Privacy Policy
1. Introduction
MyDirector AI Inc. ("MyDirector AI," "we," "us," or "our") operates the web application at app.mydirector.ai and the website at mydirector.ai (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
2. Data Controller
MyDirector AI Inc.
Contact: hello@mydirector.ai
For any privacy-related inquiries, data access requests, or concerns, please email us at the address above.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Email address — for authentication and communication
- Password — stored as a cryptographic hash (we never store or see your plain-text password)
- Full name — optional, for personalization
- Bio — optional, user-provided description
3.2 Onboarding Data
During the onboarding process, we collect:
- Audio recording — a voice recording of your answers to onboarding questions (MP3 format, max 50MB)
- Transcript — an AI-generated text transcription of your audio recording
3.3 AI Interview Session Data
When you participate in AI interview sessions, we collect:
- Video recording — a recording of your interview session (MP4 format)
- Audio stream — real-time audio transmitted during the session
- Transcript — AI-generated text transcription of the conversation
- Session metadata — duration, date, status, and end reason
- Content hooks — AI-detected viral content patterns from your conversation
- Conversation memory — key insights and topics from your sessions, stored for context in future sessions
3.4 Instagram Data
If you connect your Instagram account, we collect:
- Instagram access token — encrypted at rest using AES-256-GCM encryption
- Instagram user ID and profile URL
- Public profile metrics — follower count, following count, post count, and growth trends
- Competitor/inspiration accounts — Instagram handles you choose to track
We do NOT access your Instagram DMs, stories, or post content. We only access public profile metrics via the official Instagram Graph API.
3.5 Research Data
When you trigger content research, we generate and store:
- Research summaries — viral topics, key insights, and strategic questions derived from analyzing public competitor content
- Research PDFs — generated research reports
- Vector embeddings — numerical representations of research content for AI-powered search
3.6 User-Generated Content
Notes — content ideas and notes you create within the app (max 2,000 characters each)
3.7 Payment Information (Stripe)
When you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We do NOT store your credit card number, CVV, or full payment details on our servers. Stripe may provide us with:
- Last four digits of your card
- Card brand and expiration date
- Billing address
- Transaction history and subscription status
For Stripe's own privacy practices, see: https://stripe.com/privacy
3.8 Automatically Collected Data
- IP address — collected only during email verification attempts and account deletion, for security purposes
- User agent — browser/device information, collected only for security logging
- Authentication cookies — functional session cookies required for login (not used for tracking)
3.9 What We Do NOT Collect
- We do NOT use Google Analytics or any third-party analytics/tracking service
- We do NOT use tracking pixels, fingerprinting, or behavioral analytics
- We do NOT place advertising or marketing cookies
- We do NOT sell or share your data with advertisers
4. How We Use Your Information
We use your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service (interviews, research, recordings) | Contract performance |
| Account authentication and security | Contract performance / Legitimate interest |
| Generating AI-powered content insights | Contract performance |
| Storing conversation context for personalized sessions | Consent (you initiate each session) |
| Processing payments | Contract performance |
| Sending transactional emails (verification, export ready) | Contract performance |
| Preventing abuse and enforcing rate limits | Legitimate interest |
| Security logging (IP, user agent on sensitive actions) | Legitimate interest |
We do NOT use your data to train AI models. Your conversation data is stored in a memory service (Mem0) solely to provide context for your own future sessions — it is never used for model training, fine-tuning, or shared with other users.
5. Third-Party Service Providers
We share your data with the following processors, solely to operate the Service:
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Supabase | All account data, files | Database, authentication, file storage | Cloud (AWS) |
| Vercel | Request/response data | Application hosting and delivery | Cloud (Global CDN) |
| LiveKit Cloud | Audio/video streams, user ID | Real-time interview sessions | Cloud |
| OpenAI | Audio stream, conversation context | AI interview processing (real-time model) | Cloud (US) |
| Google (Gemini) | Research data | AI content analysis in research workflows | Cloud (US) |
| Anthropic | Research data | AI content analysis in research workflows | Cloud (US) |
| Mem0 | Interview insights, topics, hooks | Conversation memory for session continuity | Cloud |
| Stripe | Payment and billing data | Payment processing | Cloud (US) |
| Meta/Instagram | Access token | Fetching your public Instagram metrics | Meta servers |
| Hostinger | User ID, audio files (onboarding) | Self-hosted automation workflows (N8N) | Cloud (EU) |
All processors are bound by data processing agreements and handle your data in accordance with their respective privacy policies.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (profile, email) | Until you delete your account |
| Interview recordings (video) | Until account deletion + 90 days, then permanently deleted |
| Onboarding recordings (audio) | Until account deletion, then immediately deleted |
| Research PDFs | Until account deletion, then immediately deleted |
| Interview transcripts | Until account deletion |
| Conversation memory (Mem0) | Until account deletion |
| Instagram tokens | Until you disconnect Instagram or delete your account |
| Instagram analytics | Until account deletion |
| Security logs (IP, user agent) | Retained for security audit purposes |
| Payment records (Stripe) | Per Stripe's retention policy and legal requirements |
Post-Deletion Retention: When you delete your account, interview video recordings are retained for 90 days (to allow for recovery if deletion was accidental), then permanently purged. All other data is deleted immediately upon account deletion. A daily automated cleanup process ensures scheduled deletions are executed on time.
7. Your Rights
For All Users
You have the right to:
- Access your data — request a copy of all personal data we hold about you
- Export your data — use the in-app "Export My Data" feature to download your data (profile, recordings, transcripts, research) as a downloadable package
- Delete your account — use the in-app "Delete Account" feature to permanently remove your data (requires re-authentication for security)
- Rectify your data — update your profile information at any time within the app
- Disconnect third-party accounts — revoke Instagram access at any time
Additional Rights for EU/EEA Residents (GDPR)
If you are located in the European Union or European Economic Area, you also have the right to:
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent at any time (without affecting the lawfulness of prior processing)
- Lodge a complaint with your local Data Protection Authority
Additional Rights for California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt-out of sale — we do NOT sell your personal information to third parties
- Non-discrimination — we will not discriminate against you for exercising your rights
To exercise any of these rights, email us at: hello@mydirector.ai
8. Data Security
We implement the following security measures to protect your data:
- Encryption at rest for sensitive tokens (AES-256-GCM)
- Row-Level Security ensuring users can only access their own data
- Distributed rate limiting to prevent abuse
- Constant-time secret comparisons to prevent timing attacks
- CSRF/origin validation on all state-changing requests
- HTTPS enforcement across all services
- Fail-closed access control (deny on error)
- Regular security audits and vulnerability assessments
For more details about our security practices, visit our Security page.
9. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) where applicable
- Data Processing Agreements with all third-party processors
- Encryption in transit and at rest
10. Cookies
We use only essential functional cookies required for authentication and session management. We do NOT use:
- Analytics cookies
- Advertising cookies
- Third-party tracking cookies
- Social media cookies
Because we only use strictly necessary cookies, no cookie consent banner is required under ePrivacy regulations. However, we disclose their use here for full transparency.
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth session | Maintains your login session | Session / 7 days |
| CSRF token | Protects email verification from cross-site attacks | Session |
11. Age Requirement
The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal data from individuals under 18. If we learn that we have collected data from a user under 18, we will delete their account and data promptly. If you believe a minor has provided us with personal data, please contact us at hello@mydirector.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered users via email for significant changes
- Post a notice on the Service
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
MyDirector AI Inc.
Email: hello@mydirector.ai
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us using the information above.