Privacy Policy

1. Overview

CMO Theory Inc. (“CMO Theory”, “we”, “us”, or “our”) operates the CMO Suite platform. This Privacy Policy explains what personal data we collect when you use CMO Suite, how we use it, who we share it with, and your rights regarding that data.

By creating an account or using CMO Suite you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account and profile data

• Email address and hashed password when you register.
• Workspace name and any optional profile information you provide.
• Billing name and address collected by our payment processor (Stripe) during checkout.

Content you create

• Product information and images you upload (used to generate ad creatives on your behalf).
• Brand kit data: colors, fonts, tone-of-voice descriptions, and logo files.
• Customer avatars, creative angles, hooks, and layout templates you define.
• AI-generated images and text-overlay renders stored in your library.

Connected account data

• When you connect a Meta Ads account, we receive and store an OAuth access token scoped to ad management on your behalf. We do not receive or store your Meta password.
• We retrieve campaign and ad-set names from the Meta Marketing API solely to populate selection dropdowns in the publish workflow.

Usage and technical data

• Pages visited, features used, and generation counts for product analytics.
• IP address, browser type, and device information collected automatically.
• Server logs and error traces used for debugging and stability monitoring.

3. How We Use Your Information

• To create and operate your account and workspace.
• To generate ad creatives by passing your brief data to third-party AI models (Anthropic and Google). Only the minimum information necessary for the generation task is sent.
• To publish ad creatives to your Meta Ads account when you explicitly trigger a publish action.
• To process payments via Stripe and send billing receipts.
• To send transactional emails (account confirmation, password reset, billing notifications). We do not send marketing emails without your consent.
• To monitor platform health, investigate errors, and prevent abuse.
• To improve CMO Suite through aggregated, de-identified usage analytics.

We do not sell your personal data. We do not use your creative assets, brand data, or workspace content to train AI models.

4. Third-Party Services

CMO Suite relies on the following sub-processors. Each operates under its own privacy policy and data processing terms.

5. Meta Platform Data

CMO Suite integrates with the Meta Marketing API under Meta’s Platform Terms and Developer Policies. Our use of Meta data is limited to:

• Permissions requested: ads_management, ads_read, pages_show_list, pages_read_engagement.
• Your OAuth token is encrypted at rest and used only to perform actions you explicitly initiate within CMO Suite.
• We do not read, modify, pause, archive, or delete any existing Meta ads, campaigns, or ad sets without your explicit instruction.
• Campaign and ad-set names fetched from Meta are displayed only within your workspace and are not shared with other users or third parties.
• You can revoke CMO Suite’s access at any time from Meta Business Settings → Integrations → Connected Apps. We will also delete your token immediately upon disconnecting from the Settings page within CMO Suite.

6. AI-Generated Content

When you trigger a generation, your brief data (product details, avatar, angle, brand kit) is transmitted to Anthropic and/or Google for processing. Neither provider uses your prompts or outputs to train their models under our current enterprise agreements. Generated content is stored in your workspace on Cloudflare R2 and is not visible to other users.

7. Data Storage and Security

• Workspace data is stored in a Supabase PostgreSQL database hosted in the United States. Row-level security policies ensure each workspace can only access its own records.
• Images and generated assets are stored in Cloudflare R2 with per-workspace access controls.
• All data is transmitted over HTTPS/TLS. Tokens are encrypted at rest.
• We implement access controls, audit logging, and regular security reviews. No system is perfectly secure; we will notify affected users of any confirmed data breach without undue delay.

8. Data Retention

Your data is retained for as long as your account is active. If you delete your account we will delete your personal data and workspace content within 30 days, except where retention is required by applicable law or for legitimate business purposes (e.g. fraud prevention, tax records). Connected third-party tokens are deleted immediately upon disconnection or account deletion.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the right to access, correct, port, restrict processing of, or delete your personal data. You may also have the right to object to certain processing or withdraw consent where processing is based on consent.

To exercise any of these rights, email us at hello@cmotheory.com. We will respond within 30 days. We may need to verify your identity before processing your request.

10. Cookies

CMO Suite uses strictly necessary cookies to maintain your authenticated session. We do not use advertising cookies or third-party tracking pixels. Session cookies are stored in httpOnly cookies and are not accessible to JavaScript.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or by a notice within the platform at least 14 days before they take effect. Continued use of CMO Suite after the effective date constitutes acceptance of the updated policy.

12. Contact

Questions, requests, or concerns about this policy should be directed to: