Last updated 29 April 2026 · Version 1.0

Privacy Policy

This is the v1 of our privacy policy. We have written it in plain English, covered the main bases, and a counsel-reviewed long-form version will replace it before public launch. If you spot something missing or ambiguous, write to privacy@phivate.com and we will address it.

1. Who we are

“PhiVate” refers to the operating entities behind PhiVate AI Studio: APM Lanka Trading PVT LTD (Sri Lanka), EBISSYS PTY LTD (Australia), and AL APM Trading FZC (UAE). Together we are the data controller for marketing-website visitors and the data processor for AI Studio customer data — the distinction matters and is set out in our Data Processing Addendum (DPA).

We do not currently have an EU or UK establishment. EU/UK residents may contact privacy@phivate.com for any GDPR or UK GDPR matter; we will appoint an EU/UK Article 27 representative when required by data volume or processing scope.

2. What we collect

Account data. Name, email, organisation, region, billing address, role.

Brand intelligence inputs. Anything you upload while configuring brand DNA — positioning notes, voice samples, audience research, regional preferences, visual references.

Generated outputs. Strategy documents, content drafts, calendars, and analyses produced by AI Studio on your behalf.

Usage data. Module activity, credit consumption, log timestamps, IP, device and browser metadata, error traces.

Communications. Anything you send us via email, the contact form, or scheduled calls.

3. Why we collect it

To deliver AI Studio, support your team, bill correctly, secure the platform against abuse, debug issues, and improve the product. We do not collect personal data we do not need.

We use your browser’s reported timezone to render local context in our site footer (your city, local time, current weather, and a regional note). We do not store this information.

4. Lawful basis

Contract performance for service delivery and billing. Legitimate interest for security and fraud prevention. Consent for marketing emails and the Transmission newsletter — one-click unsubscribe always.

5. How long we keep it

Account data for the life of the account plus 90 days. Brand intelligence inputs and generated outputs for the life of the account plus 30 days, then permanently deleted unless you have already exported them. Billing records retained for seven years per regulatory requirements. Logs retained for 90 days unless an active investigation requires longer.

6. Who we share with

Sub-processors who power infrastructure, model inference, payments, and transactional email. The current list is in the DPA, Section 6. We do not share personal data with advertisers, data brokers, or any third party for their own marketing.

7. Sub-processors

See the DPA for the current sub-processor list, the purpose of each, and the region they operate from. We give thirty days’ notice of any addition or replacement.

8. International transfers

Data may be processed in the United States, European Union, Australia, UAE, or Sri Lanka depending on the sub-processor. Where required, we use Standard Contractual Clauses, adequacy decisions, or equivalent safeguards under the laws of each jurisdiction.

9. Your rights

Access, correction, deletion, portability, objection, restriction, and withdrawal of consent — available to every individual whose data we hold, regardless of residency. Email privacy@phivate.com to exercise any of them; we respond within thirty days.

We do not sell your data, never have, never will.

Residents of jurisdictions with specific statutory privacy rights (EU/UK GDPR, California CCPA/CPRA, and other US state privacy laws including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and Utah UCPA) have additional rights detailed in Sections 10 and 11 below. We honour verifiable requests under any applicable law.

10. Rights for EU and UK residents (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland at the time of data collection, you have the following rights under the GDPR and UK GDPR in addition to those in Section 9:

  • Right of access (Article 15) — confirm whether we process your data and obtain a copy.
  • Right to rectification (Article 16) — correct inaccurate data.
  • Right to erasure (Article 17) — request deletion in specified circumstances.
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20) — receive your data in a structured, machine-readable format.
  • Right to object (Article 21) — including direct marketing.
  • Right not to be subject to solely automated decision-making (Article 22).
  • Right to lodge a complaint with a supervisory authority — in the EU member state of your residence, in the UK with the Information Commissioner’s Office (ICO), or with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland.

To exercise any GDPR right write to privacy@phivate.com. We respond within 30 days. Our lawful bases for processing under Article 6 are: contract performance for service delivery, legitimate interests for security, and consent for marketing communications.

11. Rights for California residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

  • Right to know what personal information we collect, the sources, the purposes, and any third-party sharing.
  • Right to delete personal information we have collected.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of personal information. PhiVate does not sell personal information and has not done so in the preceding 12 months.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of these rights.

Categories of personal information collected, disclosed for business purposes, and (where applicable) sold or shared in the preceding 12 months are listed in our sub-processor table in the Data Processing Agreement at /dpa. We do not sell or share personal information.

To exercise any CCPA right, write to privacy@phivate.com.

12. Cookies and tracking

We use a single strictly necessary cookie (session) for authentication. We do not use analytics, advertising cookies, tracking pixels, third-party trackers, or fingerprinting. EU and UK visitors are not shown a cookie banner because no consent is required for a strictly necessary cookie under the GDPR Article 5(3) ePrivacy exemption.

13. Children’s privacy

AI Studio is a B2B tool for marketing professionals. We do not knowingly collect personal data from anyone under 16. If you believe we have, write to privacy@phivate.com and we will delete it.

14. Changes & contact

We will post material changes here and email account holders at least thirty days before they take effect. Questions, requests, or complaints — privacy@phivate.com.

— Free download

The PhiVate Brand Strategy Playbook.

The methodology we use with every premium client. Positioning, voice, audience, regional calibration — the full framework. Free PDF.

No newsletter, no spam. A PhiVate strategist may reach out once about your brand.