Security: Security assessments and data processing agreements with all sub-processors
- Breach Notification: Documented incident response procedures with commitment to notify affected users within 72 hours of discovering a data breach

No method of transmission or storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

To report security vulnerabilities: Contact [email protected].

9. Your Privacy Rights

9.1 Rights for All Users

Regardless of your location, you may:

- Access your personal information through your account settings or by contacting us
- Correct inaccurate or incomplete account information through your account settings
- Delete your account and associated data by contacting [email protected]
- Export your data in a machine-readable format
- Opt out of marketing communications via the unsubscribe link in any marketing email
- Opt out of having your aggregated data used for AI model improvement
- Manage cookies through our cookie preference center or your browser settings

To exercise these rights, contact [email protected] or use the privacy controls in your account settings. We will not discriminate against you for exercising your rights.

9.2 California Residents -- CCPA/CPRA

If you are a California resident, you have the following additional rights:

- Right to Know: Request disclosure of what Personal Information we collect, use, and share.
- Right to Delete: Request deletion of your Personal Information.
- Right to Correct: Request correction of inaccurate Personal Information.
- Right to Opt-Out: Opt out of the "sale" or "sharing" of Personal Information (we do not sell your data).
- Right to Limit: Limit use of sensitive Personal Information.
- Right to Non-Discrimination: Not be discriminated against for exercising your rights.

Categories of Personal Information Collected (Prior 12 Months):

A. Identifiers (name, email, IP address) -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.
B. Personal info per Cal. Civ. Code § 1798.80(e) -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.
C. Protected classification characteristics -- Collected: No, Sold: No, Shared for Behavioral Ads: No.
D. Commercial information (transactions, subscriptions) -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.
E. Biometric information -- Collected: No, Sold: No, Shared for Behavioral Ads: No.
F. Internet or network activity (usage data) -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.
G. Geolocation data (IP-derived, approximate) -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.
H. Sensory data (audio/video you upload) -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.
I. Professional information (job title, business) -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.
J. Education information -- Collected: No, Sold: No, Shared for Behavioral Ads: No.
K. Inferences drawn from above -- Collected: Yes, Sold: No, Shared for Behavioral Ads: No.

Global Privacy Control (GPC): We honor Global Privacy Control signals from your browser.

Authorized Agents: Authorized agents may submit requests on your behalf with (a) signed written authorization from the consumer, or (b) a valid power of attorney. We may contact the consumer directly to verify the request.

To exercise your rights: Contact [email protected] or call 1-844-780-ADDI. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).

9.3 EEA, UK, and Switzerland -- GDPR

If you are located in the European Economic Area, United Kingdom, or Switzerland, the following applies:

Legal Bases for Processing:

- Account creation and service delivery: Performance of contract (Art. 6(1)(b))
- Payment processing: Performance of contract (Art. 6(1)(b))
- AI content generation: Performance of contract (Art. 6(1)(b))
- Advertising Platform integrations: Performance of contract (Art. 6(1)(b))
- Security and fraud prevention: Legitimate interests (Art. 6(1)(f))
- Usage analytics and product improvement: Legitimate interests (Art. 6(1)(f))
- Marketing communications: Consent (Art. 6(1)(a))
- AI model improvement (opt-in): Consent (Art. 6(1)(a))
- Legal compliance: Legal obligation (Art. 6(1)(c))

Your GDPR Rights:

- Right of Access (Art. 15): Request a copy of your personal data
- Right to Rectification (Art. 16): Correct inaccurate personal data
- Right to Erasure (Art. 17): Request deletion ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing
- Right to Data Portability (Art. 20): Receive data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Withdraw Consent: At any time, without affecting lawfulness of prior processing
- Lodge a Complaint: File a complaint with your local supervisory authority

To exercise your rights: Contact [email protected]. We will respond within 30 days.

Right to Object (detail): To exercise the right to object to processing based on legitimate interests, contact [email protected] describing the specific processing activity and grounds for objection. We will cease the relevant processing unless we demonstrate compelling legitimate grounds that override your interests.

Data Controller: Addi, Inc., 117 W. 20th Street, Suite 202, Kansas City, MO 64108

Data Protection Contact: [email protected]

EU Representative: If the nature and volume of our processing of EU personal data requires appointment of an EU representative under GDPR Article 27, we will appoint one and update this section. For EU data subject inquiries, contact [email protected].

9.4 Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and port personal information, and to opt out of targeted advertising and profiling.

Universal Opt-Out Signals: We honor universal opt-out preference signals, including Global Privacy Control (GPC), as required by applicable state laws including the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Montana Consumer Data Privacy Act, and Oregon Consumer Privacy Act. When we detect a recognized universal opt-out signal, we will treat it as a valid request to opt out of the sale or sharing of personal information and targeted advertising for that browser or device.

To exercise your rights: Contact [email protected] or call 1-844-780-ADDI.

Appeals Process: If we decline your request, you have the right to appeal. Send appeals to [email protected] with "Privacy Rights Appeal" in the subject line. We will respond within 60 days.

10. International Data Transfers

Addi is based in the United States, and your information is processed and stored in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States.

For EEA/UK/Swiss users, we rely on the following mechanisms for lawful international data transfers:

- EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework (if and when Addi is certified)
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with sub-processors

Data Processing Addendum: Enterprise customers may request a DPA incorporating Standard Contractual Clauses by contacting [email protected].

11. Children's Privacy

The Services are designed for business users and are not directed at children under the age of 18. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact [email protected].

Advertising Directed at Children: If you use the Services to create advertisements directed at children or for products and services intended for children, you are solely responsible for compliance with the Children's Online Privacy Protection Act (COPPA), applicable Advertising Platform policies regarding ads to minors, and all other applicable child protection laws. See Section 7 of our Terms of Service for additional obligations regarding advertising compliance, including the requirement to review all AI-generated content before publication.

12. Third-Party Links

The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes by posting the updated Policy on our website and sending notice to the email address associated with your account. The "Last Updated" date at the top indicates when it was last revised. Your continued use of the Services after the effective date constitutes acceptance.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Addi, Inc.
117 W. 20th Street, Suite 202
Kansas City, MO 64108

Privacy and data rights requests: [email protected]
Security issues: [email protected]