01. Overview
AI Ad Factory ("we", "us", "our") respects your privacy. This Privacy Policy explains what personal information we collect when you use our AI Ad Factory service at https://kiloros.com (the "Service"), how we use it, who we share it with, and the rights you have over it.
We designed AI Ad Factory to collect the minimum data needed to operate the Service. We do not sell your data. We do not run ad networks on your data. We do not train AI models on your private content.
If you do not agree with this Policy, do not use the Service. By creating an account or using the Service you accept this Policy.
02. Information we collect
You provide directly:
- Account data — name, email address, password hash (bcrypt; we never see plaintext), and authentication tokens.
- Project content — images you upload, text prompts, scripts, scene descriptions, and project titles.
- Payment data — handled by Stripe. We receive a transaction ID, the last 4 digits of your card, and your billing email. We never see your full card number or CVV.
- Support messages — anything you email us about.
Collected automatically:
- Usage logs — pages visited, features used, render counts, error events, IP address, browser user-agent.
- Cookies — strictly-necessary cookies for authentication (`access_token`, `refresh_token`) and CSRF protection. No third-party advertising cookies.
- Generated artifacts — videos, voiceovers, and storyboards your account produces are stored on our servers so you can re-download them.
From third-party AI providers: nothing — your prompts are sent through us to OpenAI / Fal.ai / Sora 2 / Kling, but their responses come back to us, not directly from them.
03. How we use your information
We use your data only for the purposes you'd expect from a SaaS product:
- To operate the Service (run renders, manage your account, deliver MP4s).
- To process payments via Stripe and credit your account.
- To send transactional emails (welcome, password reset, render-complete, receipts). We do not send marketing emails without a separate opt-in.
- To improve the Service — debugging, performance monitoring, fraud prevention.
- To comply with legal obligations and respond to lawful requests (court orders, DMCA notices).
We do not:
- Sell or rent your personal information to third parties.
- Use your private projects, scripts, or uploaded images to train AI models.
- Profile users for advertising networks.
04. Third-party processors
We use the following sub-processors to operate the Service. Each is contractually bound by their own privacy commitments:
- Stripe, Inc. (payments) — handles all card data. stripe.com/privacy
- OpenAI (GPT-5.2 for scripts/analysis, TTS for voiceover) — receives your prompts via API. Per OpenAI's API terms, your prompts are not used to train their models.
- Google LLC (Sora 2 video generation, optional OAuth sign-in) — receives image + text inputs for generation requests.
- fal.ai and Kling AI (alternate video generation engines) — receive image + text inputs when you select those engines.
- Resend, Inc. (transactional email) — receives your email address and message body to deliver welcome / receipt / reset / render-complete emails.
- MongoDB Atlas (database hosting) — stores your account record + project metadata.
- Cloud hosting infrastructure — Emergent platform (currently US-East region).
05. Your rights
Depending on where you live, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — fix anything inaccurate via Settings → Profile.
- Deletion — delete your account at Settings → Danger Zone. This permanently wipes your user record, projects, and transactions. It cannot be undone.
- Portability — request your data in a machine-readable JSON export.
- Withdraw consent — opt out of optional emails at any time (transactional emails like password reset are not optional).
- Object / Restrict — ask us to stop processing data in specific ways.
- Complain — file a complaint with your local data protection authority (e.g., the ICO in the UK, your EU DPA, the CPPA in California).
To exercise any right, email kiloros33@gmail.com. We respond within 30 days.
06. GDPR (EU/UK users)
If you're in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and UK GDPR apply.
Legal bases for processing:
- Contract (Art. 6(1)(b)) — for delivering the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — for fraud prevention, security, product improvement.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and court orders.
- Consent (Art. 6(1)(a)) — for optional marketing emails (opt-in only).
International transfers — your data is processed in the United States. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers outside the EEA/UK.
Data Protection Officer — we are below the size threshold that legally requires a DPO. Please contact kiloros33@gmail.com for any privacy matter.
07. CCPA / CPRA (California residents)
California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- Right to know what personal information we collect, use, disclose, and sell (we do not sell).
- Right to delete personal information we collect.
- Right to correct inaccurate personal information.
- Right to opt out of sale/sharing — we do not sell or share personal information.
- Right to non-discrimination — exercising your rights will never affect the price, level, or quality of Service.
To make a CCPA request, email kiloros33@gmail.com with the subject "CCPA Request".
08. DPDP Act (India)
For Indian users, we comply with the Digital Personal Data Protection Act, 2023 (DPDP Act):
- Notice — this Policy is your notice of personal data processing.
- Consent — by creating an account, you consent to processing for the purposes described in this Policy.
- Withdrawal — you may withdraw consent at any time by deleting your account.
- Grievance officer — please email kiloros33@gmail.com with the subject "DPDP Grievance". We acknowledge within 7 days and resolve within 30 days.
- Cross-border transfer — your data may be processed outside India by our sub-processors listed above.
09. Security
- Passwords are hashed with bcrypt; we never store plaintext.
- All traffic is encrypted in transit via HTTPS/TLS 1.2+.
- Authentication uses short-lived JWT access tokens + HttpOnly refresh cookies. Tokens are signed with HS256.
- Payment data never touches our servers — Stripe handles card details end-to-end.
- Database access is restricted to application servers via IP allow-listing.
- We retain data only as long as needed; deleted accounts are wiped immediately from the primary database.
No system is 100% secure. If you suspect a breach, please email kiloros33@gmail.com immediately.
10. Data retention
- Active accounts — kept for the lifetime of the account.
- Deleted accounts — user record and project metadata are removed immediately. Stored files (renders, voiceovers) are removed within 30 days by a janitor job.
- Payment records — kept for 7 years for tax/accounting compliance, then deleted.
- Server logs — kept for 90 days, then rotated out.
11. Children
The Service is not directed to children under 13 (US) / 16 (EU). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, email kiloros33@gmail.com and we will delete it.
12. Changes to this Policy
We may update this Policy when we add new features or change sub-processors. We'll update the "Last updated" date at the top of this page. For material changes that affect your rights, we'll also email registered account holders at least 14 days in advance.
13. Contact
AI Ad Factory · Privacy inquiries
Email: kiloros33@gmail.com