Privacy Policy

Your data privacy and security are our top priorities

Last Updated: March 9, 2026

Our Commitment

Elephas AI is committed to protecting the privacy and security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our marketing automation platform.

Who This Covers

This policy applies to all users of our platform, including Platform Administrators, Franchise Brands, Franchise Owners, Location Managers, and end customers whose data is processed through our system.

1. Information We Collect

1.1 Platform User Information

When you create an account as a Platform Admin, Franchise Brand, Franchise Owner, or Location Manager, we collect:

  • Account information (name, email address, phone number)
  • Business information (company name, franchise brand, location details)
  • Login credentials (encrypted passwords)
  • Role and permission settings
  • Profile preferences and settings

1.2 Customer Data You Upload

As a SaaS platform, we process customer data on your behalf, including:

  • Customer contact information (names, phone numbers, email addresses)
  • Customer preferences and consent status (SMS, email, marketing opt-ins)
  • Transaction data and order history from integrated POS systems
  • Loyalty program data (points, tiers, redemptions)
  • Customer segmentation and behavioral data
  • Campaign engagement metrics (opens, clicks, conversions)

1.3 Automatically Collected Information

  • Usage data (features accessed, campaigns created, pages viewed)
  • Device information (IP address, browser type, operating system)
  • Cookies and tracking technologies for authentication and analytics
  • API usage logs and system performance metrics

1.4 Integration Data

  • POS system webhooks and transaction data
  • Meta Ads account information and campaign performance
  • Google Ads account data and attribution metrics
  • Payment information processed through Stripe (we do not store full credit card details)

2. How We Use Your Information

2.1 To Provide Our Services

  • Create and manage your account and user profiles
  • Execute marketing campaigns (SMS, email, WhatsApp, ads)
  • Process customer data and generate segments
  • Provide analytics and performance reporting
  • Manage loyalty programs and offer redemptions
  • Track campaign attribution and ROI

2.2 Platform Administration

  • Authenticate users and enforce role-based access controls
  • Maintain multi-tenant data isolation between franchise brands and locations
  • Process billing and manage subscriptions
  • Provide customer support and respond to inquiries
  • Monitor system performance and prevent fraud

2.3 AI and Machine Learning

  • Generate AI-powered customer segments based on behavior patterns
  • Create personalized campaign content using OpenAI
  • Predict customer churn and lifetime value
  • Optimize send times and channel selection
  • All AI processing is done securely, and customer data is never used to train third-party models

2.4 Communications

  • Send transactional emails (account notifications, password resets)
  • Provide platform updates and new feature announcements
  • Share best practices and educational content (you can opt out)

3. Data Sharing and Disclosure

3.1 We DO NOT Sell Your Data

Elephas AI does not sell, rent, or trade your personal information or your customer data to third parties for marketing purposes.

3.2 Service Providers

We share data with trusted third-party service providers who assist in platform operations:

  • Twilio - SMS message delivery
  • SendGrid - Email message delivery
  • Meta - Facebook and Instagram advertising
  • Google - Google Ads advertising
  • OpenAI - AI content generation (no customer PII sent)
  • Stripe - Payment processing
  • AWS - Cloud infrastructure and hosting

All service providers are bound by strict data processing agreements and only access data necessary to perform their services.

3.3 Within Your Organization

Data is shared within your franchise organization based on role-based access controls:

  • Platform Admins can view data across selected franchise owners and locations
  • Franchise Brands can view aggregated data across their network
  • Franchise Owners can access data for all their locations
  • Location Managers can only access data for their assigned locations

3.4 Legal Compliance

We may disclose information when required by law, such as to comply with a subpoena, court order, or legal process, or to protect our rights, property, or safety.

4. Multi-Tenant Data Isolation

As a multi-tenant SaaS platform serving multiple franchise brands, we implement strict data isolation:

  • Database-level isolation: All queries include tenant filters to prevent cross-brand data access
  • Row-level security: Customer data is scoped to specific brands and locations
  • API-level controls: All API requests validate user permissions before returning data
  • Encryption at rest: Sensitive data (credentials, API keys) encrypted using AES-256-GCM
  • Encryption in transit: All data transmitted over HTTPS/TLS 1.3
  • Regular security audits: Quarterly penetration testing and security reviews

5. Data Retention

  • Account data: Retained while your account is active plus 90 days after cancellation
  • Customer data: Retained according to your preferences or legal requirements (minimum 30 days for compliance)
  • Campaign data: Performance metrics retained for 2 years for analytics
  • Billing data: Retained for 7 years to comply with tax and accounting regulations
  • Audit logs: System logs retained for 1 year for security and troubleshooting
  • Deletion requests: Processed within 30 days of account closure

6. Your Data Rights

6.1 For Platform Users

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Portability: Export your data in CSV or JSON format
  • Restrict processing: Limit how we use your data
  • Object: Opt out of marketing communications

6.2 For End Customers

Elephas AI processes customer data on behalf of franchise brands. If you are an end customer and want to exercise your privacy rights (access, deletion, opt-out), please contact the franchise location directly. We will assist franchise brands in responding to customer requests.

6.3 California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected, used, and shared
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising privacy rights

6.4 GDPR Rights (European Users)

While Elephas AI primarily operates in the United States, we respect GDPR rights for European users and provide the same data protection standards globally.

7. Security Measures

We implement industry-standard security practices to protect your data:

  • Encryption: AES-256-GCM for data at rest, TLS 1.3 for data in transit
  • Access controls: Role-based access with least privilege principle
  • Authentication: JWT tokens with 15-minute expiration, bcrypt password hashing
  • Infrastructure: SOC 2 Type II compliant cloud hosting (AWS)
  • Monitoring: 24/7 security monitoring and incident response
  • Backups: Daily encrypted backups with 30-day retention
  • Vulnerability management: Regular security scans and patch management
  • Employee training: Annual security awareness training for all staff

8. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential cookies: Required for login and platform functionality
  • Analytics cookies: Understand platform usage and improve features
  • Preference cookies: Remember your settings and preferences

You can control cookies through your browser settings. Note that disabling essential cookies may impact platform functionality.

9. Third-Party Integrations

When you integrate third-party services (POS systems, Meta Ads, Google Ads), you authorize us to:

  • Receive webhook data from your POS system
  • Access your advertising accounts to create and manage campaigns
  • Sync customer data for attribution tracking

You can revoke these integrations at any time through your account settings. Please review the privacy policies of integrated services, as they have their own data practices.

10. Children's Privacy

Our platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

11. International Data Transfers

Our platform is hosted in the United States. If you access our services from outside the U.S., your data will be transferred to and processed in the United States. We implement appropriate safeguards to protect data transferred internationally.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes via email or platform notification at least 30 days before they take effect. Your continued use of the platform after changes indicates acceptance of the updated policy.

13. Data Processing Agreement

For enterprise customers processing customer data through our platform, we offer a separate Data Processing Agreement (DPA) that outlines our obligations as a data processor. Contact our legal team at legal@elephas.io to request a DPA.

Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, please contact us:

Email: privacy@elephas.io

Support: support@elephas.io

Address:
Elephas AI
Washington, DC
United States

Response Time: We will respond to privacy requests within 30 days. For urgent security matters, please include "URGENT" in your subject line.