Privacy Policy

Last updated: April 14, 2026

1. Information We Collect

Account information

When you create an account, we collect your email address and password (stored as a secure hash). If you sign in via Google OAuth, we receive your Google profile email and name.

Workspace and usage data

Data generated by your use of the Service, including: keyword configurations, discovered creator profiles, pipeline items, scoring results, outreach drafts, custom system prompts, prompt version history, and usage counters.

Creator data from third-party platforms

The Service uses YouTube API Services to collect publicly available information about content creators. Creator data is also collected from TikTok and Instagram. Data collected includes:

  • Public usernames / handles and profile URLs
  • Follower and subscriber counts
  • Public bio text and external URLs
  • Public content URLs, captions, and post dates
  • Engagement metrics (views, likes, comments) on public content
  • Whether the account is a business account (Instagram)

This data is sourced from publicly available profiles and content. Creators whose data is collected are not direct users of the Service and have not provided consent to us directly. Our legal basis for processing this data is legitimate interest in enabling brand-creator partnerships using publicly available information (see Section 7).

Payment information

Payment processing is handled by Stripe. We store your Stripe customer ID and subscription ID but do not store full credit card numbers. Payment method tokens are managed entirely by Stripe.

Server logs

Standard server logs including IP addresses, user-agent strings, request timestamps, and API response codes. These are used for security monitoring and debugging.

2. How We Use Your Information

  • Authenticating your sessions and managing workspace access.
  • Running discovery pipelines on your behalf (searching YouTube, TikTok, Instagram).
  • Scoring creators for brand fit using AI models.
  • Generating outreach draft messages using AI models.
  • Classifying custom system prompts for content safety using AI models.
  • Enforcing usage quotas and billing overage charges.
  • Sending transactional emails (invites, password resets, billing notifications).
  • Monitoring platform health, debugging issues, and improving the Service.

3. AI Processing

The Service sends data to third-party AI providers for the following purposes:

  • Creator scoring: Creator metadata (handle, platform, follower count, content summaries, engagement metrics) is sent to OpenAI to generate a brand-fit score, summary, niche tags, and rationale.
  • Draft generation: Creator metadata and evidence URLs are sent to OpenAI to generate outreach message drafts and subject lines.
  • Prompt classification: Custom system prompts submitted by tenants are sent to OpenAI for content safety classification before storage.
  • Prompt generation (Phase 2): Brand descriptions (provided by the tenant, not stored) are sent to OpenAI to generate suggested system prompts.

Data sent to OpenAI is processed under OpenAI's API data usage policy. As of the effective date, OpenAI does not use API inputs for model training.

4. Data Sharing and Sub-Processors

We do not sell your data. We share data only with sub-processors necessary to operate the Service:

  • Stripe — payment processing and subscription management
  • OpenAI — AI-powered scoring, drafting, classification, and generation
  • Apify — data collection from TikTok and Instagram public APIs
  • YouTube Data API v3 — data collection from YouTube (operated by Google). YouTube API usage is subject to Google's Privacy Policy. You can revoke the Service's access to YouTube data at any time via your Google Account security settings.
  • Resend — transactional and outreach email delivery

Each sub-processor processes data only as necessary to provide its service to us.

5. Data Retention

  • Account data: Retained while your account is active and for 90 days after deletion to allow for recovery.
  • Creator profiles and pipeline data: Retained for the lifetime of your workspace. Deleted when the workspace is deleted.
  • YouTube creator profile data (display name, channel URL, subscriber count, bio text): In compliance with YouTube Developer Policies §III.E.4, this platform-sourced data is refreshed at least every 30 days. Profiles whose underlying YouTube channel has been removed have their display name, subscriber count, and bio text cleared on the next refresh, while preserving outreach history attached to the profile. The refresh runs as a daily background job independent of any tenant action.
  • Prompt version history: Retained indefinitely as an immutable audit trail. Not deleted when a prompt is reverted or changed.
  • Prompt rejection log: Retained indefinitely for security audit purposes. Stores only the first 500 characters of rejected prompts.
  • Prompt generation log: Retained indefinitely. Stores only the character count of brand descriptions — the description text itself is not stored.
  • Server logs: Retained for 12 months.
  • Billing audit events: Retained indefinitely for financial compliance.

6. International Data Transfers

Your data may be transferred to and processed in the United States or other countries where our sub-processors operate (including OpenAI, Stripe, Apify, and Resend). By using the Service, you consent to the transfer of your data to these jurisdictions.

7. Rights of Creators (Non-Account Holders)

The Service collects publicly available information about content creators who are not direct users of the Service. Our legal basis for processing this data is legitimate interest: enabling brands to identify and reach out to creators whose public content aligns with their audience.

If you are a creator whose data appears in the Service and you wish to do any of the following, please contact us at support@soundminds.ai with your platform handle and the platform (YouTube, TikTok, or Instagram):

  • Request a copy of the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data from the platform

We will process your request within 30 days.

8. Your Rights (Account Holders)

You may request a copy of your data, correction of inaccurate data, or deletion of your account at any time by contacting us. Depending on your jurisdiction, you may have additional rights under GDPR, CCPA, or other data protection laws.

9. Cookies and Local Storage

The Service uses essential browser storage for authentication and session management:

  • Authentication tokens: Stored in your browser's local storage to keep you signed in across page loads. These are removed when you log out.
  • Session preferences: UI state (such as dismissed banners and selected tabs) is stored in session storage and cleared when you close your browser.
  • Cookie consent: A single local storage entry records that you have acknowledged the cookie banner.

Advertising and conversion tracking: We load the LinkedIn Insight Tag on pre-authentication pages of this site (the login page and all pages under /signup, including the signup-completion page) to measure signup conversions from our LinkedIn advertising campaigns and to build retargeting audiences from signup-funnel traffic. The Insight Tag is not loaded on authenticated product pages (your dashboard, drafts, inbox, settings, and all other pages you see after signing in), so LinkedIn receives no information about the creators, campaigns, or outreach activity inside your workspace. You can opt out of LinkedIn's tracking via your LinkedIn advertising preferences or by using browser-level tracking protection. Aside from the LinkedIn Insight Tag on pre-authentication pages described above, we do not use analytics services (such as Google Analytics) or other third-party tracking pixels, and we do not participate in cross-site behavioral advertising on our authenticated product.

10. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of your personal information

We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes. To exercise your California privacy rights, contact us at support@soundminds.ai.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

Privacy and support: support@soundminds.ai

Billing: billing@soundminds.ai