Privacy Policy

Effective date: June 1, 2026. Last updated: June 1, 2026.

This Privacy Policy explains how 1st Place AI ("we", "us", "the Company"), the company that operates AI Domination, collects, uses, stores, shares, and protects personal information when you use our website, dashboard, APIs, browser extension, and integrations (collectively, the "Service"). It is written to satisfy the disclosure obligations of the EU General Data Protection Regulation (GDPR), the United Kingdom GDPR, and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

If you have any questions about how we handle your information, contact our Data Protection Officer at privacy@example.com.

1. Who is the data controller?

When you sign up for AI Domination directly (a self-service account), 1st Place AI is the controller of the personal data you provide.

When you use AI Domination as part of a workspace your employer or another organization owns, that organization is typically the controller and 1st Place AI acts as a processor on their behalf. In that case, the organization's own privacy policy applies in addition to this one, and you should direct individual-rights requests (access, deletion, etc.) to the controller first.

2. What personal information we collect

We collect only the personal data the Service needs to function. The categories below describe every type of personal information we hold.

2.1 Information you provide

  • Account information: name, email address, password (stored as an argon2 hash; we never see the plaintext), profile picture URL.
  • Workspace information: workspace name, slug, brand color, support email, custom domain, automation settings, optional white-label header and footer.
  • Company profiles: business name, website, industry, description, brand voice, target customer types, target locations, compliance notes, social profile URLs. You provide these when you set up a company inside the Platform.
  • Billing information: name, billing address, VAT/tax identifier, the last four digits of your payment method. Full card numbers are tokenized and held by Stripe, our payments processor; we never see or store them.
  • Two-factor authentication secrets: a TOTP seed (encrypted at rest using AES-256-GCM) and ten one-time recovery codes (argon2-hashed; each consumed on use).
  • Content you generate or upload: drafts, approvals, comments, uploaded images, audit reports, chat history with the in-app assistant.

2.2 Information collected automatically

  • Server logs: IP address, user agent, request path, HTTP status, response time. Retained 30 days for security investigation.
  • Audit log: every consequential action (sign-in, content approval, publishing, integration connect/disconnect, admin impersonation). Retained for the life of the workspace and for one year after deletion for legal-compliance purposes (anonymized on user deletion — your name is removed but the action remains in the trail).
  • Cookies: see our Cookie Policy for the full list.

2.3 Information collected from third parties

When you connect an integration — Google, LinkedIn, Slack, WordPress, Webflow, Shopify, Wix, Squarespace, Reddit — we collect the OAuth tokens that allow us to act on your behalf in that third-party system, plus the metadata that integration returns (team name, channel list, page list, etc.). Tokens are encrypted at rest using AES-256-GCM.

3. Why we process personal information (lawful bases)

Under GDPR Article 6, we need a lawful basis for every category of processing. We rely on:

  • Performance of a contract (Article 6(1)(b)): providing the Service you signed up for — running audits, generating content, publishing it to your connected channels.
  • Legitimate interest (Article 6(1)(f)): security monitoring, fraud prevention, debugging, internal analytics on aggregated and de-identified data, and improving the Service. We balance our interest against your rights — see our LIA summary, available on request to privacy@example.com.
  • Consent (Article 6(1)(a)): non-essential cookies, marketing communications, product analytics. You may withdraw consent at any time via the cookie banner or your privacy settings inside the Platform.
  • Legal obligation (Article 6(1)(c)): retaining billing records to comply with tax law, responding to lawful court orders.

4. How we use personal information

We use personal information to:

  • Provide the core Service: account login, workspace management, audits, content generation, publishing, AI-engine visibility tracking, brand monitoring, reporting, and the in-app assistant.
  • Communicate with you: transactional emails (verification, password reset, deletion confirmation, billing receipts, security alerts) and, with your consent, product updates and drip onboarding.
  • Bill you for paid plans (via Stripe).
  • Detect, investigate, and prevent abuse, fraud, and security incidents.
  • Improve the Service through aggregated, de-identified analytics. We do not train our AI models on your data without your explicit, separate written permission.
  • Comply with our legal obligations and respond to lawful requests.

5. Who we share personal information with

We share personal data only with the categories of recipient below. The full list of named sub-processors is maintained at /legal/subprocessors and updated whenever it changes.

  • Sub-processors: the third-party service providers we use to operate the Service (hosting, AI inference, email delivery, payments, analytics, error monitoring, storage). Every sub-processor is bound by a written data processing agreement that imposes obligations equivalent to those in our DPA with you.
  • Authorities: when compelled by a valid court order, subpoena, or regulatory request, after first reviewing the request for legal sufficiency.
  • Successors: if we are acquired, merge, or sell substantially all our assets, personal data may transfer as part of the transaction, subject to the acquirer's commitment to this Policy or one materially as protective.

We do not sell personal information. Under CCPA, "sale" includes some forms of disclosure for monetary or other valuable consideration — we do not do that either. We also do not share personal information for cross-context behavioral advertising.

6. International data transfers

Our primary operating regions are the European Economic Area and the United States. Where personal data is transferred outside the EEA or the UK, we rely on:

  • Standard Contractual Clauses (SCCs): the 2021 EU SCCs and the UK addendum, executed with every non-EEA sub-processor.
  • Adequacy decisions: where the destination country has been recognized by the European Commission as providing an adequate level of protection.
  • Transfer impact assessments: completed before onboarding any sub-processor that involves a cross-border transfer.

You can request a copy of the SCCs we have in place with a specific sub-processor by emailing privacy@example.com.

7. How long we keep personal information

  • Account data: while your account is active, plus 30 days after deletion to allow recovery in case of mistaken deletion.
  • Audit log: life of the workspace plus one year after workspace deletion, in anonymized form (your name removed; actions retained).
  • Billing records: seven years, to comply with tax and accounting law in our operating regions.
  • Server logs: 30 days.
  • Backups: 35 days, then automatically purged.

When the retention period expires we delete the data securely, or — for backups — wait for the next backup-cycle rotation to do so.

8. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you (Article 15) — see /settings/data-export.
  • Rectification of inaccurate data (Article 16) — edit your profile and workspace settings inside the Service.
  • Erasure of your data (Article 17) — see /security. Some data is retained in anonymized form (the audit log) to preserve security integrity.
  • Restriction of processing (Article 18) — contact privacy@example.com.
  • Data portability (Article 20) — see /settings/data-export. The export is JSON, a structured machine-readable format.
  • Object to processing (Article 21) — see /settings/privacy.
  • Withdraw consent (Article 7(3)) — adjust the cookie banner or your privacy settings at any time.
  • Lodge a complaint with your national supervisory authority (Article 77) — find yours via the European Data Protection Board.

Under CCPA / CPRA, California residents additionally have the right to:

  • Know what categories of personal information we collect and disclose, the purposes, and the categories of recipient.
  • Delete their personal information, subject to the same retention exceptions as above.
  • Correct inaccurate personal information.
  • Limit the use of sensitive personal information. We do not use sensitive personal information for any purpose beyond providing the Service.
  • Non-discrimination: we do not deny service, charge different prices, or provide a different level of quality because you exercised a CCPA right.

We respond to verifiable rights requests within 30 days (GDPR) or 45 days (CCPA, extendable to 90 in complex cases). If we need more time we'll tell you.

To exercise a right that isn't directly actionable from the dashboard, email privacy@example.com from the email address on your account.

9. Security

We take the security of personal data seriously. Our controls include:

  • HTTPS-only transport (HSTS-preloaded), with modern TLS suites.
  • AES-256-GCM encryption at rest for OAuth tokens, TOTP secrets, webhook signing secrets, CMS configuration, and Slack bot tokens.
  • argon2 password hashing.
  • Two-factor authentication available on every account.
  • Audit logging of every consequential action.
  • Principle of least privilege for staff access. Direct database access is restricted to a named on-call group and is itself audited.
  • Annual penetration testing and a public vulnerability disclosure address (security@example.com).

If you believe you've discovered a security vulnerability, please email security@example.com. We commit to acknowledging within 24 hours and providing a remediation timeline within five business days.

10. Children's data

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you become aware that a child has provided personal information to us, please email privacy@example.com and we will delete the data promptly.

11. Cookies

See our dedicated Cookie Policy for a complete list of cookies, their purpose, retention, and consent controls.

12. EU and UK representatives

Where required by GDPR Article 27 (EU) and the UK GDPR equivalent, we will designate an EU and a UK representative once we reach the thresholds that obligate one. Until then, contact our Data Protection Officer at privacy@example.com for any matter that would otherwise be addressed to a representative.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to the address on your account and through an in-app banner at least 30 days before they take effect. The "Effective date" and "Last updated" stamps at the top of the page show when the current version went live.

14. Contact

We respond to all good-faith privacy enquiries within five business days, and to formal rights requests within the timeframes set out in Section 8.
