Privacy Policy

1. Who We Are

Sycado ("Sycado," "we," "our," or "us") operates the AI marketing automation platform available at sycado.polsia.app and any associated domains. Sycado is a product of Polsia, Inc.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, or services (collectively, the "Service").

By using the Service, you agree to this Privacy Policy. If you disagree with any part of this policy, please discontinue use of the Service.

2. Information We Collect

Information You Provide

• Account data: Name, email address, password (hashed), and company name when you register.
• Billing data: Payment card details processed by our payment processor (Stripe). We do not store raw card numbers — Stripe handles PCI compliance.
• Content you create: Campaign briefs, target audience data, uploaded assets, brand guidelines, and any text, images, or instructions you submit to the platform.
• Communications: Messages you send us via support, email, or in-app chat.
• Integration credentials: OAuth tokens for connected services (Google Ads, Facebook, LinkedIn, etc.) when you authorize connections. These are encrypted at rest.

Information Collected Automatically

• Usage data: Pages visited, features used, campaign results, clicks, session duration, and error logs.
• Device data: IP address (anonymized after processing), browser type, operating system, and device identifiers.
• Analytics: Aggregate usage metrics to understand platform performance and improve features.

Information from Third Parties

• Data from connected advertising platforms (Google Ads, Meta, LinkedIn) when you authorize integrations — used solely to operate your campaigns.
• Public data from sources you direct us to research (websites, social profiles) as part of AI-driven research tasks.

3. How We Use Your Information

We use the information we collect to:

• Provide and operate the Service — including running AI marketing agents, distributing content, generating campaigns, and delivering analytics.
• Process payments — billing for subscriptions and handling upgrades, downgrades, and cancellations.
• Communicate with you — transactional emails (receipts, security alerts), product updates, and marketing (which you can opt out of).
• Improve the platform — analyzing usage patterns and errors to improve AI quality and platform performance. We use aggregated, de-identified data for this purpose.
• Security and fraud prevention — detecting abuse, spam, and unauthorized use.
• Legal compliance — fulfilling obligations under applicable laws and responding to lawful requests from authorities.

We do not sell your personal data to third parties. Period.

4. AI Processing & Generated Content

How AI Processes Your Data

Sycado uses large language models (LLMs) and AI systems (including Anthropic Claude and OpenAI models) to generate marketing content, analyze data, run agents, and automate campaigns. When you submit content briefs, brand guidelines, or other inputs, these are sent to AI providers as part of processing your requests.

AI Provider Data Practices

Our primary AI providers (Anthropic, OpenAI) process your inputs to generate outputs. We have agreements with these providers that restrict their use of your data. They do not use your prompts or outputs to train their public models unless you separately opt in to their programs. For specifics, refer to Anthropic's Privacy Policy and OpenAI's Privacy Policy.

Your AI-Generated Content

You own the content generated through your use of Sycado. AI-generated outputs — blog posts, ad copy, social posts, campaign strategies — belong to you, subject to the Terms of Service. We do not claim ownership over your generated content.

Training Opt-Out

We do not use your specific prompts, brand data, or generated content to fine-tune or train AI models without your explicit written consent. Aggregate, fully de-identified usage statistics (e.g., "users run X campaigns per week") may be used internally to improve platform quality.

5. Data Sharing

We share your information only in these circumstances:

• Service providers: Trusted vendors that help us operate (Stripe for payments, Neon/PostgreSQL for data storage, Render for hosting, Anthropic/OpenAI for AI, Cloudflare R2 for storage, Postmark for email). These providers are contractually bound to protect your data and use it only as directed.
• Connected platforms: When you authorize integrations (Google Ads, Meta, LinkedIn, etc.), we share data with those platforms as necessary to run your campaigns. This is always under your direction and control.
• Business transfers: If Sycado is acquired or merges with another company, your data may transfer as part of the transaction. We'll notify you before this happens.
• Legal requirements: If required by law, subpoena, or court order, we may disclose data to authorities. We'll notify you unless legally prohibited.
• Protection of rights: We may share data to prevent fraud, enforce our Terms of Service, or protect the rights and safety of users and the public.

We do not sell, rent, or trade your personal data with third parties for their own marketing purposes.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account data: Retained while your account is active. Deleted within 90 days of account closure upon request.
• Billing records: Retained for 7 years to comply with tax and financial regulations.
• Campaign content and AI outputs: Retained while your account is active. Exported or deleted upon account closure.
• Usage logs: Retained for up to 12 months for debugging and analytics, then aggregated or deleted.
• OAuth tokens: Deleted immediately when you disconnect an integration, or upon account closure.

You can request deletion of your data at any time by emailing privacy@sycado.com.

7. Security

We take security seriously and implement industry-standard protections:

• Encryption in transit: All data is transmitted over HTTPS/TLS.
• Encryption at rest: Sensitive data including OAuth tokens and credentials are encrypted using AES-256-GCM.
• Access controls: Database access is restricted to authorized systems and personnel. Production access requires multi-factor authentication.
• Password hashing: Passwords are hashed with bcrypt. We never store plain-text passwords.
• Monitoring: We monitor systems for anomalous activity and potential security incidents.

No system is 100% secure. If you discover a vulnerability, please contact us at security@sycado.com before disclosing it publicly.

If a data breach occurs that affects your personal information, we will notify you within 72 hours of discovery as required by applicable law.

8. Cookies & Tracking

We use cookies and similar technologies to:

• Essential cookies: Keep you logged in and maintain session state. Required for the platform to function.
• Analytics cookies: Understand how users interact with the platform to improve it. We use anonymized, aggregate data.
• Preference cookies: Remember your settings and preferences.

We do not use third-party advertising trackers or cross-site behavioral tracking cookies. You can disable cookies in your browser settings, though this may affect platform functionality.

We may use pixel tracking in emails to measure open rates. You can opt out of marketing emails at any time.

9. Your Rights

Depending on your location, you may have rights including:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data ("right to be forgotten").
• Portability: Request a machine-readable export of your data.
• Opt-out of marketing: Unsubscribe from marketing emails at any time using the link in any email, or by emailing us.
• Object to processing: Object to certain uses of your data.

To exercise any of these rights, email privacy@sycado.com. We'll respond within 30 days. Identity verification may be required before we process certain requests.

California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information. For CCPA requests, email privacy@sycado.com.

European Residents (GDPR)

If you are in the European Economic Area (EEA) or UK, we process your data under lawful bases including contract performance (to provide the Service), legitimate interests (to improve the platform, prevent fraud), and consent (for marketing). You have rights under the GDPR as described above. To contact our data controller, email privacy@sycado.com.

10. Children's Privacy

Sycado is not intended for anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we discover we have collected data from a child under 16, we will delete it promptly. If you believe we have collected data from a minor, contact us at privacy@sycado.com.

11. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Email registered users at the address on file.
• Display an in-app notification for significant changes.

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

Questions, requests, or concerns about this Privacy Policy? Reach us:

• Email: privacy@sycado.com
• Support: sycado.polsia.app/help
• General inquiries: hello@sycado.com

We aim to respond to all privacy-related inquiries within 5 business days.