1. Who we are
Marketing Copilot is operated by Synstek Internet Private Limited, a company incorporated in India with its registered office at Patna, Bihar, India. For purposes of the EU/UK GDPR we are the data controller of personal information processed about you as a website visitor, account holder, or end user of the Service.
For questions about this policy or to exercise your rights, contact us at support@metty.ai. Our designated grievance officer under India's Digital Personal Data Protection Act, 2023 (DPDPA) is Navin Kumar, reachable at the same address.
2. Information we collect
2.1 Information you provide
- Account information: name, email address, password (hashed by our authentication provider), organization name, and role.
- Billing information: name, billing address, and payment metadata. Card details are collected and stored by our payment processor (see Section 5) and are not retained on our servers.
- Communications: messages you send to support, your conversations within the Service (which may include questions about your marketing data), and any feedback you provide.
- Brand context you choose to share: free-form descriptions of your business, target audience, goals, and KPIs you enter into the Service to improve answer quality.
2.2 Information collected from your connected platforms
When you connect a marketing platform (e.g., Meta Ads, Google Ads, Google Analytics 4, Mixpanel, PostHog, Microsoft Clarity), we receive an OAuth access token (or, for some platforms, an API key) that authorizes us to read data on your behalf. Using that token, we retrieve:
- Marketing performance data: ad accounts, campaigns, ad groups, ads, daily performance metrics (impressions, clicks, spend, conversions), audience targeting summaries, and creative metadata.
- Web and product analytics data: aggregated session metrics, conversion events, traffic sources, and event counts. We do not pull raw event-level user records by default.
- Search performance data: queries, impressions, clicks, and average ranking for properties you have verified.
- UX signal data: aggregated metrics from session recording tools (e.g., counts of rage clicks, dead clicks, JavaScript errors). We do not pull individual session recordings by default.
We only request the minimum scopes needed to read this data. We never request scopes that would let us modify your campaigns, send messages, or take other write actions, unless you explicitly enable that capability in a future feature.
2.3 Information we collect automatically
- Device and connection data: IP address, browser type, operating system, device identifiers, and timestamps of requests.
- Usage data: pages visited, features used, queries submitted to the AI assistant, latency and error metrics. We use this to operate, secure, and improve the Service.
- Cookies and similar technologies: see our Cookie Policy for details.
3. How we use information
We use the information described above to:
- Provide, maintain, and improve the Service;
- Authenticate users, fulfill subscription and billing obligations, and send service-related notices;
- Run AI agent queries on your behalf to answer your questions, generate digests, and detect anomalies in your data;
- Monitor service performance, detect abuse, prevent fraud, and secure our infrastructure;
- Communicate with you about updates, security alerts, and (with consent) product news;
- Comply with legal obligations and enforce our Terms.
We do not train AI models on your data. Your queries, conversations, and connected-platform data are not used to train any general-purpose model, ours or our sub-processors'. Conversations are sent to our AI sub-processor (OpenAI) under contractual terms that prohibit training on customer inputs and outputs.
4. Legal bases for processing (EU/UK)
Where the GDPR applies, we rely on the following legal bases:
- Contract: to provide the Service you have signed up for and process billing.
- Legitimate interests: to operate, secure, and improve the Service; prevent abuse; and conduct limited product analytics.
- Consent: for non-essential cookies, marketing communications, and any optional features you opt into. You may withdraw consent at any time without affecting prior processing.
- Legal obligation: where we must process information to comply with applicable law.
5. How we share information
We share information only with the categories of recipients listed below, and only as needed to provide and operate the Service.
5.1 Service providers (sub-processors)
We use the following sub-processors at the time of writing:
| Provider | Purpose | Region |
|---|---|---|
| OpenAI, L.L.C. | AI model inference for the agent | United States |
| Clerk Inc. | User authentication and session management | United States |
| Supabase Inc. | Managed Postgres database hosting | Asia (Mumbai) |
| Upstash Inc. | Caching and rate limiting | Asia (Mumbai) |
| Inngest Inc. | Background job orchestration | United States |
| Vercel Inc. | Frontend hosting and edge delivery | Global edge network |
| Render | API server hosting | Singapore |
| Razorpay Software Pvt. Ltd. | Payment processing (subscription billing) | India |
| Langfuse GmbH | Internal observability and tracing | European Union |
The current list above is maintained as part of this Privacy Policy. We notify customers of material changes at least 30 days before they take effect, where required by your contract. Subscribe to change notifications by emailing support@metty.ai.
5.2 Connected marketing platforms
When you connect a third-party platform, we exchange information with that platform on your behalf using the OAuth credentials you grant. Each platform has its own privacy policy that governs how it processes your data; we are not responsible for those practices.
5.3 Legal and safety
We may disclose information when we reasonably believe it is necessary to comply with applicable law, valid legal process, or a lawful request from a competent authority; to enforce our Terms; or to protect the rights, property, or safety of our users, ourselves, or others.
5.4 Business transfers
If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will notify you of such a transfer in advance where required by law.
5.5 We do not sell personal information
We do not sell, rent, or trade personal information to third parties for monetary or other valuable consideration, as those terms are defined under applicable laws including the CCPA.
6. International transfers
We are based in India and use sub-processors in the United States, European Union, and other regions. Where personal information is transferred outside your country of residence, we rely on appropriate safeguards including, where relevant, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms recognized under DPDPA.
7. Security
We apply administrative, technical, and physical safeguards designed to protect information from unauthorized access, alteration, disclosure, or destruction. These include:
- Encryption in transit: TLS 1.2 or higher for all network communication.
- Encryption at rest: OAuth access tokens and refresh tokens are encrypted with AES-256-GCM before storage. Database volumes are encrypted at the storage layer.
- Access controls: least-privilege access for employees, with multi-factor authentication required for all production systems.
- Audit logging: security-relevant events are logged and retained.
- Vendor due diligence: sub-processors are reviewed for adequate security and contractual data protection commitments.
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and applicable regulators in accordance with law.
8. Retention
- Account data is retained for as long as your account is active. After account deletion, we delete or anonymize identifying data within 30 days, except where retention is required by law (e.g., tax records).
- Connected-platform data we have synced is retained for as long as the connection is active and for 30 days after disconnection, after which it is deleted.
- Conversations and queries are retained for as long as your account is active. You can delete individual conversations from within the Service.
- Logs are retained for up to 90 days, then deleted or anonymized.
- Backups are retained on a rolling basis and overwritten within 30 days.
9. Your rights
Subject to applicable law (including the GDPR and DPDPA), you have the right to:
- Access the personal information we hold about you;
- Request correction of inaccurate or incomplete personal information;
- Request deletion of your personal information;
- Restrict or object to certain processing;
- Receive your information in a portable format;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with a supervisory authority (in India, the Data Protection Board; in the EU, your local DPA; in the UK, the ICO).
To exercise any of these rights, write to support@metty.ai. We will respond within the timeframes required by applicable law (typically within 30 days under GDPR; without undue delay under DPDPA).
10. Children
The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 14 days before the change takes effect. The "Last updated" date at the top reflects the most recent revision.
12. How to contact us
Email: support@metty.ai
Postal: Synstek Internet Private Limited, Patna, Bihar, India
Grievance Officer (India): Navin Kumar, support@metty.ai