Privacy Policy

Effective Date: July 14, 2026

abda AI, Inc. ("abda," "we", "us" or "our") is a privacy-first virtual persona app that captures user data from different sources and allows the user to sync with AI agents for hyper-personalization and contextual alignment under user control ("abda.ai"). Our mission is to make your data work for you, while prioritizing the privacy and security of it. We are committed to ensuring compliance with applicable privacy laws in the United States (including all applicable state privacy statutes), Canada, European Economic Area, United Kingdom, and Switzerland.

This Privacy Policy ("Policy"), available online at https://www.abda.ai/privacy, outlines how abda collects, uses, shares, and otherwise processes personal information from users, including visitors ("User," "you," or "your") of our website, app, and services (collectively, our "Services"). By using our Services, you acknowledge this Policy; our legal basis for processing may include contract performance, legitimate interests, or legal obligations, as set out in Section 3. This Policy incorporates our Terms of Service. If you do not agree with the terms of this Policy, please discontinue your use of our Services.

1. Personal Data

For purposes of this Policy, "personal data" (also called "personal information" under the California Consumer Privacy Act/Privacy Rights Act and similar U.S. state laws) means any information that relates to an identified or identifiable natural person or is reasonably capable of being linked to a particular consumer or household, as set out in the EU GDPR, UK GDPR, Canada's PIPEDA, the revised Swiss Federal Act on Data Protection, and all applicable U.S. federal or state privacy statutes. Personal data may include, for example, your name, business email address, date of birth, demographic information (such as gender, ZIP code, employment status, education level, household income range, relationship status, and — if you choose to provide it — your race and Hispanic or Latino origin), postal address, telephone number, username, unique device or browser identifiers, Internet-protocol (IP) address, authentication tokens, advertising click identifiers (such as the Google Click ID (gclid), and gbraid/wbraid for clicks originating in a mobile app), web-analytics identifiers (such as Google Analytics client and session IDs), usage and telemetry logs, or other information generated through your use of our Services. Personal data also includes biometric, genetic, and special category data as defined under GDPR and international equivalents. Operational metrics and telemetry that abda collects and processes for security, billing, analytics, and product-improvement purposes (collectively, "Service Data") are processed by abda in its role as a data controller, as described in Section 8.

Service Data does not include user-submitted content or data intentionally stored within Personas, and it is handled separately from such user-controlled data.

abda does not require users to provide biometric identifiers or other special-category data. Some optional features may process health-related information (e.g., allergies) or location data only if you choose to use those features. We minimize collection, limit processing to the requested purpose, and provide controls to delete this data.

This definition will be interpreted to include any equivalent term under other privacy laws that come into force during the life of this Policy.

2. Collection and Use of Information

Information You Provide Directly

When you create an account, purchase a subscription, open a support ticket, or otherwise use our Services, you may supply personal data such as your name, business-email address, phone number, payment information (processed via Stripe; see Stripe's privacy policy at stripe.com/privacy for details on how they handle your card details and transaction data). For usage-based services like abda Companion, we collect and process Usage Data (e.g., API calls, storage usage, prompt volumes) to meter consumption against your Credits (prepaid balances). These Credits are tracked in separate balances per service, with metering reliant on Stripe and third-party providers. We do not store full payment card details; Stripe serves as the source of truth for billing records, which may include anonymized usage metrics shared with us for invoicing, and topic artefacts (for example, natural-language prompts). These artifacts are used only to serve your virtual persona and, once anonymized or aggregated, to improve our models; they are never used to train general-purpose AI models that benefit other customers without your permission.

Date of Birth (Age Eligibility)

When you create an account, we ask for your date of birth to confirm you meet the eligibility requirements for our Services (at least 18 years old, or the age of majority in your jurisdiction). We use your date of birth solely to verify eligibility and to comply with age floors imposed by our reward-processing and offer partners. Your date of birth is stored encrypted at rest using AES-256-GCM and is retained for the life of your account; if you close your account, it is deleted with the rest of your account data. We do not share your date of birth with third parties, do not use it for advertising, and do not include it in analytics events.

Survey Eligibility Profile (Demographic Information)

If you choose to take paid surveys through our rewards program, we first ask you to complete a short survey-eligibility profile. This profile collects demographic information: your gender, ZIP code, employment status, education level, household income range, and relationship status, and optionally your race and whether you are of Hispanic or Latino origin (you may select "prefer not to say" on any question). We use this information to match you with surveys you are more likely to qualify for, to reduce the number of surveys that screen you out partway through, and to understand our user base in aggregate.

Your profile answers are stored encrypted at rest using AES-256-GCM. We use them only to match you with surveys and to understand our user base in aggregate; we never share your race or Hispanic-origin information with any third party, and we do not sell your demographic information or use it for advertising. Completing the profile is required only if you want to take surveys; the rest of our Services, including other reward offers, do not require it. Your profile is retained for the life of your account, is included when you export your data, and is deleted when your account is closed.

Information Collected Automatically

When you interact with the Services, we automatically collect technical data such as IP address, browser type, operating system, device identifiers, pages visited, timestamps, and error logs. Certain operational metrics and telemetry ("Service Data") are processed by abda as an independent controller for security, billing, analytics, and product-improvement purposes (see Section 10).

Billing and Metering Data

Telemetry on service usage (e.g., abda Companion requests) is collected to generate monthly invoices showing consumption by service. This data is anonymized where possible and shared with Stripe for payment processing and revenue recognition.

Usage and Analytics Data

We record how you engage with key features (e.g., prompts submitted). If you authorize a third-party integration, abda accesses only the minimum data required to provide that integration and processes it under the same terms as other Customer Personal Data.

Email Analytics and Engagement Tracking

When we send you emails — including account and transactional messages as well as any product or marketing emails you have chosen to receive — we use tracking technologies to understand whether our emails are delivered, opened, and acted upon. Our emails may contain a small, invisible tracking pixel that records when the email is opened and the approximate time, and links in our emails may be encoded so that we can tell when they are clicked before forwarding you to the destination page. We use this information, primarily on an aggregated basis, to measure deliverability and engagement (for example, overall open and click-through rates, bounces, and unsubscribe rates), to diagnose delivery problems, and to improve the relevance and timing of our communications. This tracking is performed with the help of our email delivery provider, Brevo (Sendinblue), which acts as our sub-processor (see Section 5), and, for certain in-product campaigns, through open- and click-tracking endpoints operated by abda. Email-open detection is inherently approximate — some mail clients pre-load or block images, which can under- or over-count opens — and we do not use it to build advertising profiles or to make decisions that produce legal or similarly significant effects about you.

In the EEA, United Kingdom, and Switzerland we rely on your consent for marketing emails and their associated tracking; in the United States this measurement operates on the basis of our legitimate interests and on an opt-out basis. You can limit email tracking at any time by configuring your mail client not to load remote images, and you can stop receiving marketing emails (and their engagement tracking) by using the "unsubscribe" link in any such email or your account settings, as described in Section 13. Transactional and service messages necessary to operate your account are not subject to the marketing unsubscribe. We retain email engagement data as described in Section 11.

Advertising and Attribution Data

If you arrive at our Services from an online advertisement, we collect advertising-attribution data: the ad-click identifier supplied by the advertising platform (for Google ads, the gclid, or gbraid/wbraid for clicks that originate in a mobile app), web-analytics identifiers (such as Google Analytics client and session IDs), and campaign parameters (UTM source, medium, and campaign). We store this data associated with your account so that, when your activity later results in a measurable conversion, we can report that conversion — together with a coarse measure of its value — to the advertising platform (currently Google Ads) to measure and optimize our advertising. To improve the accuracy of this measurement, when you create an account we also provide Google with a securely hashed (SHA-256) version of your email address (a feature Google calls "enhanced conversions"). Your email is hashed in your browser before it is transmitted, so Google receives only the irreversible hash and never your actual email address, and it is used solely to match your sign-up to a prior ad interaction. We do not share your name or financial data for this purpose, and we share these account-stored identifiers and the hashed email address with Google and Microsoft Advertising. (Our cookie-based conversion tags also measure conversions for both — see Section 9 and our Cookie Policy.) This processing requires your consent in the EEA, United Kingdom, and Switzerland, and is subject to your right to opt out (including via Global Privacy Control) in the United States, as described in Sections 9 and 15. We retain advertising-attribution data for no longer than ninety (90) days (Section 11).

Financial Data

If you connect a financial account through our integration with Plaid Inc. ("Plaid"), we collect bank account metadata (such as institution name, account type, and masked account number) and transaction history. This data is used solely to provide the financial features you requested and is encrypted at rest using AES-256-GCM. You may disconnect your financial account at any time, which immediately revokes access and deletes the associated data. Plaid's own privacy policy (available at plaid.com/legal) governs how Plaid collects and processes your data before transmitting it to abda.

Rewards Payouts

If you earn rewards and request a cash payout, we collect the payout destination you provide — a PayPal email address, a Venmo handle or U.S. mobile phone number, or, for a bank transfer, your bank account number, routing number, and account-holder name — so that we can send your payment. These payout details are encrypted at rest using AES-256-GCM. For PayPal and Venmo payouts we disclose the relevant details only to our payout processors, PayPal, Inc. and Venmo (a PayPal service), solely to deliver the payment you requested; bank-transfer payouts are sent through our own banking provider. We do not sell or share these details for advertising, and we do not disclose them to any other third party except as required to process your payout or comply with law.

Gift Card and Charity Redemptions

Instead of a cash payout, you may choose to redeem earned rewards for a gift card (for example, Amazon, adidas, or Airbnb) or a donation to a participating charity. To create and deliver the reward you selected, we use a third-party rewards-fulfillment provider, Tremendous, LLC ("Tremendous"). When you submit a gift-card or charity redemption, we share with Tremendous the information needed to issue and deliver that reward — the recipient email address (your account email unless you provide another), the recipient name (if one is on your account), the reward amount, and the gift-card brand or charity you chose. You then claim your reward through a page hosted by Tremendous, and for charity redemptions Tremendous routes your donation to the charity or its charitable-giving partner. Tremendous processes this data as our service provider, solely to fulfill the reward; its handling of your information is also governed by its own privacy policy (available at tremendous.com/privacy). We do not sell or share this information for advertising, and we do not disclose it to any other third party except as required to fulfill your reward or comply with law.

Children's Data

abda's Services are not intended for individuals under the age of eighteen (18), and we do not knowingly collect or solicit personal data from anyone under this age. By using our Services, you represent that you are at least 18 years old or the age of majority in your jurisdiction. If we discover that we have collected personal data from a minor without verifiable parental consent, we will promptly delete that information. If you believe we may have collected such data, please contact us at privacy@abda.ai.

To enforce this age requirement, we ask applicants to enter their date of birth during signup through a neutral month-day-year form. If the date entered indicates the applicant is under 18, we block account creation. If we later learn that we hold personal data from a user under 13, we will delete it promptly consistent with the Children's Online Privacy Protection Act (COPPA).

We process this information on the legal basis of contract performance, legitimate interests, compliance with legal obligations, and your consent, for the following purposes:

  • to provide, operate, and maintain the Services,
  • to personalize your experience and tune AI-driven features for your virtual persona,
  • to analyze usage patterns and improve performance, functionality, and reliability,
  • to detect, prevent, and investigate fraud, abuse, or security incidents,
  • to deliver product updates and measure the effectiveness of our own marketing,
  • to measure, attribute, and optimize our advertising campaigns, including reporting conversions and a coarse value to advertising platforms such as Google Ads and Microsoft Advertising (see Sections 4, 9, and 15),
  • to communicate with you and provide customer support, as permitted by your account settings;
  • to process payments and other transactions you authorize,
  • to comply with legal, regulatory, export-control, and sanctions obligations in the jurisdictions where we operate,
  • to meet record-keeping, accounting, and audit requirements.

abda does not engage in automated decision-making that produces legal or similarly significant effects on individuals (GDPR Art 22). We collect only the personal data necessary for these purposes and retain it in line with the schedule in Section 11. You can exercise your opt-out or objection rights to certain processing activities as described in Section 9 ("Your Privacy Choices").

3. Legal Bases for Processing Your Data

abda processes personal data only where a valid legal ground applies under each privacy regime that governs our Services.

Applicable privacy frameworks

  • United States: CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), UCPA (Utah), CTDPA (Connecticut), and any other U.S. state privacy laws in force during your use of the Services.
  • International: GDPR (EEA), UK GDPR, and the revised Swiss Federal Act on Data Protection (rev-FADP) for residents of the EEA, United Kingdom, or Switzerland.
  • Canada - Personal Information Protection and Electronic Documents Act (PIPEDA).

Legal bases we rely on

  • Performance of a Contract: We process your data to provide, maintain, and support the Services you have requested under our Terms of Service or other agreement with you.
  • Legitimate Interests: We use personal data to secure the platform, detect fraud, generate aggregate analytics, and improve AI features where these interests are not outweighed by your privacy rights.
  • Consent: We rely on your opt-in consent for non-essential cookies, marketing e-mails, and any other processing that requires consent under applicable law. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal Obligations: We retain and disclose information as necessary to comply with bookkeeping rules, export-control and sanctions regulations, court orders, or other legal duties.
  • Protection of Vital Interests:In rare cases, we may process data to protect an individual's vital interests, such as preventing serious harm or responding to an emergency.

4. Purposes of Use and Processing

We use personal information for the following business and commercial purposes:

  • Service Delivery and Support: Providing and maintaining our AI-driven app, including Persona Builder and Companion.
  • Service Integrity: Ensuring the security and integrity of our Services, including preventing fraud or unauthorized access.
  • Service Improvement and Research: Analyzing usage data and prompts to refine algorithms, enhance AI performance, and develop new features; where feasible, such analysis is performed on de-identified or aggregated data.
  • Personalization: Tailoring our Services to your preferences, such as optimizing Persona Builder based on your prompts.
  • Product Updates and Limited Marketing: Sending product announcements, event invitations, and other communications you have opted to receive, and measuring their effectiveness. For promotional credits (e.g., free Companion access), we may use your email and usage data to communicate offers. These are non-transferable and revocable; opt out of marketing via account settings.
  • Advertising Measurement and Attribution:Measuring the effectiveness of our advertising by reporting conversions and a coarse measure of their value to advertising platforms (currently Google Ads and Microsoft Advertising) and optimizing campaign bidding (return on ad spend). This involves disclosing advertising click identifiers for cross-context behavioral advertising, which constitutes a "share" under certain U.S. state privacy laws; you may opt out as described in Sections 9 and 15.
  • Business Continuity and Security: Safeguarding our business operations and proprietary data.
  • Legal and Regulatory Compliance: Complying with export-control and sanctions regulations, court orders, and privacy laws in the United States, European Economic Area, United Kingdom, Switzerland, Canada, and other applicable jurisdictions.
  • Auditing, Accounting, and Corporate Governance: Conducting audits, reporting, and corporate governance to ensure compliance and efficiency.
  • Dispute Resolution and Legal Defense: Meeting legal and regulatory obligations in the United States, Canada, and other jurisdictions.

5. Data Processing and Sub-Processors

abda processes personal information as a data controller (or "business" under certain U.S. state privacy laws) to provide and operate the Services described in this Privacy Policy. We engage third-party sub-processors to support our Services, such as:

  • Hosting and maintaining our app, website, and databases.
  • Processing payments through secure third-party payment processors.
  • Providing technical support, customer service, and analytics.
  • Storing and securing data, including integrations with Supabase and GitHub.
  • Aggregating financial account data through Plaid Inc. to provide account linking and transaction features.
  • Operating the rewards offerwall through a third-party offerwall provider. When you engage with an offer, we provide the provider with an opaque account identifier so it can confirm offer completion and we can credit the corresponding reward to your account. When we request the offers and surveys available to you, we also transmit your IP address and device information (a user-agent string describing your device model, operating system, and browser) to the provider so it can determine which offers and surveys are available for your region and device and to help detect fraud. We do not disclose your name, email address, or financial data to this provider.
  • Fulfilling gift-card and charity redemptions through our rewards-fulfillment provider, Tremendous, LLC. When you redeem rewards for a gift card or charitable donation, we share the recipient email address, recipient name (if any), reward amount, and selected brand or charity with Tremendous so it can issue and deliver the reward. We do not disclose this information for advertising.
  • Sending transactional and marketing emails and measuring their delivery and engagement (opens and clicks) through our email service provider, Brevo (Sendinblue). We provide Brevo with your email address and the message content so it can deliver our emails on our behalf; we do not authorize Brevo to use your information for its own purposes.
  • Measuring advertising conversions and optimizing campaigns through Google Ads (Google LLC). We disclose advertising click identifiers, a hashed (SHA-256) version of your email address, and a coarse conversion value to Google for this purpose; depending on your state of residence, this constitutes a "share" for cross-context behavioral advertising (see Sections 9 and 15).
  • Measuring advertising conversions and optimizing campaigns through Microsoft Advertising (Microsoft Corporation). When you interact with our Services after arriving from a Microsoft/Bing advertisement, its Universal Event Tracking (UET) tag may set cookies and disclose an advertising click identifier and a coarse conversion value to Microsoft. We also match conversions offline: we store the Microsoft advertising click identifier and, to improve accuracy, provide Microsoft with a hashed (SHA-256) version of your email address (enhanced conversions), the same way we do for Google. Depending on your state of residence, this constitutes a "share" for cross-context behavioral advertising (see Sections 9 and 15).

All sub-processors are bound by contractual obligations, ensuring compliance with applicable data protection laws. The current list of authorized sub-processors is always available at https://abda.ai/trust and includes the sub-processor's name, location, and processing purpose (e.g., Stripe for billing, Supabase for cloud hosting).

6. International Data Transfers

For customers in the EEA, UK, or Switzerland, we may transfer personal information to the United States or other jurisdictions whose privacy laws have not been deemed "adequate" by European or Swiss authorities.

7. Investigations

abda may investigate and disclose information, as permitted by law, if we believe in good faith that such action is:

  • Necessary to comply with a valid legal process or governmental request (e.g., subpoena, court order, or law-enforcement demand) and, unless legally prohibited, abda will notify the affected customer before producing data, consistent with our SCC and DPA obligations.
  • Helpful to prevent, investigate, or identify fraud, security incidents, or other wrongdoing in connection with our Services.
  • Necessary to protect our rights, reputation, property, or those of our users, affiliates, or the public.

Disclosures will comply with applicable privacy laws and be limited to what is necessary.

8. Log Data

When you use our Services, abda automatically collects operational telemetry ("Log Data") that helps us secure and improve the platform. Log Data may include:

  • Your device's IP address and approximate location
  • Browser type and version.
  • Pages, APIs, or features you access within the Services.
  • Timestamps and time spent on specific screens or functions.
  • Unique session or device identifiers and error/debugging codes.
  • Other usage statistics.

Log data is retained for up to ninety (90) days, unless required by law, to monitor performance, troubleshoot issues, and improve user experience.

9. Cookies and Other Tracking

abda and selected third-party partners use cookies, pixels, and similar technologies ("Cookies") to operate, secure, and analyze our Services. We deploy four types of Cookies:

  • Strictly Necessary Cookies support core functions such as sign-in, session routing, fraud prevention, and consent storage. These are set on the basis of legitimate interests / contract performance and do not require consent.
  • Analytics & Performance Cookiesmeasure feature adoption, diagnose errors, track user interactions, and improve service performance. We use first-party and third-party analytics providers for these purposes. Some of these providers additionally provide session replay and heatmaps, recording interactions such as mouse movement, scrolling, and clicks — with the content you enter into form fields masked, and, in our application, on-screen text masked as well — to help us diagnose usability issues. In the United States these analytics and session-replay technologies are enabled by default on an opt-out basis, and we honor CPRA "opt-out" signals (e.g., Global Privacy Control); in the EEA/UK/CH we load them only with your prior consent.
  • Some browsers offer a "Do Not Track" ("DNT") setting. Because there is no common industry standard for interpreting DNT signals, our Services do not currently respond to DNT signals.
  • Functional Cookiesremember your preferences (language, theme, layout) and are configurable in the in-product "Cookie Settings" panel.
  • Marketing Cookies enable conversion tracking and campaign measurement through Google Ads and Microsoft Advertising (Bing UET). These cookies require consent in the EEA/UK/CH and respect opt-out preferences (including Global Privacy Control) in the United States and other jurisdictions.

Advertising conversion measurement (including server-side).Separately from cookies, when you reach our Services from a Google advertisement we store the Google ad-click identifier (gclid, or gbraid/wbraid for clicks that originate in a mobile app) together with web-analytics identifiers, and — when your activity later results in a conversion — transmit that identifier and a coarse measure of the value of your activity to Google Ads so that Google can attribute the conversion and optimize our advertising. This transmission occurs on our servers and does not rely on cookies; disabling cookies does not stop it. This sharing of advertising identifiers constitutes a "share" for cross-context behavioral advertising under the California Consumer Privacy Act (as amended) and similar U.S. state privacy laws. We do not sell personal information for monetary consideration. In the United States you may opt out at any time by enabling Global Privacy Control (GPC) or through our Do Not Sell or Share My Personal Information page, and we honor these signals. In the EEA, United Kingdom, and Switzerland we store and transmit these identifiers only with your prior consent, which you may withdraw at any time. We retain these identifiers for no longer than ninety (90) days. This server-side transmission of stored identifiers is made to Google and to Microsoft Advertising (for Microsoft: an advertising click identifier, a hashed email address, and a coarse conversion value). Our cookie-based conversion tags, described above under Marketing Cookies, also measure conversions for both.

Tracking in emails.Separately from website cookies, the emails we send use similar technologies — an invisible tracking pixel and encoded links — to measure opens and clicks. This tracking, its purposes, and how to limit or opt out of it are described under "Email Analytics and Engagement Tracking" in Section 2. In the EEA, United Kingdom, and Switzerland we apply these technologies to marketing emails only with your prior consent; in the United States they operate on an opt-out basis, exercisable via the unsubscribe link or your account settings.

You can manage or withdraw your Cookie preferences at any time by (i) clicking the Cookie Preferences button in our Cookie Policy, (ii) changing your browser controls, or (iii) enabling an authorized browser signal such as the Global Privacy Control. Disabling non-essential Cookies will not affect core functionality but may limit analytics-based improvements. Cookie-derived identifiers are retained only for the period necessary to fulfil the purposes above and never longer than thirteen (13) months for analytics cookies after which they are deleted or irreversibly anonymized.

10. Information Security and Accuracy

abda is committed to protecting your personal information and maintaining its accuracy. We implement reasonable industry standard safeguards, including:

  • Data in Transit: All traffic between your browser or API client and our servers is protected with industry standard end-to-end encryption.
  • Data Storage: Database encryption with secure key management and pseudonymize or anonymize data, where feasible. Financial data received from third-party integrations (such as Plaid) is encrypted at rest using AES-256-GCM with per-value initialization vectors.
  • Access Controls: Role-based access, multi-factor authentication, and regular reviews to ensure only authorized staff can view your data.
  • System Resilience: Continuous backups with industry-standard recovery objectives designed to minimize downtime and data loss.
  • Your Role: Please keep your account credentials confidential, enable multi-factor authentication, and let us know if any of your information is incorrect so we can update it.

abda keeps a record of processing activities in line with GDPR Article 30(2) and performs regular risk assessments to adapt these measures as threats evolve. If you believe your account information is inaccurate, contact us as set out in Section 16 and we will correct it promptly. We implement reasonable security measures (e.g., encryption in transit/rest, access controls) to protect your personal data, but our Services rely on third-party providers like Supabase (for abda Cloud), OpenAI, Google, and OpenRouter (for AI Gateway). We cannot guarantee uninterrupted availability, security, or performance of these providers, and data interruptions, delays, or losses may occur due to their actions or events beyond our control (including force majeure). For abda Cloud, certain provisioned resources may not be immediately terminable via API; you remain responsible for any data hosted there until fully decommissioned. In cases of misuse or abuse (e.g., excessive data uploads causing cost spikes), you agree to indemnify us for related privacy or security claims arising from third-party provider interactions, as detailed in our Terms of Service. We use commercially reasonable efforts to notify you of material security incidents involving your data but disclaim liability for third-party failures.

11. Retention of Your Information

We retain personal information only as long as necessary to fulfill the purposes outlined in this Policy or as required by applicable law, including:

  • Providing and improving our Services.
  • Financial account data (including linked bank account metadata and transaction history) is retained for the duration of the linked account and deleted immediately upon disconnection or account deletion. Reward payout and redemption records (including gift-card and charity fulfillment records) are retained as long as necessary to process the reward and to meet our tax, accounting, and legal record-keeping obligations.
  • Date of birth (collected at signup for age-eligibility verification) is retained for the life of the account and deleted when the account is closed. It is not subject to any separate retention window beyond account lifetime.
  • Survey-eligibility profile answers (the demographic information collected if you opt into paid surveys) are retained for the life of the account and deleted when the account is closed. They are not subject to any separate retention window beyond account lifetime.
  • Complying with legal and regulatory obligations.
  • Resolving disputes or enforcing agreements. Customer data is retained for up to ninety (90) days, unless required by law, after which it is deleted or isolated. To cancel your account or request data deletion, contact us as outlined in Section 16. Upon account termination or expiration (including forfeiture of unused Credits as per the Terms), we will delete your Personal Data within 30 days, except for data required for fraud prevention, legal compliance, or legal defense purposes. Backups may retain data for up to 90 days. To request deletion, contact us at privacy@abda.ai; we comply with applicable laws (e.g., GDPR erasure rights). We retain Customer Data only as needed to provide the Services, with deletion available upon request (subject to backups and legal holds).
  • Advertising-attribution data — ad-click identifiers (gclid, gbraid, wbraid) and related web-analytics identifiers — is retained for no longer than ninety (90) days, consistent with the Google Ads offline-conversion import window, after which it is deleted. It is also deleted when you delete your account or opt out of advertising sharing.
  • Email engagement data — records of whether the emails we send you are opened or clicked — is retained only as long as necessary to measure deliverability and engagement and to improve our communications. Individual open and click events are retained for no longer than twelve (12) months, after which they are deleted or retained only as de-identified, aggregated statistics.

12. Links to Other Sites

Our Services may include links or integrations (for example, GitHub, Supabase, CI/CD tools, or payment providers) that are not controlled by abda. Your interactions with those third-party services are governed by their own privacy policies and terms. We encourage you to review those policies before providing personal data, as abda is not responsible for the privacy or security practices of external sites.

13. Notice and Communications

By using the Services, you consent to receive transactional or administrative electronic communications from abda — such as account alerts, security notifications, and billing messages. You may opt out of non-essential marketing e-mails at any time via the "unsubscribe" link or your account settings; this will not affect core service communications. To send formal privacy notices to abda, e-mail privacy@abda.ai or post to the address in Section 16. abda may provide legal or privacy notices to you via e-mail, in-product banners, or any other method allowed by law.

14. Governing Law & Venue

This Policy is governed by and construed in accordance with the laws of the State of Delaware, USA, without regard to its conflict-of-law principles. However, if you are located in a jurisdiction that grants you mandatory consumer protection or data protection rights under local law, those provisions will take precedence to the extent they conflict with this Policy. For residents of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, international data transfers are subject to the EU Standard Contractual Clauses governed by Irish law with the courts of Dublin as the chosen forum, the UK International Data Transfer Addendum governed by the laws of England and Wales with the courts of London as forum, and the Swiss Addendum governed by Swiss law with the FDPIC as the competent authority. Any other disputes arising under this Policy shall be exclusively resolved in the state or federal courts located in Newark, Delaware, unless otherwise required by applicable mandatory law. We disclaim warranties on data accuracy/security in AI outputs or third-party services.

No Professional Advice

Our Services provide AI-assisted tools that can generate summaries, but they are not a substitute for professional advice. You are responsible for reviewing, testing, and validating any output, and you assume all risk from relying on it.

Contact Details

If you have questions, concerns, or wish to exercise your privacy rights, please contact us:

Email: privacy@abda.ai

We aim to respond to verified data-subject requests within thirty (30) days, or longer where permitted under applicable law, in which case we will notify you of the delay and reason. If you believe your inquiry has not been satisfactorily resolved, you may lodge a complaint with your local supervisory authority, the Irish Data Protection Commission, the UK Information Commissioner's Office, or the Swiss FDPIC, as appropriate.

15. Residents of the United States, Canada, EEA, United Kingdom, and Switzerland

This section supplements the rest of the Policy and applies to individuals located in the United States—including California, Colorado, Connecticut, Virginia, Utah, Florida, Nebraska, and any other state with an active consumer-privacy statute, as well as Canada, the EEA, the United Kingdom, and Switzerland. abda collects the personal data categories below when you use the Services:

  • Identifiers such as name, e-mail, user ID, and IP address (city-level location only), and online advertising and analytics identifiers (such as Google ad-click IDs (gclid, gbraid, wbraid) and Google Analytics client/session IDs) when you arrive from an online advertisement.
  • Commercial information such as subscription tier and purchase history; full payment-card numbers are processed solely by our PCI-compliant provider and are never stored by abda.
  • Internet / network activity such as log-in events, feature usage, prompts submitted, telemetry, and email engagement events (opens and clicks on the emails we send you).
  • Financial data (via Plaid) such as bank account metadata, transaction history, and account balances, collected only when you explicitly connect a financial account; and reward payout details (a PayPal email address, a Venmo handle or U.S. phone number, or bank-transfer account details) that you provide when you request a cash payout of earned rewards, or the recipient email and name used to deliver a gift-card or charity reward.
  • Demographic information such as gender, ZIP code, employment status, education level, household income range, and relationship status, collected only if you choose to complete the survey-eligibility profile for paid surveys.
  • Inferences drawn to personalize the platform.
  • Sensitive/Health-Related Information.abda does not require sensitive personal information to provide the Services. However, the Persona Builder (including Topic Builder) may present questions that relate to health or wellness. You choose whether to answer these questions, and you control whether any responses are shared with third-party AI agents. If you choose to provide such information, it is provided voluntarily and will be processed and stored to deliver the features you select. The survey-eligibility profile also includes optional questions about your race and whether you are of Hispanic or Latino origin (racial or ethnic origin is a sensitive category under the GDPR and certain U.S. state laws); answering them is voluntary — "prefer not to say" is always available — and if you answer, your response is stored encrypted, is never shared with or sold to any third party, and is not used for advertising or automated decision-making. abda is not a healthcare provider, and the Services are not designed to process "Protected Health Information" under HIPAA; accordingly, abda is not HIPAA-compliant. Please do not submit Social Security Numbers, government ID numbers, precise geolocation, or other highly sensitive identifiers.

Depending on where you live, you may have some or all of the rights listed below (subject to legal limits). You can exercise them by e-mailing privacy@abda.ai; abda will verify your identity and respond within 30 days or the period required by your local law.

  • Right of Access/Portability: Request disclosure of personal information collected, used, or disclosed.
  • Right of Deletion: Request deletion of personal information, subject to exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Withdraw Consent: Withdraw consent for certain processing activities.
  • Opt-out of sales, sharing, or targeted advertising:You may opt out of the "sale" or "share" of your personal information for cross-context behavioral advertising. We share advertising click identifiers and a coarse measure of your activity's value with Google Ads and Microsoft Advertising to measure and optimize our advertising; this constitutes a "share" (and, under some state laws, "targeted advertising") under U.S. state privacy laws, although we do not sell personal information for monetary consideration. Exercise this right by enabling Global Privacy Control (GPC) in your browser or through our Do Not Sell or Share My Personal Information page; we honor these signals.

abda will not discriminate against you for exercising your privacy rights. If you believe a request has been wrongly denied, U.S. residents may file an appeal by replying to our decision within sixty days; EEA, UK, or Swiss residents may contact their supervisory authority (the Irish DPC, the UK ICO, or the FDPIC).

Rights in Customer Data

As detailed in our Terms of Service, you grant us a perpetual, royalty-free license to use your Customer Data (excluding Personal Data) for business purposes, including operating/improving Services, training AI models, and analytics. We do not use raw or identifiable Personal Data for training but may anonymize/aggregate it for any lawful purpose. To opt out of using your Customer Data for model training, contact us at privacy@abda.ai.

Sharing with Third Parties

We share Customer Data with Infrastructure Providers (e.g., Supabase for hosting) and Third-Party AI Providers (e.g., OpenAI, Google Gemini, OpenRouter for prompt processing) as necessary to provide Services. We also disclose limited advertising and analytics identifiers — a Google ad-click ID (gclid, gbraid, or wbraid), Google Analytics client/session IDs, and a coarse measure of the value of your activity — to Google Ads, and a Microsoft ad-click identifier, a hashed email address, and a coarse conversion value to Microsoft Advertising, for conversion measurement and advertising optimization; depending on your state of residence, this constitutes a "share" for cross-context behavioral advertising. These shares are governed by their privacy policies (linked above). We do not sell personal information for monetary consideration. For billing, anonymized usage data is shared with Stripe.

16. Changes to This Policy

abda reserves the right to update or revise this Privacy Policy to reflect changes in our practices, legal requirements, or the Services themselves. We will post any revised Policy at https://abda.ai/privacy and indicate the "Effective" date at the top of the document. For material changes that reduce your rights or expand our processing purposes, we will provide at least thirty (30) days' advance notice by e-mail or in-product banner. Your continued use of the Services after the new Policy takes effect constitutes acceptance of the revised terms.

17. Severability

If any provision of this Policy is found to be unlawful, void, or unenforceable under applicable law, that provision will be interpreted to achieve its intent as closely as possible, or, if impossible, deemed severed, and the remaining provisions will remain in full force and effect.

18. Entire Agreement

This Policy, together with the Terms of Service, and any supplemental product terms, constitutes the entire agreement between you and abda regarding privacy and data protection in connection with the Services. In the event of a conflict, the Privacy Policy will control with respect to Customer Personal Data, followed by the Terms of Service.

View our Cookie Policy and opt-out of non-essential cookies here: https://abda.ai/cookies.