Privacy Policy

This policy describes how Partial, Inc. ("CXO", "we", "us") collects, uses, and shares information when you use the CXO product at cxo.ai and any connected channels.

We've written this in plain language, with the specifics Meta App Review and most data regulators expect. If anything is unclear, write privacy@cxo.ai.

1. Who we are

CXO is operated by Partial, Inc., a Delaware C corporation. We're the data controller for the information you give us and the information we collect through connected services on your behalf.

Privacy questions: privacy@cxo.ai.

2. Information we collect

2.1 Information you provide directly

• Account details (name, email, password) when you sign up.
• Brand inputs you give CXO — references, links, brand descriptions, sample content.
• Billing information processed by our payment processor when you purchase a plan.
• Anything you type into the CXO chat.

2.2 Information from connected platforms

When you connect a third-party account (for example, Instagram, Facebook, or a Meta Ads account) through that platform's official login flow, you authorize CXO to access only the specific data covered by the permissions you approve. Depending on the scopes you grant, this may include:

• Instagram / Facebook account profile — your business account name, username, account ID, profile picture, and the Pages or accounts you administer.
• Content you publish through CXO — the media, captions, and metadata of posts, reels, stories, and ads CXO creates on your behalf.
• Engagement data — comments and direct messages received on content CXO manages, only where you've granted the corresponding permission.
• Ad account data — campaign structure, creative, spend, impressions, clicks, and conversions, only when you've granted ad management permissions.
• Access tokens — issued by the connected platform and stored encrypted so CXO can act on your behalf.

You can revoke any connection at any time from the connected platform's own settings or from CXO's settings; revocation is effective immediately and we stop calling that platform's APIs.

Meta permissions in detail. When you connect a Meta account, CXO requests the specific permissions listed below. Each permission grants access only to the data described — nothing more.

• pages_show_list — the list of Facebook Pages you administer, used to discover the Instagram Business or Creator account linked to a Page.
• pages_read_engagement — post-level engagement metrics on Pages you administer (reach, impressions, reactions, comments, shares), used for performance reporting.
• pages_manage_metadata — Page metadata required to resolve the Instagram Business account linked to a Page; no UI surface, used at connection time.
• instagram_basic — the connected Instagram Business or Creator account's profile: account ID, username, and profile picture URL.
• instagram_content_publish — used to publish posts, reels, stories, and carousels to your Instagram Business account, only after you review and approve the content. Includes media, caption, hashtags, and location tag — all user-supplied and user-approved.
• instagram_manage_insights — post-level performance metrics for your Instagram content (reach, impressions, likes, saves, shares, video views).
• instagram_manage_comments — comment text, commenter username, timestamps, and parent post ID for comments on your Instagram posts. Used for community-management workflows where you review comments and approve replies.
• instagram_manage_messages — message content, sender username, and conversation thread ID for direct messages in your Instagram Business inbox. Used for community-management and lead-reply workflows where you review messages and approve replies.
• ads_management — used to create, read, update, and delete ad campaigns, ad sets, and ads on your ad account, only after you review and approve each campaign. Includes campaign objects, ad creatives, audience definitions, budget, and schedule.
• ads_read — performance data for ads on your ad account: spend, impressions, clicks, conversions, ROAS, CPC, CPM, CPA.
• read_insights — Facebook Page-level reach and impressions, used in combined performance reporting alongside ad data.
• business_management — business object IDs, asset relationships, and role permissions, used to surface your connected Pages, ad accounts, and Instagram accounts in CXO settings so you can switch between brands or disconnect.

We do not request any Meta permissions beyond this list. If we add or remove a permission, we will update this section before the change takes effect, in addition to the sub-processor notification described in Section 4.

2.3 Information collected automatically

• Standard server logs (IP address, user agent, request paths, timestamps).
• Cookies strictly necessary for authentication and session management.

We do not currently run third-party advertising or behavioral analytics tags on cxo.ai. If we add product analytics in the future, we'll list the provider in Section 4 before turning it on.

2.4 Biometric and likeness data

Some product features may use voice data, facial scans, or other biometric identifiers you submit to create or transform content (for example, generating a video that matches a brand spokesperson, or a voice clone for narration). Where you provide this kind of data:

• We use it only to deliver the specific feature you requested.
• We do not use it to train general-purpose AI models, identify individuals, or for any other purpose.
• We retain it only as long as needed for that feature, and in any event no longer than the earlier of (i) the date the original purpose for collecting the data is satisfied, or (ii) three (3) years from your last interaction with us.
• Some U.S. states (including Illinois under BIPA, Texas under CUBI, and Washington under H.B. 1493) treat biometric identifiers as a special category of personal information; we comply with the consent and notice requirements of those laws where they apply to your use.
• You are responsible for obtaining all consents, releases, and rights of publicity from any identifiable individual whose biometric or likeness data you submit through the Services (see Section 3.1 of our Terms of Service).

3. How we use your information

• To run the product — generate creative, post on your behalf, manage campaigns and engagement, and serve you the responses you ask for in chat.
• To improve quality, debug issues, and prevent abuse.
• To bill you and enforce these terms.
• To comply with applicable law and platform policies (including Meta's).

We do not sell your personal information, and we do not use connected- platform data for advertising-targeting purposes outside the product you're paying for.

4. Sub-processors we share data with

To deliver the product, we route specific data to the vendors listed below. Each is contractually bound to handle the data only on our instructions. The list reflects what is in production as of the "last updated" date above; we'll keep it current as we add or remove vendors.

• Anthropic, Inc. — Claude API. Receives the chat content, prompts, and brand inputs needed to generate responses. United States.
• Google LLC — Gemini API. Receives prompts and content for generative tasks. United States.
• OpenAI, L.L.C. — Whisper API. Receives audio you upload, only for transcription. United States.
• FAL, Inc. — image and video generation infrastructure. Receives prompts and reference assets you submit for generation. United States.
• Apify Technologies s.r.o. — public-web brand discovery. Used only on accounts you explicitly identify in your brand-research workflows; never on data from your connected Meta accounts. European Union.
• Exa Labs, Inc. — public-web search. United States.
• Voyage AI Innovations, Inc. — embeddings for semantic search. United States.
• Langfuse GmbH — observability and tracing of CXO's AI requests. European Union.
• Supabase, Inc. — primary database (PostgreSQL) and file storage, hosted in us-east-1. United States.
• Vercel, Inc. — application hosting and edge delivery. United States.

We'll notify you by email at least thirty (30) days in advance of adding any new sub-processor that will process your personal data, so you can review and, if you object, request deletion under Section 7 before the new sub-processor begins processing. For changes that involve only operational, security, or location updates to existing sub-processors, we may use a shorter notice window or update this list without individual notice. The current list above is authoritative as of the "last updated" date at the top of this policy.

5. How long we keep it

• Account & product data — kept while your account is active and for up to 30 days after deletion is requested, while the deletion job runs.
• AI conversation history — your chat with CXO and any in-thread generated content. Kept while your account is active. On account-deletion request, removed within 30 days as the deletion job runs.
• Generated creative assets — images, videos, audio, and copy CXO generated for you. Kept while your account is active. On account-deletion request, removed within 30 days. Where you have published a generated asset to a connected platform, the platform retains its own copy under its own retention policy.
• Brand inputs — references, brand descriptions, sample content, uploaded assets you provided to inform generation. Same retention as AI conversation history. Removed within 30 days of account-deletion request.
• Engagement and insights data from connected platforms (post reach, impressions, comment counts, ad performance) — refreshed continuously while your connection is active; cached for up to 90 days for performance reporting and trend analysis, then aged out.
• Connected-platform tokens — kept only as long as the connection is active; deleted immediately on disconnection.
• Webhook event payloads from Meta — kept only as long as needed for debugging and audit, typically up to 90 days, then auto-purged.
• Server logs — kept only as long as needed for security and operations, typically up to 90 days, then rotated.
• Billing records — kept for up to 7 years after the last transaction for tax and legal purposes, even after account deletion.

6. Where your data lives & how it's protected

• Primary storage: PostgreSQL on Supabase, in AWS us-east-1.
• File storage: Supabase Storage, same region.
• All access tokens, OAuth credentials, and other secrets are encrypted with AES-256-GCM before being written to the database. Encryption keys are managed outside the application database.
• Transport is TLS 1.2 or higher between every component.
• Access to production data is role-restricted, auditable, and logged.

7. Your rights

Wherever you live, you can:

• Access the data we hold about you.
• Correct inaccuracies.
• Request a copy in a portable format.
• Request deletion — see cxo.ai/data-deletion.
• Withdraw any consent you've previously given.
• Object to or restrict certain types of processing.

For users in the EU, UK, California, and other jurisdictions with local privacy laws, these rights are available regardless of where you reside. To exercise any of them, email privacy@cxo.ai. We respond within 30 days.

Business customers who require a Data Processing Addendum (DPA) under GDPR, UK GDPR, CCPA, or other applicable laws — for example to extend processor obligations to their own end users — can request one by emailing legal@cxo.ai. We provide a standard DPA on request and can negotiate reasonable amendments for enterprise contracts.

8. International transfers

Most of CXO's infrastructure is in the United States. If you access the product from outside the US, your data will be transferred there. Where required, we rely on Standard Contractual Clauses or equivalent safeguards with our sub-processors to lawfully move data across borders.

9. Children

CXO is not directed at, and we do not knowingly collect personal information from, anyone under 16. If you believe a minor has used CXO, contact us and we'll delete the account.

10. Changes to this policy

We'll update this page when our practices change. Material changes will be communicated by email to the address on your account before they take effect. Continued use of CXO after the update is acceptance of the revised policy.

11. Contact

Questions, requests, or complaints about how we handle your data: privacy@cxo.ai.