Privacy Policy

Last updated: April 15, 2026 · Effective: April 15, 2026

1. Introduction

This Privacy Policy describes how phas3 ("phas3," "we," "us," or "our") collects, uses, discloses, and protects information when you use our website at phas3.ai, our web and mobile applications, and related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this policy.

phas3 is an AI-powered marketing platform that connects to third-party services (including advertising networks and e-commerce platforms) on your behalf, analyzes your marketing performance, and may take actions on your connected accounts when you authorize it to do so. Because of this scope, we handle sensitive business data, and this policy explains exactly how.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: name, email address, password (stored as a cryptographic hash — we never see your plaintext password).
  • Business profile: business name, industry, website URL, monthly marketing budget range, geographic location, and any other business details you enter during onboarding or in Settings.
  • Payment information: processed through Stripe, Inc. We do not store full card numbers or CVV codes on our servers — only the last four digits, card brand, expiration, and a Stripe customer identifier needed to manage your subscription.
  • Communications: the contents of support requests, bug reports, feedback, and chat conversations you have with our AI.
  • Preferences: notification settings, autopilot thresholds, theme preferences, and other product settings.

2.2 Information From Connected Integrations

When you connect a third-party service through OAuth, we receive access tokens and data from that service on your behalf. The specific data varies by integration:

  • Meta Ads (Facebook & Instagram): ad account IDs, campaign names, ad set and ad metadata, daily and lifetime performance metrics (spend, impressions, clicks, conversions, CTR, CPC, CPL), ad creative content, page and Pixel data, audience targeting configurations, and historical data dating back to the earliest date your account has records.
  • Google Ads: customer IDs, campaign and ad group structure, keyword performance, ad copy, budget and bidding settings, conversion data, and historical performance metrics.
  • TikTok Ads: advertiser IDs, campaign and ad metadata, performance metrics, creative assets, and historical performance data.
  • Shopify: shop domain, order data (order totals, line items, product IDs, customer counts, refunds), product catalog information, and webhook events related to orders and fulfillment.
  • Square: merchant ID, order history, catalog items, transaction summaries, refund data, and customer counts (new vs. returning).

We store OAuth access tokens and refresh tokens in encrypted form (AES-256-GCM) and use them only to perform the actions you authorize. We do not store, sell, or share these tokens with any third party except as strictly required to deliver the Service (for example, making an authenticated API call back to the platform that issued the token).

Deletion on disconnect: when you disconnect an integration from Settings (or revoke access from the upstream platform), we immediately and permanently delete all data we received from that integration — including access and refresh tokens, campaign snapshots, ad snapshots, creative metadata, order and transaction data, webhook records, and any derived metrics or insights tied to that connection. This deletion is irreversible and happens at the moment of disconnection, not on a schedule. Residual copies may remain in encrypted database backups for up to 30 days (see Section 7) before those backups expire and are overwritten.

2.3 Information We Collect Automatically

  • Usage data: pages and screens you view, features you interact with, timestamps, and interactions with the AI chat.
  • Device and connection data: IP address, browser type and version, operating system, device identifiers, language preferences, referring URL, and general location (city or region level, derived from IP).
  • Cookies and similar technologies: we use first-party cookies for authentication and session management, and third-party analytics cookies (Vercel Analytics, Google Analytics, Meta Pixel) to understand aggregate product usage and measure marketing performance. See Section 8 for details.
  • Error and performance data: stack traces, error messages, and performance metrics used to diagnose and improve the Service.

2.4 Information From Website Audits

When you request a website audit, our system crawls the public pages of the URL you provide and fetches publicly available performance data from Google PageSpeed Insights. We store the crawl results (HTML content summaries, page metadata, links, and structured data) and the PageSpeed scores in our database. We only crawl URLs you explicitly provide or that are publicly linked from those URLs; we do not crawl the broader internet.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide the Service: authenticate you, sync data from your connected integrations, generate AI-powered recommendations and briefings, run website audits, and execute actions you authorize (including autopilot actions on ad accounts).
  • To generate AI outputs: we send a subset of your business data — including campaign names, ad performance metrics, product names, website content, and questions you ask in chat — to OpenAI's API to generate responses, briefings, and analyses. See Section 4 for details on our AI usage.
  • To process payments: Stripe handles all payment processing. We use payment data to manage your subscription, process renewals, issue refunds where applicable, and detect fraud.
  • To communicate with you: respond to support requests, send critical service notifications (billing, security, integration errors), send optional weekly digest emails if you opt in, and notify you of significant events in your marketing accounts.
  • To improve the Service: analyze aggregate, de-identified usage patterns to improve product features, fix bugs, and enhance AI output quality. We do not use your business data or chat contents to train publicly available AI models.
  • To comply with legal obligations: respond to valid legal requests, enforce our Terms of Service, prevent fraud, and protect the rights and safety of our users and third parties.

4. AI and Automated Processing

phas3 is fundamentally an AI product. The following information is important to understand:

  • Third-party AI provider: we use OpenAI, LLC to power our AI features. Your chat messages, business data, campaign names, product names, website content, and other information are transmitted to OpenAI's API to generate responses. OpenAI's data handling practices are described in their privacy policy at openai.com/policies/privacy-policy. We have a business agreement with OpenAI under which they do not use API inputs or outputs to train their models by default.
  • Automated decision-making: when you enable Autopilot, our AI may take automated actions on your connected ad accounts (including pausing campaigns, adjusting daily budgets, and reallocating spend between campaigns) based on thresholds you configure. These actions are logged and you can review them at any time. You may disable Autopilot entirely from Settings.
  • AI output accuracy: AI-generated recommendations, briefings, and analyses are probabilistic outputs and may contain errors, omissions, or hallucinated information. You should verify any AI output before acting on it, especially for decisions involving significant spend or strategic direction.
  • No training on your data: we do not use your conversations, business data, or integration data to train, fine-tune, or benchmark any AI model, whether our own, OpenAI's, or any third party's.

5. How We Share Information

We do not sell your personal information. We share information only in the circumstances listed below.

5.1 Service Providers (Sub-Processors)

We use the following categories of service providers to operate the Service. Each has access only to the data needed to perform its specific function, and each is contractually bound to protect your information:

  • Supabase, Inc. — database hosting, authentication infrastructure
  • Vercel, Inc. — application hosting, edge compute, analytics
  • OpenAI, LLC — AI inference (chat responses, briefings, analyses)
  • Stripe, Inc. — payment processing, subscription management
  • Resend, Inc. — transactional and digest email delivery
  • Google LLC — PageSpeed Insights API for website performance data, Google Analytics for aggregate usage data
  • Meta Platforms, Inc. — Meta Pixel for conversion tracking on our marketing pages (only if you visit our public website)
  • Browserless.io — website crawling infrastructure used during audits

5.2 Advertising Platforms You Connect

When you connect a platform (e.g., Meta Ads) and authorize an action, we send that action to the platform's API. This necessarily involves transmitting your instructions (and, as applicable, your data) to that platform. We do not initiate data transfers to platforms you have not connected.

5.3 Legal Disclosures

We may disclose information if we believe in good faith that doing so is necessary to: (a) comply with a law, regulation, subpoena, court order, or other legal process; (b) enforce our Terms of Service; (c) prevent fraud, abuse, or harm to our users, the Service, or third parties; or (d) protect our legal rights.

5.4 Business Transfers

If phas3 is involved in a merger, acquisition, reorganization, financing, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control via email or a prominent notice on the Service, and any successor will be bound by this Privacy Policy or a substantially similar one unless you consent to different terms.

5.5 With Your Consent

We will share information in any other circumstance only with your explicit, prior consent.

6. Data Security

We take information security seriously and implement technical and organizational measures designed to protect your data, including:

  • Encryption in transit using TLS 1.2 or higher for all traffic between your browser or device and our servers.
  • Encryption at rest for sensitive credentials (OAuth access and refresh tokens are encrypted using AES-256-GCM with keys stored separately from the encrypted data).
  • Row-Level Security (RLS) policies in our database that enforce strict separation between the data of different users, so that one user cannot access another user's information.
  • Rate limiting, input validation, and prompt-injection defenses on all API endpoints and AI interactions.
  • Principle-of-least-privilege access controls for employees and contractors who may need limited access to systems for support or debugging.
  • Regular dependency and security updates, error monitoring, and incident response procedures.

No system is perfectly secure. While we strive to protect your information, we cannot guarantee absolute security. If we become aware of a security breach that affects your personal information, we will notify you and relevant authorities as required by applicable law.

7. Data Retention and Deletion

We retain information for as long as your account is active and for a reasonable period thereafter, depending on the category:

  • Account and business profile: retained while your account is active, and for up to 90 days after account deletion to allow for recovery in case of accidental deletion.
  • Integration data and campaign snapshots: retained only while the corresponding integration is connected. The moment you disconnect an integration — or the upstream platform revokes access — we immediately and permanently delete all data we received from that integration, including historical campaign snapshots, ad snapshots, creative metadata, order data, transaction data, webhook events, and any derived metrics or insights tied to that connection. This deletion is irreversible and not subject to a grace period.
  • OAuth tokens: deleted immediately when you disconnect an integration or when the refresh token is revoked by the upstream platform.
  • Chat history: retained while your account is active. You can delete individual threads at any time from within the app.
  • Billing records: retained for at least seven (7) years to comply with tax and financial reporting obligations.
  • Logs and error records: typically retained for 30–90 days, then deleted or aggregated.
  • Backups: database backups retained for up to 30 days. Data deleted from the live database may persist in backups until the backup expires.

You may request complete deletion of your account and associated data by emailing privacy@phas3.ai. We will confirm deletion within 30 days of a verified request, except where retention is required by law.

8. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

  • Strictly necessary cookies: required for authentication, session management, and core functionality. These cannot be disabled without breaking the Service.
  • Analytics cookies: help us understand how users interact with the product in aggregate (Vercel Analytics, Google Analytics). Data is anonymized or pseudonymized where feasible.
  • Advertising cookies: used only on our public marketing pages (not in the authenticated app) via Meta Pixel, to measure the effectiveness of our own marketing.

Most browsers allow you to control cookies through settings. Disabling strictly necessary cookies will prevent you from using the Service. Disabling analytics or advertising cookies will not affect product functionality.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request that we correct inaccurate or incomplete information.
  • Deletion: request that we delete your personal information, subject to legal retention requirements.
  • Portability: request a copy of your information in a structured, machine-readable format.
  • Restriction or objection: ask us to restrict or object to certain processing activities.
  • Withdraw consent: where we rely on consent as the legal basis, you may withdraw consent at any time.
  • Non-discrimination: we will not discriminate against you for exercising your rights.
  • Complaint: lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@phas3.ai. We may need to verify your identity before acting on a request.

9.1 California Residents (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information is collected, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to limit the use of sensitive personal information. To exercise these rights, contact us at privacy@phas3.ai.

9.2 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, our legal bases for processing are: (a) performance of a contract (providing the Service you subscribed to), (b) legitimate interests (improving the Service, preventing fraud, ensuring security), (c) consent (for optional marketing communications and certain cookies), and (d) compliance with legal obligations. International transfers of your data to the United States are made under Standard Contractual Clauses or other appropriate safeguards.

10. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@phas3.ai.

11. International Data Transfers

phas3 is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate. We take appropriate safeguards to ensure that your information receives an adequate level of protection wherever it is processed, including relying on Standard Contractual Clauses for transfers from the EEA, UK, and Switzerland.

12. Third-Party Links and Services

The Service may contain links to third-party websites or services that are not operated by us. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you interact with through phas3, including any advertising platforms you connect.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by email (to the address associated with your account) and/or by posting a prominent notice in the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this policy indicates the most recent revision. Your continued use of the Service after the effective date of any change constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: privacy@phas3.ai
General contact: na@phas3.ai