Privacy Policy
Last updated: May 18, 2026
This Privacy Policy describes how AdLit ("AdLit", "we", "us", or "our") collects, uses, stores, and shares information when you use adlit.ai and the AdLit dashboard at app.adlit.ai (together, the "Service").
1. Information we collect
We collect three categories of data:
- Account information. Name, email address, and a hashed authentication identifier from our auth provider (Supabase). If you sign in with Google, we also receive your profile name and avatar URL. We never see or store your password.
- Billing information. Stripe processes all payments. We store a Stripe customer ID and subscription metadata (plan, status, billing period) but never see card numbers — Stripe handles those directly under PCI DSS.
- Content you submit. The prompts, audio, images, and video you upload to generate ads, plus the videos AdLit produces from them. These are stored in AWS S3 (region: eu-north-1).
- Usage and diagnostics. Logged HTTP request metadata (path, status, timestamp, user-agent, user ID), Sentry crash reports, and aggregate product analytics via PostHog.
2. How we use your information
- Provide, operate, and improve the Service.
- Process payments, send receipts, and manage subscriptions through Stripe.
- Send transactional emails (account confirmation, password reset, billing notices) through Resend.
- Detect and prevent abuse, fraud, and security incidents.
- Comply with legal obligations and respond to lawful requests.
We do not sell your personal information to third parties. We do not use your uploaded content to train external generative models.
3. Service providers (subprocessors)
We share data with the following processors strictly to operate the Service:
- Supabase — authentication and identity management.
- Stripe — payment processing and subscription billing.
- Amazon Web Services (AWS) — S3 object storage for uploaded and generated media (EU North 1 region).
- Fal.ai — AI video generation pipelines.
- HeyGen — talking-actor avatar generation (Type 1 flow).
- OpenAI — prompt enhancement for gesture generation (Type 4 flow).
- ElevenLabs — text-to-speech for lip-sync flows.
- Resend — transactional email delivery.
- PostHog — product analytics (aggregate, non-PII event data).
- Sentry — error monitoring and crash diagnostics.
- Vercel — web application hosting for app.adlit.ai and adlit.ai.
4. Your rights (GDPR, UK GDPR, CCPA)
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct or update inaccurate personal data.
- Delete your account and associated data.
- Export your data in a portable format.
- Object to or restrict certain processing activities.
- Withdraw consent for processing where consent is the legal basis.
To exercise any of these rights, email contact@adlit.ai. We will respond within 30 days.
5. Data retention
Account and billing records are retained for the life of your account plus the period required by applicable tax and accounting law (typically 7 years). Generated media and uploaded inputs are retained while your account is active and for 30 days after account deletion, after which they are permanently removed from S3. Logs and diagnostic data are retained for 90 days.
6. Cookies and tracking
We use first-party cookies set by Supabase to maintain your signed-in session, and PostHog cookies for product analytics. We do not use third-party advertising cookies. You can clear cookies in your browser settings; signing out will invalidate your session cookie.
7. Children
AdLit is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe we have collected such data, contact us and we will delete it.
8. International transfers
Some subprocessors are located in the United States. Where data is transferred from the EU/UK to the US, we rely on the appropriate transfer mechanism (Standard Contractual Clauses, EU-US Data Privacy Framework, or equivalent).
9. Security
We use industry-standard safeguards: HTTPS everywhere, encryption at rest for stored media, presigned URLs for S3 uploads, httpOnly cookies for session tokens, and least-privilege IAM policies for backend systems. No system can be guaranteed perfectly secure; report suspected vulnerabilities to contact@adlit.ai.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date above reflects the latest revision. Material changes will be announced by email or in-app notice before they take effect.
11. Contact
Questions or complaints about this policy can be sent to contact@adlit.ai.