Privacy Policy

1. Introduction and scope

This Privacy Policy describes how Instantxs Inc. (“Instantxs,” “we,” “us,” or “our”), a company registered in the United States, collects, uses, discloses, and protects personal data when you visit our marketing websites, use the SetterAI web and mobile-accessible application (the “Service”), or otherwise interact with us.

The Service is offered in multiple regions, including the United States, the European Economic Area (“EEA”), the United Kingdom, Brazil, and Thailand. Where local laws provide additional rights or requirements, we apply them as described below.

By using the Service, you acknowledge that you have read this Policy. If you do not agree, do not use the Service.

2. Data controller and contact

For personal data relating to your SetterAI account, billing, and our operation of the platform, Instantxs Inc. is the data controller under the EU/UK General Data Protection Regulation ("GDPR") and similar laws.

Privacy inquiries: [email protected]

Registered entity: Instantxs Inc., United States. You may request our full registered mailing address by emailing [email protected].

EU/UK representative (GDPR Art. 27): If you are located in the EEA or UK, our designated representative can be contacted at [email protected]. We will provide the name and address of our appointed EU/UK representative upon request.

Brazil data protection officer (LGPD Art. 41): Our designated encarregado (DPO) for LGPD purposes can be reached at [email protected].

3. Personal data we collect

We may collect the following categories of information:

Account and profile data: name, email address, password (stored via our authentication provider in hashed form), language preference, company or business name, business type, and settings you configure in the Service.

CRM and operational content you upload: contact and lead records (e.g., name, phone, email, job title, LinkedIn URL, company, tags, notes), deals, pipelines, tasks, meetings, activities, campaigns, messages, templates, files, and other content you or your users submit.

Messaging and communications data: content and metadata of conversations across connected channels (e.g., WhatsApp, Instagram, Telegram, email), including inbound/outbound messages, media, delivery status, and channel identifiers.

Voice data: audio from voice notes or calls where you enable such features; call recordings and transcripts where supported (e.g., via telephony or AI voice providers); speech-to-text conversion performed by third-party AI services.

AI interaction data: prompts, completions, tool outputs, model selections, usage metrics, and cost logs when you use AI features. If you provide your own API keys (“bring your own key” or BYOK), your inputs and outputs may be processed directly by those AI providers under their terms.

Integration and credentials: OAuth tokens, API keys, webhook secrets, and configuration for integrations you connect (e.g., Twilio, Meta, LinkedIn, Google, Microsoft, Calendly, Cal.com, Vapi, Shopify, Stripe-connected billing identifiers, enrichment providers).

SEO and marketing-automation data: website URLs you submit, crawl/audit results, keyword and content data, Google Analytics 4 and Google Search Console data you authorize, Shopify store data you connect, competitor and backlink research inputs, and AI “mention” monitoring prompts and responses.

Marketing site and lead chat: messages you send through our public chat widget, session identifiers, locale, and optional details you provide (e.g., name, email, phone, company).

Payment data: subscription status, invoices, and transaction records. Payment card data is processed by our payment processor (e.g., Stripe); we do not store full card numbers.

Technical and usage data: IP address, device/browser type, approximate location derived from IP, cookies and similar technologies, local storage preferences (e.g., cookie consent, locale), logs, and security signals.

Enrichment data: information returned by third-party enrichment services when you use enrichment features (e.g., email, phone, title, company), based on identifiers you supply.

4. How we use personal data

We use personal data to: provide, operate, secure, and improve the Service; authenticate users; process subscriptions and payments; route messages and calls; run AI features you enable; provide support; send service-related notices; comply with law; enforce our Terms; detect and prevent fraud and abuse; analyze aggregated or de-identified usage; and communicate about products where permitted.

Legal bases (GDPR/UK): performance of a contract; legitimate interests (e.g., security, product improvement, fraud prevention), balanced against your rights; consent where required (e.g., certain cookies or marketing); legal obligation.

Legal bases (LGPD — Brazil): performance of a contract or preliminary procedures; legitimate interests; consent; compliance with a legal or regulatory obligation; regular exercise of rights in judicial, administrative, or arbitration proceedings; protection of life or physical safety; credit protection where applicable.

Legal bases (PDPA — Thailand): performance of a contract; legitimate interests; consent; compliance with law; vital interests; public interest or exercise of official authority where applicable.

5. How we share personal data

We share data with service providers who process it on our instructions (“processors”), including for example: Supabase (database and authentication); cloud hosting; Stripe (payments); Twilio (messaging/voice); Meta (WhatsApp Cloud, Instagram); Telegram; LinkedIn; Vapi (AI voice calls); OpenAI, Anthropic, Google AI, Perplexity, xAI, and similar providers when you use AI features; AWS SES or comparable email delivery; FullEnrich or other enrichment vendors; analytics or monitoring tools we may use; and professional advisers.

When you connect third-party accounts, those providers receive and process data under their own policies. BYOK configurations may cause data to flow directly to the AI provider you select, governed by your agreement with that provider.

We may disclose data if required by law, legal process, or governmental request; to protect rights, safety, and security; or in connection with a merger, acquisition, or asset sale (with notice where required).

We do not sell personal data for money. Certain sharing for analytics or advertising may be deemed “sale” or “sharing” under U.S. state laws; you may opt out where applicable as described in Section 8.

6. International transfers

We are based in the United States. Data may be processed in the U.S. and other countries where we or our subprocessors operate. Where GDPR/UK GDPR applies, we rely on appropriate safeguards such as Standard Contractual Clauses and supplementary measures as needed. Similar protections apply for Brazil (LGPD) and Thailand (PDPA) transfers as required.

7. Retention

We retain personal data for as long as your account is active and as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Below are indicative retention periods:

Account data: retained for the duration of your active subscription plus 30 days after deletion request processing.

Billing and tax records: retained for a minimum of 7 years from the transaction date, or longer as required by applicable tax law.

Communication logs: retained while your account is active; deleted within 90 days of account deletion unless required for legal compliance.

AI interaction logs (prompts and completions): retained while your account is active for audit and support; deleted within 90 days of account deletion.

Backup copies: may persist for up to 90 days after deletion from production systems.

When you request account deletion, we process requests in line with our product flows (including support tickets and operational completion). You control much of the data inside your workspace (e.g., contacts, messages) and may delete it using in-product tools subject to technical limits.

8. Your privacy rights

EEA/UK/Switzerland (GDPR): access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, and withdrawal of consent where processing is consent-based. We respond within 30 days, extendable by up to 60 days for complex requests with notice. You may lodge a complaint with your supervisory authority.

California (CCPA/CPRA): right to know, delete, and correct certain personal information; right to opt out of sale/sharing (we describe "sharing" above); limit use of sensitive personal information where applicable; non-discrimination for exercising rights. Authorized agents may submit requests as permitted by law. We respond within 45 days, extendable by up to 45 additional days with notice.

Brazil (LGPD): confirmation of processing, access, correction, anonymization, deletion, portability, information about sharing, revocation of consent, and objection where applicable. We respond within 15 business days or as required by ANPD regulations.

Thailand (PDPA): access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint to the Office of the PDPC. We respond within 30 days of receiving a verified request.

Submit requests at [email protected]. We may verify your identity before responding.

9. Cookies and similar technologies

We use cookies, local storage, and similar technologies. Categories include:

Strictly necessary: session management, security tokens, locale/language preferences. These cannot be disabled.

Analytics: aggregated usage metrics to improve the Service (e.g., page views, feature adoption). Enabled only with your consent where required.

Marketing: used for advertising, retargeting, and measuring campaign effectiveness. Enabled only with your consent.

Functional: enhanced features and personalization beyond core functionality. Enabled only with your consent.

You can manage preferences through our cookie banner where available and through browser settings. We honor Global Privacy Control ("GPC") and similar opt-out signals where required by law. See our Terms for links to third-party policies for integrated services.

10. AI-specific disclosures

AI-generated outputs may be inaccurate, incomplete, or inappropriate. You should not rely on them as professional, legal, financial, or medical advice. Voice or chat features may be AI-driven; you are responsible for disclosures to your end users where required by law or platform rules.

Content you submit may be sent to third-party model providers for inference. AI mention monitoring sends prompts you configure to third-party models and stores responses for your review.

Data handling by AI providers: We configure our API integrations to request that third-party AI providers do not train on your data where such options are available. However, each provider's retention and training policies are governed by their own terms, which may change. We encourage you to review the data processing terms of any AI provider whose models you select.

When you use BYOK, your relationship with the AI provider is direct; we encourage you to review their data processing terms.

11. Customers as controllers (your contacts)

If you use SetterAI to store or process personal data about your own customers, leads, or employees, you are typically an independent controller (or processor to your own clients) of that data. Instantxs processes such data as a processor on your behalf to provide the Service, in accordance with our Terms and, where applicable, a data processing addendum available on request.

You are responsible for having a lawful basis to message, call, enrich, or otherwise process your contacts and for honoring their rights under applicable law.

12. Security

We implement technical and organizational measures appropriate to the risk, such as encryption in transit, access controls, and vendor diligence. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

13. Children

The Service is not directed to children. We do not knowingly collect personal data from children under 13 (U.S.) or under the minimum age required in your jurisdiction (e.g., 16 where EU law applies to consent). Contact us if you believe a child has provided data.

14. Changes to this Policy

We may update this Policy from time to time. We will post the revised version and update the “Last updated” date. Where required, we will provide additional notice (e.g., email or in-app message).

15. Contact

Instantxs Inc. — [email protected]