MediaPilot
Get Started
MediaPilot
Legal

Privacy Policy

Effective Date: April 21, 2026 | Last Updated: May 18, 2026

Operated by Engineered Exposure LLP ("Company," "we," "us," or "our")

1. Information We Collect

1.1 Information You Provide Directly

  • Account Registration: Name, email, business name, industry, hashed password via Firebase.
  • Onboarding Profile: Website URL, social handles, target audience, brand voice, content goals, posting frequency.
  • Billing Information: Processed by Stripe — we store tokenized reference, billing name, address, last four digits only; we never store full card numbers or CVV.
  • Communications: Name, email, message contents when you contact support.
  • Content You Create: Posts, captions, images, videos, scheduled content, AI-generated graphics — collectively "User Content."
  • Referral Data: Referral codes and referral relationships between accounts (who referred whom). Collected and stored solely for the purpose of tracking and applying referral program rewards. Referral relationship data is not sold or shared with third parties and is retained as long as the referring account remains active.

1.2 Information We Collect Automatically

  • Device and browser info (browser type, OS, device type, screen resolution).
  • IP address and approximate geographic location.
  • Usage data (pages visited, features used, time spent, clickstream).
  • Firebase authentication tokens.
  • Log data (server logs, error reports, timestamps).
  • Cookies and similar tracking technologies (see Section 6).

We use Google Analytics 4 (Google LLC) to collect usage data including pages visited, scroll depth, click-through rates, session duration, and exit points. This data is collected via first-party cookies and is used solely to understand and improve site performance.

1.3 Information From Third-Party Platforms

  • Meta (Facebook/Instagram): Name, profile photo, email, Pages and Instagram accounts managed, page access tokens, engagement metrics, audience insights. Used solely to post content on your behalf, retrieve analytics, and display scheduling info.
  • TikTok: Username, profile info, authorized accounts, content posting permissions. Used solely to publish content you schedule.
  • LinkedIn, YouTube, and other connected platforms: Basic profile info and OAuth permissions necessary to publish and manage content.

We do not use social platform data to build advertising profiles, sell data, or for any purpose beyond providing the core Service features you authorized.

2. How We Use Your Information

We use the information we collect to:

  • (a) Provide, operate, and maintain the Service including scheduling and publishing content to connected accounts.
  • (b) Generate AI-powered captions, graphics, and content plans personalized to your business profile.
  • (c) Process payments and manage subscriptions through Stripe.
  • (d) Authenticate identity and maintain account security.
  • (e) Send transactional emails (verification, password reset, billing confirmations, scheduled post notifications).
  • (f) Send service announcements and, where opted in, marketing communications (opt out anytime).
  • (g) Monitor and analyze usage trends to improve the Service.
  • (h) Detect, investigate, and prevent fraud, abuse, and security incidents.
  • (i) Comply with legal obligations and respond to lawful requests.
  • (j) Enforce our Terms of Service and applicable policies.

We do not sell your personal information. We do not use your personal information or User Content to train third-party AI models without your explicit consent.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share only in these circumstances:

3.1 Service Providers

  • Firebase (Google LLC) — authentication
  • Stripe, Inc. — payments
  • Railway Technologies — hosting
  • Cloudflare, Inc. — CDN, R2 storage, DNS, security
  • Deepgram, Inc. — audio transcription
  • Anthropic, PBC — AI content generation
  • OpenAI, LLC — image generation via proxy
  • Sentry (Functional Software) — error monitoring
  • Redis/Upstash — queue management
  • Google LLC (Google Analytics 4) — website analytics

All providers are contractually bound to use data only as directed by us and to delete it when services cease.

3.2 Social Media Platforms

When you authorize connections to Meta, TikTok, LinkedIn, YouTube, or other platforms, we share User Content and scheduling data solely to publish on your behalf, governed by each platform's own terms and privacy policy.

3.3 Business Transfers

In a merger, acquisition, asset sale, or bankruptcy, your information may transfer. We will notify you by email or prominent notice before transfer and before your data becomes subject to a different privacy policy.

3.4 Legal Requirements

We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith disclosure is necessary to comply with legal obligations, protect Company rights or property, prevent wrongdoing, or protect user safety.

3.5 With Your Consent

We may share for any other purpose with your explicit consent.

4. Data Retention

  • Account data: Retained for subscription duration plus 90 days after deletion, then permanently deleted.
  • User Content: Retained for subscription duration plus 30 days after cancellation or deletion.
  • Billing records: Retained 7 years as required by tax and financial regulations.
  • Log data and analytics: Retained up to 12 months.
  • OAuth tokens: Deleted immediately upon account disconnection or deletion.

Deletion requests processed within 30 days. Residual backup copies purged within 90 days. Certain data retained longer where required by law.

5. Data Security

  • All data in transit encrypted via TLS 1.2 or higher (HTTPS).
  • All data at rest encrypted on Cloudflare R2 and Railway infrastructure.
  • Passwords never stored in plaintext — authentication managed via Firebase.
  • OAuth tokens encrypted at rest.
  • Access to production systems restricted to authorized personnel.
  • Systems monitored via Sentry and server-level logging.

No method of electronic transmission or storage is 100% secure. In the event of a breach affecting your personal information, we will notify you as required by applicable law.

6. Cookies and Tracking Technologies

We use cookies to maintain authenticated sessions, remember preferences, and analyze usage. For analytics, we use Google Analytics 4, which sets first-party cookies (_ga, _ga_*) to distinguish users and sessions. We do not use third-party advertising cookies or tracking pixels. You may configure your browser to refuse cookies or use the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout) to prevent GA4 data collection. Disabling cookies may impair certain features including the ability to remain logged in.

7. Third-Party Platform Permissions and Data Use

We access your social accounts only to publish content you have created and scheduled, and to retrieve basic analytics for your dashboard. We do not access your direct messages, private communications, or personal contacts. We do not use social platform data to build advertising audiences or sell data.

You may revoke our access at any time by disconnecting the account in Settings or revoking authorization through the respective platform's settings.

Our use of Meta API data complies with Meta's Platform Terms and Developer Data Use Policy. Our use of TikTok API data complies with TikTok's Developer Terms of Service.

7.5 Compliance with Meta Platform Terms

MediaPilot's integration with Meta (Facebook and Instagram) is governed by Meta's Platform Terms and Developer Data Use Policy. In addition to the commitments described above:

  • Data Minimization: We request only the minimum permissions necessary (Pages, Instagram Business, and publishing scopes) and do not collect or store personal data from your followers or audiences.
  • No Data Selling: We never sell, license, or sublicense any data obtained through Meta APIs.
  • Token Security: Access tokens are encrypted at rest and transmitted only over TLS. Long-lived tokens are refreshed automatically and revoked upon account disconnection.
  • Data Deletion: When you disconnect a Meta account or delete your MediaPilot account, all associated Meta tokens and cached platform data are permanently deleted within 30 days.
  • Annual Review: We conduct an annual review of our Meta integration to ensure continued compliance with Meta's evolving Platform Terms.

8. Your Rights and Choices

  • 8.1 Access and Portability: Request a copy of your data by emailing legal@getmediapilot.com.
  • 8.2 Correction: Update or correct inaccurate information anytime via the Settings page.
  • 8.3 Deletion: Request account and data deletion by emailing legal@getmediapilot.com or using account deletion in Settings. Processed within 30 days, subject to legal retention obligations.
  • 8.4 Data Deletion from Connected Platforms: Submit deletion requests for Meta or TikTok connected data to legal@getmediapilot.com. Processed within 30 days.
  • 8.5 Opt-Out of Marketing: Click "unsubscribe" in any marketing email or email legal@getmediapilot.com. Transactional communications are not subject to opt-out.
  • 8.6 California Residents (CCPA/CPRA): Right to know what data we collect, use, disclose, and sell; right to request deletion; right to opt out of sale (we do not sell personal information); right to non-discrimination. Contact legal@getmediapilot.com.
  • 8.7 European Residents (GDPR): Right to object to processing, right to restrict processing, right to lodge a complaint with your local supervisory authority. Legal bases include performance of a contract, legitimate interests, legal compliance, and consent where obtained.

9. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal information from children under 18. If we become aware of such collection without parental consent, we will delete it promptly. Contact legal@getmediapilot.com if you believe we have collected information from a minor.

10. International Data Transfers

Our Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to this transfer.

11. Links to Third-Party Sites

The Service may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their policies before providing personal information.

12. Contact Us

Engineered Exposure LLP
Attn: Privacy
109 Bridge St, Unit #1119
Groton, CT 06340

Email: legal@getmediapilot.com
Website: getmediapilot.com

Read our Terms of Service →