Privacy Policy

controlee.ai is an operator-facing tool that lets a single team manage content publishing, social media, ads, and analytics across multiple websites from one panel. Throughout this policy, “controlee.ai”, “we”, “us”, and “our” refer to this product and the people operating it.

Contact: hello@controlee.ai

We collect three categories of data, each kept separate inside our database:

1. Operator account data. Email, password hash, multi-factor authentication enrollment, and role (owner / admin / member). Stored in Supabase, encrypted at rest.
2. Connected-service credentials.When you connect a managed site to controlee.ai — WordPress, Meta Business assets, Google Analytics, Cloudflare, GoDaddy, Mailgun, etc. — we store the API keys or access tokens you provide. These are encrypted at rest with envelope encryption(per-record data-encryption keys wrapped by a master key) and are never returned to the browser in plain text.
3. Activity + audit logs.Every credential write, read, rotate, or reveal — plus every meaningful operation (article publish, ad action, agent decision) — is appended to an audit log along with timestamp, actor ID, IP address, and user agent. The audit log is append-only.

We use the data above strictly to operate the service:

• Account data authenticates you and enforces role-based access.
• Connected-service credentials are decrypted in-memory only when an operator (or a scoped agent token acting on the operator's behalf) explicitly invokes an operation that needs them — publishing an article, pulling analytics, updating a DNS record. They are never used for analytics, never shared with third parties, and never used for any purpose beyond the operation you requested.
• Audit logs are used for security incident investigation and to surface recent activity to operators (so you can see what an agent token did).

We do not sell, rent, or share your data with third parties for advertising or marketing. We share data only with the third-party services that you have explicitly connected, and only to perform the operations you request. For example, if you connect a Facebook Page, we send post content + your stored Page access token to graph.facebook.comwhen you click “Publish”. We never send your Page token anywhere else.

Subprocessors that handle our infrastructure on our behalf:

• Supabase — database + authentication (US region).
• Vercel — web hosting + serverless compute.
• Anthropic— AI agent reasoning. We send prompts that may contain content you author; we do not send credentials or audit log payloads.
• AWS KMS— master key custody for envelope encryption (no data leaves us; KMS only signs/wraps key material).

• Account data: until you delete your account.
• Connected-service credentials: until you delete the credential, delete the site, or delete your account. You can clear any credential at any time from the site's settings page; the prior plaintext is unrecoverable after the DEK is purged.
• Audit logs: retained for 24 months for security and compliance purposes, then automatically purged.

You can, at any time:

• View, edit, or delete your account.
• View and delete any connected-service credential.
• Export your data in machine-readable form by emailing the address below.
• Request deletion of all data associated with your account — see Data deletion instructions.

All data is encrypted in transit (TLS 1.2+) and at rest. Credentials use per-record envelope encryption with the master key held in AWS KMS — the master key never leaves AWS. Multi-factor authentication is required for every operator account. Sensitive operations (publishing, money-spending, credential rotation, credential reveal) require a paired human approval within a 5-minute window when invoked via agent tokens.

We'll post any material changes here and update the “last updated” date at the top. If the changes affect how we use credentials or audit logs, we'll notify operators directly via email before the change takes effect.

Questions, deletion requests, or data-export requests: hello@controlee.ai