Privacy Policy

Last updated: April 1, 2026

1. Introduction

KrisAI AdCraft ("we", "our", or "us") operates the platform available at https://app.krisai.co. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered advertising platform. By accessing or using KrisAI AdCraft, you agree to this policy.

2. Information We Collect

2.1 Account & Profile Information

  • Name, email address, and password (hashed)
  • Business name, vertical (Attorney, Real Estate, or B2B), and role
  • Profile photo (if provided via Google OAuth)
  • Brand Voice settings: tone keywords, mission statement, personas, and USPs

2.2 Ad Campaign & Creative Data

  • Campaign briefs, ad copy, headlines, descriptions, and calls-to-action you generate
  • AI-generated images, audio voiceovers, and carousel slides stored in our Supabase storage
  • Campaign performance metrics retrieved from connected ad platforms

2.3 Third-Party Platform Credentials

When you connect Meta, Google Ads, or LinkedIn, we store OAuth access tokens and refresh tokens, encrypted at rest using AES-256-GCM. We use these solely to manage campaigns on your behalf.

2.4 Lead & CRM Data

  • Prospect names, emails, phone numbers, and company details you import or enter
  • Lead scores, sequence enrollment status, and activity history

2.5 Automatically Collected Data

  • IP address, browser type, operating system, and referring URLs
  • Session identifiers and authentication tokens (JWT, Supabase session)
  • API usage logs (request timestamps, endpoint, response status — no request bodies)

3. How We Use Your Information

  • Provide the service — generate AI ad copy and images, manage campaigns, store creatives
  • Authentication — verify your identity via email/password or Google OAuth (NextAuth.js)
  • AI generation — your brief and brand voice are sent to Anthropic (Claude), OpenAI (DALL·E / TTS), and fal.ai (FLUX) to produce ad content; see Section 5 for details
  • Campaign management — push and monitor ads on Meta, Google Ads, and LinkedIn using your authorized credentials
  • Billing & notifications — transactional emails about your account and usage
  • Security & abuse prevention — detect fraudulent activity and enforce rate limits
  • Product improvement — aggregated, anonymized analytics to improve platform features

4. Google OAuth & API Scopes

When you sign in with Google or connect Google Ads, we request only the scopes necessary for the features you use:

Scope | Purpose
openid | Authenticate your identity
profile | Display your name and avatar in the dashboard
email | Create or link your KrisAI AdCraft account
https://www.googleapis.com/auth/adwords | Create, manage, and report on Google Ads campaigns (only when you connect Google Ads)

KrisAI AdCraft's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Third-Party AI Services

To generate ad content, we send portions of your input (brief, brand voice, vertical) to the following processors:

  • Anthropic (Claude Opus) — ad copy, video scripts, carousel text. Privacy Policy
  • OpenAI (DALL·E 3, TTS-1-HD) — image generation and voiceover synthesis. Privacy Policy
  • fal.ai (FLUX.1) — primary image generation. Privacy Policy

We do not send personally identifiable information (PII) such as your name, email, or lead data to these services. Only your creative brief and brand voice inputs are transmitted.

6. Data Storage & Security

  • User data is stored in a PostgreSQL database hosted on Supabase (AWS us-east-1)
  • Generated images and audio are stored in Supabase Storage (public CDN for browser delivery)
  • OAuth tokens and sensitive credentials are encrypted at rest with AES-256-GCM
  • All data in transit is protected via TLS 1.2+
  • Access to the database is restricted to application servers via Supabase Row-Level Security (RLS)
  • We do not store credit card numbers — billing is handled by our payment processor

7. Data Retention

  • Account data is retained while your account is active
  • Generated creatives (images, audio) are retained in storage until you delete them
  • OAuth tokens are deleted when you disconnect a platform integration
  • Upon account deletion, all personal data is permanently removed within 30 days
  • Anonymized usage logs may be retained for up to 12 months for analytics

8. Data Sharing & Disclosure

We do not sell your personal data. We share data only in these circumstances:

  • Service providers — Supabase (database/storage), Vercel (hosting), Inngest (background jobs), Anthropic/OpenAI/fal.ai (AI generation), ad platform APIs (Meta, Google, LinkedIn)
  • Legal requirements — if required by law, court order, or government request
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to you
  • Your consent — in any other case, only with your explicit permission

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — update inaccurate or incomplete information via your Settings page
  • Deletion — request deletion of your account and associated data
  • Portability — receive your data in a machine-readable format
  • Withdraw consent — disconnect platform integrations at any time via the Integrations page
  • Opt-out — unsubscribe from marketing emails at any time

To exercise any of these rights, email us at privacy@krisai.co. We will respond within 30 days.

10. Cookies & Tracking

We use only essential cookies required to operate the service:

  • Session cookies — NextAuth.js and Supabase session tokens to keep you signed in
  • Preference cookies — your accent theme preference stored in localStorage

We do not use advertising cookies, third-party tracking pixels, or behavioral analytics cookies.

11. Children's Privacy

KrisAI AdCraft is a business platform not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at privacy@krisai.co and we will delete it promptly.

12. International Data Transfers

Our servers are located in the United States (AWS us-east-1 via Supabase, Vercel iad1). If you access KrisAI AdCraft from outside the United States, your data will be transferred to and processed in the US. By using the platform, you consent to this transfer.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice in the dashboard. The "Last updated" date at the top will always reflect the most recent revision. Continued use of the platform after changes constitutes acceptance.

14. Contact Us

If you have questions, requests, or concerns about this Privacy Policy, please contact:

KrisAI AdCraft

Privacy & Data Protection

Email: privacy@krisai.co

Website: https://app.krisai.co