Privacy Policy

Last Updated: October 28, 2024

1. Introduction

This Privacy Policy describes how txb.ai ("we", "our", or "us"), operated by Spawntech (Pty) Limited trading as The Experience Business, collects, uses, and shares information when you use our AI-powered service. We are committed to protecting your privacy and ensuring transparent data practices.

2. Information We Collect

2.1. Information You Provide

  • Account information (name, email, password)
  • Content and data you input into our Service
  • Communication preferences
  • Customer support interactions

2.2. Automatically Collected Information

  • Usage data and interaction patterns
  • Device information
  • IP address and location data
  • Browser type and settings
  • Session information
  • Performance and error data
  • Input prompts and queries
  • Generated outputs
  • Model interaction patterns
  • Training feedback and corrections

3. How We Use Your Information

We use collected information for:

3.1. Service Provision

  • Delivering AI-powered features
  • Processing your requests and generating responses
  • Managing your account
  • Providing customer support

3.2. Service Improvement

  • Training and improving our AI models
  • Enhancing accuracy and performance
  • Developing new features
  • Analyzing usage patterns

3.3. Communication

  • Sending service updates
  • Providing technical notifications
  • Responding to your inquiries
  • Marketing communications (with consent)

3.4. Security and Compliance

  • Protecting against unauthorized access
  • Preventing fraud and abuse
  • Maintaining service integrity
  • Complying with legal obligations

4. Data Storage and Processing

4.1. Data Storage

  • We store data in secure, encrypted environments
  • Data is retained only as long as necessary
  • You can request data deletion (subject to legal requirements)

4.2. AI Model Training

  • We may use anonymized data to train our AI models
  • Personal identifiers are removed before training
  • You can opt out of contributing to model training

4.3. Supabase Data Handling

  • User data is processed and stored using Supabase, a secure backend-as-a-service platform
  • Supabase implements strong encryption standards and follows industry best practices for data protection
  • We utilize Supabase's Row Level Security (RLS) to enforce fine-grained access control on our database, ensuring that users can only access data they are authorized to view or modify

4.4. Payment Information

  • We do not store payment information directly
  • Payment processing is handled by third-party payment providers
  • We utilize secure APIs provided by our payment partners to process transactions
  • For details on how payment information is handled, please refer to the privacy policies of our payment providers

4.5. Payment Providers

We use the following payment provider to process transactions:

  • Paystack: For all online payments

4.5.1. Privacy Policy

Paystack Privacy Policy

Paystack is PCI-DSS compliant and implements industry-standard security measures to protect your payment information. When you make a payment, you will be redirected to Paystack's secure platform or interact with their embedded interface.

We recommend reviewing Paystack's privacy policy to understand how they handle your payment information.

5. Information Sharing

We share information with:

5.1. Service Providers

  • Cloud hosting providers
  • Payment processors
  • Analytics services
  • Customer support tools

5.2. Legal Requirements

  • Court orders
  • Legal obligations
  • Government requests
  • Protection of rights

5.3. Business Transfers

  • Merger, acquisition, or sale of assets
  • Due diligence processes

6. Data Security

We implement security measures including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security audits
  • Incident response procedures
  • Implementation of Row Level Security (RLS) policies in Supabase to control data access at the database level
  • Regular security audits of our Supabase configuration and RLS policies
  • Utilization of Supabase's built-in security features, including SSL enforcement and secure password hashing

7. Your Rights and Choices

You have the right to:

  • Access your personal information
  • Correct inaccurate data
  • Request data deletion
  • Opt out of marketing
  • Export your data
  • Withdraw consent
  • Lodge complaints with supervisory authorities
  • Request a copy of your personal data stored in our Supabase database
  • Receive information about how your data is processed within our Supabase infrastructure

8. Children's Privacy

  • We do not knowingly collect data from children under 13
  • Parents can request data deletion
  • Age verification may be required

9. International Data Transfers

9.1. Data Transfer Mechanisms

  • Standard contractual clauses
  • Adequacy decisions
  • Privacy Shield (where applicable)

9.2. Transfer Safeguards

  • Data protection agreements
  • Security assessments
  • Compliance monitoring

10.1. Types of Cookies Used

Essential Cookies

  • Supabase Auth (sb-access-token, sb-refresh-token): Manages authentication state
  • CSRF Token (__Host-next-auth.csrf-token): Protects against cross-site request forgery
  • Session (__Secure-next-auth.session-token): Maintains your logged-in status
  • Language Preference (NEXT_LOCALE): Stores your preferred language

Functional Cookies

  • User Preferences (txb_prefs): Saves your interface preferences
  • Last Used Tools (txb_recent): Remembers recently used features
  • Display Settings (txb_display): Maintains your display preferences

Analytics Cookies

  • Google Analytics (_ga, _gid): Tracks user behavior anonymously
  • Application Performance (txb_perf): Monitors service performance

Marketing Cookies (Optional)

We may use cookies related to our Customer Relationship Management (CRM) system and marketing efforts. These may include:

  • Google Tag Manager: Used to manage and deploy marketing tags (including for Google Analytics and other marketing tools)
  • CRM-specific cookies: May be used for tracking email campaigns, website interactions, and lead management
  • Third-party analytics: Additional tools may be used to enhance our marketing insights and improve user experience

The specific cookies used will depend on our final choice of CRM and marketing tools. We are considering options such as HubSpot, ActiveCampaign, or Pipedrive.

Users can opt out of these marketing cookies without affecting core site functionality. For the most up-to-date information on our marketing cookies, please check our Cookie Settings panel or contact our privacy team.

  • Cookie preferences can be managed via the Cookie Settings panel
  • Browser settings can be used to control cookie acceptance
  • Marketing cookies require explicit opt-in
  • Essential cookies cannot be disabled as they are required for service functionality

11. AI-Specific Privacy Considerations

11.1. Model Training Data

  • Training data is anonymized using industry-standard techniques
  • Personal identifiers are removed before processing
  • Training data is retained for a maximum of 12 months
  • Model updates occur quarterly with validated datasets
  • Training data is segregated from production data in separate Supabase projects to ensure data isolation

11.2. AI Output Privacy

  • Generated content is stored with encryption at rest
  • Outputs are accessible only to authorized team members
  • Strategic assets are retained according to subscription terms
  • Users can request complete deletion of generated content

12. Technical and Organizational Measures

12.1. Data Storage

  • Primary data storage: Supabase (powered by PostgreSQL)
  • Supabase region: West EU (London)
  • Data replication: Managed by Supabase for high availability
  • Encryption: AES-256 for data at rest, TLS 1.3 for data in transit, managed by Supabase

12.2. Security Measures

  • Access control: Secure OAuth-based authentication (via GitHub, Google, or Azure)
  • Monitoring: 24/7 automated system monitoring
  • Auditing: Regular third-party security audits
  • Incident response: Dedicated security team with 4-hour response time

12.3. Data Retention

  • Active accounts: Data retained for duration of subscription
  • Inactive accounts: Data retained for 180 days after last login
  • Deleted accounts: Data purged within 30 days of deletion request
  • Backups: Retained for 90 days maximum
  • Supabase backups: Automated daily backups with point-in-time recovery for the last 7 days
  • Database logs: Retained for 30 days for security and troubleshooting purposes

13. Changes to Privacy Policy

  • We may update this policy periodically
  • Notice of material changes will be provided
  • Continued use constitutes acceptance

14. Additional Rights for Specific Regions

14.1. European Union (GDPR)

  • Right to data portability
  • Right to restriction of processing
  • Right to object to processing
  • Automated decision-making rights

14.2. California (CCPA/CPRA)

  • Right to know
  • Right to delete
  • Right to opt-out of sale
  • Non-discrimination rights

15. Compliance with South African Law

15.1. POPIA Compliance

  • Registered Information Officer appointed
  • Regular compliance audits conducted
  • Data subject rights fully implemented
  • Mandatory security compromise notifications

15.2. Cross-border Transfer Safeguards

  • Standard contractual clauses implemented
  • Data processing agreements with all processors
  • Regular assessment of processor compliance
  • Documentation of all data flows

16. Contact Information

For privacy-related inquiries, please contact us:

The Experience Business
(Trading as txb.ai)
Ground Floor, 3 Sandown Valley Crescent
Sandton, South Africa, 2196

Phone: +27 11 994 9960

Email Contacts:

Operating Hours: Monday to Friday, 08:00 - 17:00 SAST