Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how the operator of 3two1studio.com (the "Company," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with the websites at 3two1studio.com and 3two1ads.com, any associated subdomains, mobile or desktop applications, application programming interfaces, and related products and services (collectively, the "Service").

This Policy applies to information we process as a controller (deciding why and how personal data is processed), including information from visitors to our website, account holders, and prospective customers.

Where we process personal information on behalf of a customer who uses the Service to manage their own end users' data, we act as a processor or service provider. In those cases, our customer is the controller, and that customer's privacy policy (not ours) describes how their end users' personal information is handled. Our processing in that capacity is governed by our agreement with that customer (including any Data Processing Addendum) and by this Policy to the extent consistent.

By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you should not use the Service.

2. Scope

This Policy applies to personal information we process about:

• Visitors to our websites and marketing pages;
• Account holders who register for the Service, including Owners, Administrators, and Seat users of Organization and Enterprise accounts;
• Prospective customers who contact us, request a demo, complete a form, or attend an event;
• Contacts whose business contact information is provided to us by our customers or obtained from publicly available sources for business development; and
• End users of customer accounts, to the extent we act as a processor on the customer's behalf.

This Policy does not apply to third-party websites, products, or services that are not operated by us, even if you access them through links on the Service or through integrations you enable. Those third parties have their own privacy practices, and we encourage you to review them.

3. Information We Collect

We collect information in three ways: (a) information you provide to us; (b) information we receive from third parties at your direction; and (c) information we collect automatically when you use the Service.

3.1 Information You Provide

Account and profile information. Name, email address, password (hashed), business name, job title, business address, phone number (optional), billing information, and profile photo (optional).

Payment information. Billing name, billing address, tax identification number, and limited payment-card information (such as last four digits and expiration date). Full payment-card data is collected and processed directly by our payment processor; we do not store full card numbers on our servers.

Customer Content. Text, images, audio, video, brand guidelines, product descriptions, website URLs, logos, prompts, instructions, and other materials you submit to the Service. Customer Content may contain personal information that you choose to upload, such as the names or likenesses of individuals who appear in your brand assets.

API keys, access tokens, and credentials. Credentials for AI model providers, advertising platforms, analytics providers, e-commerce platforms, email providers, and social-media networks that you connect to the Service. We store these credentials encrypted at rest.

Communications. The contents of email, chat, support tickets, call recordings (where lawful and disclosed), survey responses, and other communications you send to us.

Events and marketing. Information you provide when you register for an event, subscribe to a newsletter, download gated content, or respond to a promotion.

3.2 Information We Receive From Third Parties at Your Direction

When you connect a third-party platform to the Service, you authorize us to receive information from that platform, which may include:

• Advertising platforms (Meta, Google Ads, TikTok, LinkedIn, X, Pinterest, and others): ad account identifiers, campaign, ad-set, and ad metadata, performance metrics, audience identifiers, creative assets, and related data.
• Analytics providers (Google Analytics, Google Search Console): property identifiers, aggregated traffic metrics, and other analytics data.
• E-commerce platforms (Shopify, WooCommerce, Stripe): product catalogs, store metadata, order statistics, customer counts (not customer identities, unless you elect to share them), and related data.
• Email-marketing providers (Mailchimp, Brevo, HubSpot, and others): list identifiers, campaign identifiers, and performance metrics.
• Social-media networks: connected account identifiers, profile metadata, and the permissions you grant during OAuth.
• AI model providers (Anthropic, OpenAI, Google, xAI, Perplexity, and others): usage and error responses tied to API calls we make on your behalf using your credentials.
• Identity providers (Google OAuth): if you sign in with a third-party identity provider, we receive your name, email, and profile photo.

We receive only the data necessary to provide the features you request, as constrained by the scopes you authorize.

3.3 Information Collected Automatically

When you use the Service, we automatically collect:

• Device and browser data: IP address, device identifiers, device type, operating system, browser type and version, language settings, and time zone.
• Usage data: pages, screens, and features viewed; clicks; search terms; timestamps; referrer URLs; session duration; prompts submitted; Outputs generated; feature usage counts; and error logs.
• Cookies and similar technologies: see Section 7 below.
• Log data: server logs, request headers, performance data, security events, and diagnostic information.

3.4 Information From Other Sources

We may receive information about you from publicly available sources, business-information providers, marketing partners, event co-sponsors, and service providers that support fraud prevention, identity verification, or compliance.

3.5 Sensitive Personal Information

We do not intentionally collect special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, genetic data, or biometric data for the purpose of uniquely identifying a person). Please do not submit sensitive personal information to the Service. If you upload sensitive personal information as Customer Content, you do so at your own risk and you represent that you have all necessary consents.

3.6 Children's Data

The Service is not directed to, intended for, or marketed to children under sixteen (16) years of age, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at hello@3two1studio.com and we will delete the information.

4. How We Use Personal Information

We use personal information for the following purposes:

Providing the Service. Authenticating users, executing AI agent pipelines, generating Output, connecting to third-party services, storing and retrieving your data, fulfilling subscriptions, and operating and maintaining the Service.

Billing and payments. Processing payments, issuing invoices and receipts, managing subscriptions, detecting and preventing fraudulent transactions, and collecting overdue amounts.

Service improvement and development. Analyzing usage in an aggregated and de-identified form to monitor performance, debug issues, develop new features, improve user experience, and measure product effectiveness. We do not use your Customer Content to train or fine-tune general-purpose AI models.

Security, fraud prevention, and abuse mitigation. Detecting, investigating, and preventing security incidents, unauthorized access, abuse, and violations of our Terms of Service or Acceptable Use Policy.

Customer support. Responding to inquiries, providing technical assistance, troubleshooting, and communicating with you about your account.

Communications and marketing. Sending transactional messages (such as receipts, security alerts, and account notices), product-update announcements, and, where permitted, marketing communications. You can opt out of marketing communications at any time using the unsubscribe link in our emails or by contacting us.

Legal, regulatory, and policy compliance. Complying with applicable law, responding to lawful requests from governmental and regulatory authorities, enforcing our agreements and policies, protecting the rights, property, and safety of the Company, our users, and the public, and preparing for and participating in litigation and investigations.

Business operations and corporate transactions. Conducting internal administration, accounting, audit, and corporate governance, and carrying out due diligence for, or executing, mergers, acquisitions, financings, reorganizations, or divestitures.

With your consent or as otherwise disclosed at collection.

4.1 Legal Bases (for Users Protected by EU/UK GDPR)

Where the EU General Data Protection Regulation or UK GDPR applies, we rely on the following legal bases:

• Contract: to perform our agreement with you or take steps at your request before entering a contract;
• Legitimate interests: to operate, secure, and improve the Service; to develop and market our products; to prevent fraud; and to support our business, in each case balanced against your rights and interests;
• Legal obligation: to comply with applicable laws and regulatory requirements;
• Consent: where you have consented, for example, to certain marketing activities or certain cookies. You may withdraw consent at any time.

5. How We Share Personal Information

We do not sell personal information for monetary consideration. We share personal information only as described below.

5.1 Service Providers and Subprocessors

We share personal information with trusted third-party service providers that perform services on our behalf under written contracts that impose confidentiality and data-protection obligations. Categories of service providers include:

• Cloud infrastructure and hosting: Amazon Web Services (U.S.);
• Database and caching: Amazon Aurora PostgreSQL, Amazon ElastiCache;
• Storage: Amazon S3;
• Payment processing: Stripe, Inc.;
• AI model providers: Anthropic, OpenAI, Google, xAI, Perplexity, and similar providers, for AI inference;
• Email delivery: transactional and marketing email providers (e.g., Brevo);
• Customer support: help-desk, live-chat, and knowledge-base tools;
• Analytics and monitoring: product-analytics, error-monitoring, and performance-monitoring tools;
• Identity and authentication: identity-provider and single-sign-on services;
• Security: bot-management, fraud-detection, and abuse-monitoring tools;
• Professional services: auditors, legal counsel, tax advisors, accountants, and consultants, as needed.

A current list of significant subprocessors is available upon request to hello@3two1studio.com.

5.2 Third-Party Platforms You Connect

When you authorize an integration with a third-party platform, we transmit information to and receive information from that platform at your direction and subject to the permissions you grant. Your use of those platforms is governed by their privacy policies, not this Policy.

5.3 Within Your Account

If you are a member of an Organization or Enterprise account, the account Owner and Administrators may have access to information about your use of the Service, the Customer Content you contribute, and your account profile. If your account was created by an Organization, the Organization may have the right to access, modify, export, or delete your account information in accordance with its internal policies and applicable law.

5.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, personal information may be transferred as part of that transaction, subject to standard confidentiality protections.

5.5 Legal and Safety Disclosures

We may disclose personal information to governmental or regulatory authorities, law-enforcement agencies, courts, and other third parties when we believe in good faith that disclosure is necessary to (a) comply with applicable law, regulation, subpoena, court order, or other legal process; (b) enforce our Terms of Service or other agreements; (c) investigate, prevent, or address suspected or actual fraud, security, or technical issues; or (d) protect the rights, property, or safety of the Company, our users, or the public.

5.6 With Consent or at Your Direction

We may share personal information for any other purpose with your consent or at your direction.

5.7 Aggregated and De-Identified Information

We may create and share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify any individual.

6. AI Processing and Automated Features

6.1 How We Use AI

The Service uses AI models and automated agent pipelines to generate Output based on prompts, Customer Content, and other inputs you provide. AI providers we use include Anthropic, OpenAI, Google, xAI, Perplexity, and similar providers (collectively, "AI Providers").

6.2 Data Sent to AI Providers

When you invoke an AI feature, the Service transmits the inputs necessary to generate Output to one or more AI Providers. We have contractual arrangements with AI Providers and rely on their commitments not to train their foundation models on our customers' inputs unless a customer expressly opts in. AI Providers may retain data temporarily for abuse monitoring and legal-compliance purposes in accordance with their own policies.

6.3 Your Responsibility

You are responsible for what you submit to AI features. Do not submit personal information that you do not have the right to submit, and do not submit sensitive personal information unless you have a lawful basis and appropriate safeguards. Review Output for accuracy, bias, and compliance before relying on it.

6.4 Automated Decision-Making

The Service does not make decisions about you that produce legal or similarly significant effects without human involvement. Output generated for you is reviewed and acted upon by you or by users in your account.

7. Cookies and Tracking Technologies

7.1 What We Use

We and our service providers use cookies, web beacons, pixel tags, software development kits (SDKs), local storage, and similar technologies (collectively, "Tracking Technologies") to operate and secure the Service, remember your preferences, analyze usage, and, where permitted, measure the effectiveness of marketing campaigns.

7.2 Categories of Tracking Technologies

• Strictly necessary: required for the Service to function (authentication, load balancing, CSRF protection, fraud prevention). These cannot be disabled.
• Functional: remember your preferences (language, theme, display settings).
• Analytics and performance: help us understand how visitors and users interact with the Service (e.g., Google Analytics).
• Advertising and measurement: allow us to measure the effectiveness of advertising and marketing campaigns and, where permitted, deliver targeted advertising (e.g., Meta Pixel, Google Ads tags).

7.3 Choices

Most browsers allow you to refuse or delete cookies through browser settings. You can also opt out of Google Analytics using the Google Analytics Opt-Out Browser Add-on, and opt out of interest-based advertising by visiting industry opt-out pages such as the Digital Advertising Alliance's consumer opt-out page. Where required by law, we present a cookie banner allowing you to grant or withhold consent for non-essential cookies. Disabling cookies may affect the availability and functionality of the Service.

7.4 Do Not Track

The Service does not currently respond to "Do Not Track" browser signals, because no common industry or legal standard has been adopted.

8. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy, including to:

• provide the Service to you;
• comply with legal, tax, accounting, and regulatory obligations;
• resolve disputes, enforce our agreements, and protect our rights;
• maintain backups and disaster-recovery systems for a reasonable period.

Typical retention periods:

When retention periods expire, we will delete, de-identify, or anonymize personal information.

9. Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, accidental loss, alteration, disclosure, and destruction. These measures include encryption in transit (TLS 1.2 or higher) and at rest (AES-256), access controls, network segmentation, logging and monitoring, secure software-development practices, vulnerability management, incident-response procedures, background checks for personnel with access to sensitive data, and regular security reviews.

In the event of a security incident that triggers notification obligations under applicable law, we will notify affected individuals and authorities as required.

10. International Data Transfers

We are headquartered in the United States, and we and our service providers store and process personal information in the United States and in other countries where our service providers operate. These countries may have data-protection laws different from those of your country.

Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not received an adequacy decision, we rely on recognized transfer mechanisms, such as the Standard Contractual Clauses adopted by the European Commission and, where applicable, the UK International Data Transfer Addendum. A copy of the applicable transfer mechanism is available on request.

11. Your Rights and Choices

Depending on where you reside and the law that applies to you, you may have the following rights in relation to personal information we hold about you:

• Access: to obtain confirmation of whether we process your personal information and, if so, a copy of that information;
• Correction: to have inaccurate personal information corrected;
• Deletion: to request erasure of your personal information in certain circumstances;
• Portability: to receive your personal information in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller, where technically feasible;
• Restriction: to restrict processing of your personal information in certain circumstances;
• Objection: to object to processing based on legitimate interests or to processing for direct marketing;
• Withdraw consent: where processing is based on consent;
• Opt out of sale or sharing: where applicable law provides such a right;
• Non-discrimination: not to be subject to discrimination for exercising your rights;
• Lodge a complaint with a data-protection authority.

To exercise any right, email us at hello@3two1studio.com from the email address associated with your account, or use the tools in your account settings where provided. We may need to verify your identity before acting on a request. We will respond within the timeframes required by applicable law.

If you are an end user of a customer's account (meaning our customer determines why and how your personal information is processed), please direct your request to that customer. We will assist the customer as required by our agreement and by law.

11.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the rights described above and the right to opt out of "sale" or "sharing" of personal information as those terms are defined under the California Consumer Privacy Act. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising except through cookies you can disable as described in Section 7. We do not "sell" or "share" the personal information of known minors under sixteen.

Categories of personal information collected, disclosed for a business purpose, and retained are summarized in Sections 3, 4, 5, and 8 of this Policy. You may designate an authorized agent to make requests on your behalf.

11.2 Nevada and Other U.S. State Residents

If you are a resident of Nevada, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, or another U.S. state that grants privacy rights, you may exercise your applicable rights by contacting us as described above.

11.3 Marketing Opt-Out

You may opt out of marketing emails at any time by clicking the "unsubscribe" link in our messages or by contacting us. We may still send transactional and service-related messages that are necessary for the operation of the Service.

12. Third-Party Links and Services

The Service may contain links to third-party websites, platforms, and services, and may integrate with third-party services you connect. Those third parties operate independently of us and have their own privacy policies. We are not responsible for the content, privacy practices, or security of any third-party website or service.

13. Changes to This Policy

We may update this Policy from time to time. When we do, we will post the updated Policy at 3two1studio.com/privacy and update the "Last Updated" date. If the changes are material, we will provide additional notice, such as by email to the address associated with your account or by a prominent notice within the Service. We encourage you to review this Policy periodically.

14. Contact Us

If you have questions, comments, or concerns about this Policy or our privacy practices, or if you want to exercise your privacy rights, please contact us at:

Email: hello@3two1studio.com
Website: https://3two1studio.com

If you are an EU or UK resident and you wish to lodge a complaint, you may also contact your local data-protection authority.

This Privacy Policy is provided to help you understand our privacy practices. By using 3two1studio.com you acknowledge that you have read this Policy.