GETDIGITALCONTENT PRIVACY POLICY

One Cube Technologies LLC, a Texas limited liability company doing business as GetDigitalContent ("GDC," "Company," "we," "us," or "our"), with its principal place of business in Katy, Texas 77494, United States, is committed to protecting the privacy of our users ("you" or "your").

This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the GetDigitalContent platform ("Platform" or "Services"), including our AI-powered content generation pipeline, campaign management tools, social media publishing integrations, AutoResearch self-improvement system, and all related services.

This Privacy Policy is incorporated into and forms part of our Terms and Conditions. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

1.1 Account Registration Data

When you create an account, we collect:

• Identity Information: Full name, email address, and password (stored as a salted hash using ASP.NET Core Identity)
• Business Information: Business name, industry, website URL, target audience descriptions, and competitor information provided during business discovery onboarding
• Role Information: Your assigned role within each Business (Owner, Admin, or Writer)

1.2 Brand Voice and Business Profile Data

To personalize your content generation experience, we collect:

• Brand voice specifications (tone, style, vocabulary preferences, formality level)
• Business discovery questionnaire responses
• Audience personas and demographic descriptions
• Competitor URLs and market positioning details
• Content preferences and topic guidelines
• Knowledge base materials you upload or provide (when you supply a URL as a resource, we may extract and store the textual content from that web page for use in your Business's knowledge base)

1.3 Content and Campaign Data

During your use of the Services, we process:

• Campaign configurations (themes, topics, schedules)
• Blog content (outlines, sections, metadata, featured images)
• Social media post content generated for each platform
• Audio narration files generated via Azure Text-to-Speech
• Editorial changes, approvals, and revision history
• Image selections and AI-generated imagery

1.4 Payment Information

We use third-party payment processors to handle subscription billing. We do NOT directly store your full credit card numbers, bank account details, or complete payment credentials. Our payment processor may share limited billing information with us, such as the last four digits of your card, billing address, and transaction status.

1.5 Technical and Usage Data

We automatically collect:

• Device Information: Browser type, operating system, device type, and screen resolution
• Connection Information: IP address, Internet service provider, and approximate geographic location
• Usage Data: Pages visited, features used, click patterns, session duration, and navigation paths
• Performance Data: Page load times, error logs, and API response metrics
• Referral Data: How you arrived at the Platform (referral URLs, search terms, marketing campaign identifiers)

1.6 Integration Data

When you connect third-party services, we may receive:

• WordPress: Site URL, authentication credentials (stored encrypted), publishing status
• Social Media Accounts: Platform account identifiers and display names (OAuth tokens are managed by Outstand.so — see Section 5)
• Published Content Metrics: Engagement data, view counts, and interaction metrics from connected platforms (collected for AutoResearch purposes)

1.7 Communication Data

We collect the content of communications you send to us, including support requests, feedback, and correspondence via email or in-app messaging.

1.8 Newsletter and Notification Preferences

If you subscribe to our public newsletter (without creating an account), we collect your email address and name. For registered users, we store notification preference settings across three categories — content updates, product announcements, and educational materials — which you may update at any time through your account settings.

2.1 Service Delivery

We use your information to:

• Create and manage your account and Business profiles
• Operate the multi-agent AI content generation pipeline (Research, Writer, Fine-Tuner, Proofreader, Editor, Image, VoiceOver agents)
• Generate campaign plans, blog content, social media posts, images, and audio narration
• Process your editorial changes and manage approval workflows
• Publish content to your connected WordPress sites and social media accounts
• Execute the AutoResearch self-improvement loop for your Business
• Enforce Plan entitlements and usage quotas

2.2 Service Improvement (Account-Scoped Only)

• Analyze content performance metrics to improve YOUR content quality through the AutoResearch loop
• Adjust YOUR Agent Prompts based on YOUR content evaluation data
• Generate aggregated, anonymized usage analytics that cannot identify individual users

2.3 Communications

• Send transactional emails (account verification, password resets, subscription confirmations)
• Deliver service notifications (campaign completions, publishing status, system alerts)
• Provide customer support responses
• Send product updates and feature announcements (with opt-out)
• Send marketing communications (only with explicit consent; see Section 10 for opt-out)

2.4 Security and Compliance

• Detect, prevent, and respond to fraud, abuse, and security threats
• Enforce our Terms and Conditions and Acceptable Use Policy
• Comply with legal obligations, court orders, and regulatory requirements
• Maintain audit logs for security and compliance purposes

2.5 Legal Basis for Processing (GDPR)

For users subject to GDPR, our legal bases for processing are:

• Contract Performance: Processing necessary to provide the Services you subscribed to (Sections 2.1)
• Legitimate Interests: Service improvement, security, and fraud prevention (Section 2.2, 2.4)
• Consent: Marketing communications and non-essential cookies (Section 2.3)
• Legal Obligation: Tax, regulatory, and law enforcement compliance (Section 2.4)

3.1 How Your Data Flows Through AI

When the Services generate content for your Business, the following data processing occurs:

1. Research Agent: Uses your business profile and campaign topic to query SerperDev for web research data. Search queries are derived from your Input but do not contain personally identifiable information.
2. Writer Agent: Receives your brand voice specifications, business context, research results, and Agent Prompts. Sends these to our underlying AI Large Language Model (LLM) API to generate draft content. The respective AI provider processes this data under its data processing terms.
3. Fine-Tuner, Proofreader, and Editor Agents: Process the draft through iterative AI refinement rounds using our AI language models, each applying your customized prompts.
4. Image Agent: Searches Unsplash for relevant stock photos or generates images using AI. Uses Google image recognition for topical validation.
5. VoiceOver Agent: Sends blog text to Azure Text-to-Speech to generate audio narration files, which are stored in Azure Storage.
6. Semantic Indexing: Published blog content is processed into vector embeddings for internal semantic search and content retrieval. These embeddings are stored within our Azure-hosted database and are not shared with third parties.

3.2 AI Provider Data Handling

AI Language Models (LLMs): Content sent to our underlying AI language models for generation is processed under the respective provider's enterprise data processing terms. Our providers do not use your prompts or outputs to train their general-purpose models when accessed through their APIs. Data is processed in transit and is not persistently stored by the AI provider beyond the API request lifecycle.

Azure Services: Audio files, storage, and compute are hosted on Microsoft Azure under its enterprise data processing agreement. Data residency is primarily in U.S.-based Azure regions.

3.3 No Cross-User Data Training

We share data with the following categories of third-party providers, solely to the extent necessary to operate the Services:

4.1 Cloud Infrastructure

4.2 AI and Content Processing

4.3 Publishing and Integration

4.4 Analytics

4.5 Payment Processing and Email Delivery

4.6 Sub-Processor Updates

We will update this Privacy Policy when we add new sub-processors that handle personal data. Material sub-processor changes will be communicated through our standard notification channels.

5.1 OAuth Connection Flow

When you connect a social media account (LinkedIn, X/Twitter, Facebook, Instagram, Threads, TikTok, YouTube, Pinterest, Bluesky, or Google Business), the connection is facilitated through Outstand.so as an OAuth broker:

1. You initiate the connection from within your GetDigitalContent Business dashboard
2. You are redirected to the social media platform's OAuth authorization page
3. You authorize access by logging in and granting permissions directly to the platform
4. The resulting OAuth tokens are received and stored by Outstand.so (encrypted with AES-256)
5. GetDigitalContent stores only a social account identifier and display name — we NEVER receive or store your raw OAuth tokens

5.2 Data Isolation

Each Business's social media connections are isolated by Business ID, which serves as the tenant identifier with Outstand.so. One Business cannot access or publish to another Business's connected accounts, even within the same user account.

5.3 Publishing Data Flow

When content is published to your social media accounts:

• GetDigitalContent sends the post content (text, images, hashtags) to Outstand.so's API
• Outstand.so uses the stored OAuth tokens to publish to the designated social platform
• Publishing status and any error messages are returned to GetDigitalContent for display
• Performance metrics (views, engagement, clicks) may be collected back from social platforms via Outstand.so for AutoResearch purposes

5.4 Token Revocation

You can disconnect any social media account at any time through your Business dashboard. Upon disconnection:

• Outstand.so revokes and deletes the stored OAuth tokens
• GetDigitalContent removes the social account reference from your Business
• No further publishing to that account is possible until re-connection
• Previously published content remains on the social media platform (removal must be done directly on that platform)

5.5 Outstand.so Data Handling

Outstand.so processes your social media data under its own privacy policy and data processing terms. Key protections include: AES-256 encryption of all OAuth tokens, automatic token refresh cycles, tenant isolation by Business ID, and data deletion upon account disconnection. GDC maintains a data processing agreement with Outstand.so.

6.1 We Do Not Sell Your Data

6.2 Limited Disclosure Circumstances

We may disclose your information only in the following circumstances:

• Service Providers: To third-party providers listed in Section 4, solely for the purpose of operating the Services, under contractual data protection obligations
• Legal Requirements: When required by law, court order, subpoena, or government regulation
• Rights Protection: To protect the rights, property, safety, or security of GDC, our users, or the public
• Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets (you will be notified of any change in data controller)
• With Your Consent: When you explicitly authorize sharing
• Aggregated Data: We may share anonymized, aggregated statistics that cannot reasonably identify any individual user

6.3 Your Published Content

Content you publish through the Services to WordPress or social media platforms becomes subject to the privacy policies and terms of those respective platforms. GDC is not responsible for how those platforms handle your published content after delivery.

7.1 Security Measures

We implement comprehensive security measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS)
• Encryption at Rest: Data stored in Azure is encrypted at rest using AES-256 encryption
• Authentication: ASP.NET Core Identity with salted password hashing, session management, and Cloudflare Turnstile CAPTCHA for bot protection
• Access Controls: Role-based access control (Owner/Admin/Writer) with principle of least privilege
• Infrastructure Security: Azure-managed firewalls, DDoS protection via Cloudflare, Web Application Firewall (WAF)
• Tenant Isolation: Business data is logically isolated by Business ID across all storage and processing layers
• Secure API Communications: All third-party API calls use encrypted connections with API key rotation

7.2 Security Limitations

While we implement industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any unauthorized access.

7.3 Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users via email within seventy-two (72) hours of confirming the breach
• Notify relevant supervisory authorities as required by applicable law (including GDPR Article 33 and state breach notification laws)
• Provide a description of the nature of the breach, the categories of data affected, approximate number of users affected, likely consequences, and remedial measures taken

8.1 Retention Periods

8.2 Post-Termination Data Handling

Upon account termination:

1. Days 1-30: Your account enters read-only mode. You may export your content, business data, and configurations.
2. Day 31+: We begin permanent deletion of your account data, business profiles, content, Agent Prompts, and associated files from primary systems.
3. Day 60+: Backup systems are purged of your data.

Certain data may be retained beyond these periods only as required by law (e.g., payment records for tax compliance).

8.3 Deletion Requests

You may request deletion of your data at any time by contacting [email protected]. We will process deletion requests within thirty (30) days, subject to any legal retention obligations.

We use cookies and similar tracking technologies on the Platform. For comprehensive details about the specific cookies we use, their purposes, and how to manage your preferences, please refer to our dedicated Cookie Policy.

9.1 Summary of Cookie Categories

• Essential Cookies: Required for Platform operation, authentication, CSRF protection, and security (Cloudflare Turnstile). Cannot be disabled.
• Analytics Cookies: Google Analytics for usage statistics (subject to consent)
• Marketing Cookies: Meta Pixel and Google Tag Manager for conversion tracking (subject to consent)
• Functional Cookies: Preferences, language settings, and session state

9.2 Consent and Control

Non-essential cookies are only placed after you provide consent through our cookie consent mechanism. You can modify your cookie preferences at any time. See our Cookie Policy for full details.

10.1 All Users

Regardless of your location, you have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete personal information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Data Export: Export your content and business data through available Platform tools
• Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the link in each email or through account settings
• Account Closure: Close your account at any time through account settings

10.2 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing your request and respond within thirty (30) days (or within the timeframe required by applicable law). We will not discriminate against you for exercising your privacy rights.

10.3 Limitations

In certain circumstances, we may be unable to fully comply with your request, such as when:

• A legal obligation requires us to retain the data
• The request is manifestly unfounded or excessive
• Compliance would adversely affect the rights of others
• The data is needed for the establishment, exercise, or defense of legal claims

The Services are hosted on Microsoft Azure infrastructure primarily located in the United States. Your data may be transferred to, processed in, and stored in the United States and other countries where our service providers operate.

11.1 Transfer Mechanisms

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with our sub-processors that include appropriate safeguards
• The EU-U.S. Data Privacy Framework (where applicable)

11.2 Safeguards

We ensure that any international data transfer is accompanied by appropriate technical and organizational safeguards, including encryption in transit and at rest, access controls, and contractual obligations on sub-processors.

The Services are NOT directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe that a child under 18 has provided personal information to us, please contact us at [email protected] and we will promptly delete it.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

13.1 Right to Know

You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.

13.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, security, completing transactions).

13.3 Right to Correct

You have the right to request correction of inaccurate personal information.

13.4 Right to Opt-Out of Sale/Sharing

We do not sell or share (as defined by CCPA/CPRA) your personal information for cross-context behavioral advertising. Therefore, there is no need to submit an opt-out request. Should our practices change, we will provide a prominent "Do Not Sell or Share My Personal Information" link.

13.5 Right to Limit Use of Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes other than those permitted under CPRA.

13.6 Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality of service, or access levels.

13.7 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. The agent must provide proof of authorization and we may verify your identity directly.

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

14.1 Additional Rights

• Right to Restriction: Request restriction of processing in certain circumstances
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
• Right to Object: Object to processing based on legitimate interests, including profiling
• Right to Withdraw Consent: Withdraw consent at any time for processing activities based on consent (without affecting the lawfulness of prior processing)
• Right to Lodge a Complaint: File a complaint with your local supervisory authority

14.2 Data Controller

One Cube Technologies LLC (DBA GetDigitalContent), Katy, TX 77494, United States, is the data controller for your personal data.

14.3 Data Protection Contact

For GDPR-related inquiries, contact our data protection team at [email protected].

14.4 Automated Decision-Making

The AutoResearch self-improvement loop involves automated processing of content performance data. This processing adjusts AI Agent Prompts but does not produce legal or similarly significant effects on you as an individual. The generated content is always subject to your review and approval before publication. You may object to automated processing at any time.

15.1 Data Collected

The AutoResearch self-improvement system collects and processes:

• Content performance metrics from published blogs and social media posts (views, engagement, time-on-page)
• Content approval rates and editorial revision patterns from the approval workflow
• Binary evaluation scores against defined quality criteria
• Statistical correlations between content characteristics and performance outcomes

15.2 Processing Scope

ALL AutoResearch processing is strictly isolated to a single Business:

• Performance data from Business A is never used to influence Business B's Agent Prompts
• Evaluation criteria may differ per Business based on industry and audience
• Each prompt mutation is versioned, logged, and reversible
• The system operates on automated Azure Function schedules and does not require user intervention

15.3 Opt-Out

AutoResearch is available only on eligible Plans (Pro and Enterprise). If enabled, you may disable AutoResearch for any Business at any time through your Business settings. Disabling AutoResearch freezes all Agent Prompts at their current state and stops performance data collection for improvement purposes.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations.

• We will post the updated policy on the Platform with a new "Last Updated" date
• For material changes that affect how we process your personal data, we will provide at least thirty (30) days' advance notice via email or in-app notification
• Your continued use of the Services after the effective date of changes constitutes acceptance of the updated policy
• If you do not agree with the changes, you should discontinue use and close your account