Privacy Policy
Last updated: April 22, 2026
1. Introduction
Bytown ("we," "us," or "our") operates the websites bytown.co and ads.bytown.co, along with related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — provided directly or through Google, LinkedIn, or magic link authentication
- Name — if provided through your OAuth profile or manually entered
- Profile photo — if available from your OAuth provider (Google or LinkedIn)
- Authentication provider metadata — which sign-in method you used
2.2 Business Profile Data
When you use Bytown to create ad campaigns, we collect and generate:
- Website URL — provided by you during onboarding
- Company name and description — extracted and generated by AI from your website
- Website screenshot and logo — captured from your website for your dashboard
- Social media links — extracted from your website (Facebook, Instagram, LinkedIn, Twitter, YouTube, TikTok)
- Business intelligence — AI-generated analysis including revenue generators, customer segments, market positioning, and competitive strengths
2.3 Ad Platform Data
When you connect advertising accounts, we collect:
- OAuth access and refresh tokens — encrypted and stored securely to maintain your platform connection
- Ad account IDs and names — to identify which accounts you manage
- Campaign performance data — metrics such as impressions, clicks, conversions, and spend retrieved from your connected ad platforms
2.4 Campaign Data
- Campaign content — headlines, descriptions, keywords, and targeting parameters created through the Service
- Budget information — budget type and amounts you set for campaigns
- Performance snapshots — daily metrics captured for your campaigns
2.5 Conversation Data
- Chat messages — your conversations with our AI agents, including instructions, questions, and feedback
- Agent interactions — tool calls and responses generated during your sessions
2.6 Onboarding & Preference Data
- Role and seniority level — provided during onboarding
- Attribution source — how you heard about Bytown
- Privacy mode preference — your choice to opt in or out of analytics and product improvement data collection
- Email report subscriptions — your preferences for receiving KPI reports and AI insights
2.7 Technical Data
- Usage data — pages visited, features used, timestamps, and session information
- Device information — browser type, operating system, and screen resolution
- IP address — used for security, fraud prevention, and approximate geolocation
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service — create and manage ad campaigns on your behalf, generate AI-powered ad copy, keywords, and targeting recommendations
- Manage your account — authenticate your identity, maintain your session, and personalize your experience
- Connect to ad platforms — access your Google Ads, Meta Ads, and LinkedIn Ads accounts to create, monitor, and optimize campaigns
- Generate AI insights — analyze your business, website, and campaign performance to provide recommendations and reports
- Send communications — deliver KPI reports, AI insight summaries, onboarding guidance, and service updates via email
- Improve the Service — if you opt in (see Privacy Mode), analyze usage patterns and AI performance to improve our product
- Ensure security — detect and prevent fraud, abuse, and unauthorized access
4. Google API Services User Data Policy
This section applies specifically to data obtained through Google APIs, including the Google Ads API and Google OAuth.
4.1 Scopes Requested
When you connect your Google account, Bytown requests the following OAuth scopes:
- https://www.googleapis.com/auth/adwords — to read and manage your Google Ads campaigns, including creating campaigns, retrieving performance data, and executing optimizations
- openid — to verify your identity using OpenID Connect
- email — to retrieve your email address for account identification
- profile — to retrieve your name and profile photo for display in the application
4.2 Limited Use Compliance
Bytown's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve the Service as described in this privacy policy
- We do not transfer Google user data to third parties except as necessary to provide the Service, comply with applicable laws, or as part of a merger, acquisition, or asset sale — and only with your consent where required
- We do not use Google user data for serving advertisements
- We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and anonymized for internal operations
- We do not use Google user data to develop, improve, or train generalized AI and/or machine learning models. Data retrieved through Google APIs is used only to serve your own account's functionality within Bytown and is not included in any model training pipeline operated by Bytown or its AI subprocessors (Anthropic Claude, Google Gemini).
4.3 How We Use Google Ads Data
Data retrieved through the Google Ads API is used exclusively to:
- Display your campaign performance metrics in the Bytown dashboard
- Generate AI-powered campaign recommendations and optimization suggestions
- Create and manage ad campaigns on your behalf based on your instructions
- Produce performance reports and KPI summaries sent to your email
- Conduct campaign audits and search term reviews at your request
4.4 Token Storage & Security
Your Google OAuth tokens (access and refresh tokens) are encrypted using Fernet symmetric encryption before being stored in our database. Tokens are never exposed to the frontend application, stored in browser storage, or transmitted without encryption.
4.5 Revoking Access
You can revoke Bytown's access to your Google account at any time by:
- Disconnecting your Google Ads account from the Bytown dashboard
- Visiting your Google Account permissions page and removing Bytown
Upon revocation, we will delete your stored Google OAuth tokens within 30 days. For complete deletion of your Bytown account and all associated Google data, see our Data Deletion Instructions.
5. Meta Platform Data
This section applies specifically to data obtained through Meta Platform APIs, including Meta Business APIs for Facebook and Instagram ads.
5.1 Permissions Requested
When you connect your Meta account, Bytown requests the following Meta Platform permissions:
- ads_management — to create and edit campaigns, ad sets, and ads on your behalf
- ads_read — to retrieve performance data (impressions, clicks, conversions, spend) from your ad accounts
- business_management — to list the ad accounts, Pages, and Pixel assets you have access to, so you can choose which to connect
- pages_show_list — used only when you opt to run Page-linked ads
- instagram_basic and instagram_manage_insights — used only if you run Instagram ad campaigns
5.2 Meta Platform Terms Compliance
Bytown complies with the Meta Platform Terms and Meta's Developer Policies. Specifically:
- We only use Meta Platform data to provide and improve the Service as described in this privacy policy
- We do not sell, rent, license, or transfer Meta Platform data to data brokers or information resellers
- We do not use Meta Platform data for serving advertisements outside of your own ad accounts
- We do not use Meta Platform data to develop, improve, or train generalized AI or machine learning models. Data retrieved through Meta APIs is used only to serve your own account's functionality within Bytown and is not included in any model training pipeline operated by Bytown or its AI subprocessors (Anthropic Claude, Google Gemini).
- We access only the ad accounts and business assets you explicitly connect during onboarding
5.3 How We Use Meta Ads Data
Data retrieved through Meta Platform APIs is used exclusively to:
- Display your campaign performance metrics in the Bytown dashboard
- Generate AI-powered campaign recommendations and optimization suggestions
- Create and manage Meta ad campaigns on your behalf based on your instructions
- Produce performance reports and KPI summaries sent to your email
- Conduct campaign audits at your request
5.4 Token Storage & Security
Your Meta OAuth tokens (access and refresh tokens) are encrypted using Fernet symmetric encryption before being stored in our database. Tokens are never exposed to the frontend application, stored in browser storage, or transmitted without encryption.
5.5 Revoking Access and Deleting Data
You can revoke Bytown's access to your Meta account at any time by:
- Disconnecting your Meta account from the Bytown dashboard
- Visiting Facebook Settings → Business Integrations and removing Bytown
Upon revocation, we will delete your stored Meta OAuth tokens within 30 days. For complete deletion of your Bytown account and all associated Meta data, see our Data Deletion Instructions.
6. Third-Party Services
We use the following third-party services to operate the Service. Each service receives only the minimum data necessary for its function:
- Supabase — database hosting and user authentication (stores account data, business profiles, campaigns, and conversations)
- Google Ads API — reading and writing Google Ads campaign data on your behalf
- Meta Ads API — reading and writing Meta (Facebook/Instagram) ad campaign data on your behalf
- LinkedIn Ads API — reading and writing LinkedIn ad campaign data on your behalf
- Anthropic (Claude) — AI language models that power our campaign creation agents (processes your chat messages and business data to generate recommendations)
- Google (Gemini) — AI language model used for intent classification (processes your chat messages to route them to the appropriate agent)
- Resend — email delivery service (receives your email address and report content to deliver KPI reports and notifications)
- PostHog — product analytics platform (receives anonymized usage events if you opt in; see Privacy Mode)
- Apify — web scraping service (accesses your publicly available website URL to extract business information during onboarding)
- Vercel — frontend hosting and web analytics (receives standard web traffic data)
We do not sell, rent, or trade your personal information to any third party.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Encryption at rest — all OAuth tokens for ad platform connections are encrypted using Fernet symmetric encryption before storage
- Encryption in transit — all data transmitted between your browser and our servers uses HTTPS/TLS encryption
- Row-level security — our database enforces row-level security (RLS) policies ensuring users can only access their own data
- Access controls — the frontend application uses a restricted (anonymous) database key with limited permissions; sensitive operations are performed server-side with elevated credentials
- Token isolation — encrypted OAuth tokens are never exposed to the frontend application or included in API responses to the browser
While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
8. Data Retention
- Account data — retained for as long as your account is active
- Campaign data — retained for as long as your account is active, plus 90 days after account deletion to allow for recovery
- Conversation history — retained for as long as your account is active
- OAuth tokens — deleted within 30 days of disconnecting a platform or deleting your account
- Analytics data — anonymized and aggregated analytics may be retained indefinitely
- Email delivery logs — retained for 12 months for deliverability monitoring
To request deletion of your account and associated data, contact us at [email protected]. We will process your request within 30 days.
9. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete personal data
- Right to erasure — request deletion of your personal data (subject to legal retention obligations)
- Right to restriction — request that we limit how we process your personal data
- Right to data portability — request your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests, including profiling
- Right to withdraw consent — withdraw consent at any time where we rely on consent as the legal basis for processing
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Legal basis for processing: We process your data based on (a) your consent (e.g., connecting ad accounts), (b) contractual necessity (e.g., providing the Service), (c) legitimate interests (e.g., improving the Service, preventing fraud), and (d) legal obligations.
10. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to delete — request deletion of your personal information (subject to exceptions)
- Right to opt-out of sale — Bytown does not sell personal information. We have never sold and will never sell your data to third parties.
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at [email protected]. We will verify your identity before processing any request and respond within 45 days.
11. Privacy Mode
During onboarding, Bytown offers you a privacy mode choice:
- Help Improve Bytown — you agree to share anonymized usage data and AI interaction patterns with our analytics tools (PostHog) to help us improve the product
- Privacy Mode — we minimize data collection to what is strictly necessary to provide the Service. Analytics events are not sent, and your usage patterns are not tracked beyond what is required for core functionality
You can change your privacy preference at any time from your account settings.
12. Email Communications
We may send you the following types of email:
- KPI reports — campaign performance summaries (weekly or monthly, based on your preference)
- AI insight summaries — AI-generated campaign optimization recommendations
- Onboarding guidance — helpful tips during your first days with Bytown
- Service updates — important changes to the Service, terms, or policies
Every marketing and report email includes a one-click unsubscribe link with a unique token. You can also manage your email preferences from your account settings. Service-critical emails (e.g., password resets, security alerts) cannot be unsubscribed from.
13. Cookies & Tracking
Bytown uses the following tracking technologies:
- Authentication cookies — essential cookies set by Supabase to maintain your login session
- PostHog analytics — if you opt in (see Privacy Mode), we use PostHog to collect anonymized usage events including page views, feature usage, and AI interaction metrics. PostHog may set cookies to identify returning sessions.
- Vercel Analytics — privacy-friendly web analytics that collects page views and performance metrics without personally identifying you
We do not use advertising cookies or tracking pixels. We do not participate in cross-site tracking or retargeting networks.
14. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information as soon as possible. If you believe a child under 16 has provided us with personal information, please contact us at [email protected].
15. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States and the European Union. Our third-party service providers operate in various jurisdictions. When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by the European Commission
- Data processing agreements with all third-party service providers
- Compliance with applicable data transfer frameworks
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email if you have an active account
- Display a prominent notice on the Service for at least 30 days
Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
17. Contact Us
If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, contact us at:
- Email: [email protected]
- Website: bytown.co
We aim to respond to all privacy-related inquiries within 30 days.