Privacy Policy
This Privacy Policy explains what personal data Desklight ("we", "us") collects when you use the Desklight platform (the "Service"), how we use it, who we share it with, and your rights. We aim to be plain about it.
1. Data we collect
1.1 Account data
When you sign up we collect your email address, name (if provided), and a hashed password. If you sign in via a third-party identity provider, we receive whatever profile fields you authorize (typically email and name).
1.2 Workspace data
Inside the Service you create brands, posts, calendar entries, knowledge base entries, and team members. We store this data so the Service works. We also store any files, documents, photos, or brand assets you upload or generate.
1.3 Generated content
When you ask Allie or any AI agent to generate text, images, or video, we store the prompt, the output, and minimal metadata (model used, generation time) for delivery and revision history.
1.4 Connected services
If you connect third-party services through Composio, we store the connection metadata and an OAuth token issued to us. We use those tokens only to perform the actions you initiate. Tokens can be revoked at any time from Settings → Connectors in the app or from the third-party provider's settings.
Connectors fall into two groups:
- Storage and design — Dropbox, Google Drive, OneDrive, Figma. We store the OAuth token, your selected root folder (if any), and minimal file metadata (name, modified date, ID) for files you reference. We don't bulk-import file contents.
- Social publishing — Facebook, Instagram, LinkedIn, X, TikTok, YouTube. See section 1.5 below.
1.5 Social publishing platforms (Meta, LinkedIn, X, TikTok, YouTube)
When you connect a social account so Desklight can publish on your behalf, we receive a limited, scoped set of data from that platform. We use it only to schedule and publish the posts you create inside Desklight, and to surface confirmation that a post went live.
| Platform | What we receive | What we do with it |
|---|---|---|
| Facebook (Meta) | OAuth access token, list of Pages you manage, Page IDs, Page name, Page access token | Post text + media to the Page you select. Read back the published post URL for your records. |
| Instagram (Meta) | OAuth access token, IG Business account ID, linked Facebook Page ID, IG media IDs after publish | Publish images, videos, and captions to the IG Business account. Read back the resulting media ID + permalink. |
| LinkedIn | OAuth access token, organization URN(s) you can post as, your LinkedIn member URN | Publish posts to your personal feed or a Company Page you administer. |
| X | OAuth access token, your X user ID and handle | Publish posts. |
| TikTok | OAuth access token, your TikTok user ID and display name | Publish posts. |
| YouTube | OAuth access token, channel ID, channel display name | Upload videos with title, description, and thumbnail. |
We do not read your inbox, scrape your followers, copy other users' content, post anything you didn't create, or use this data for advertising or training. Our use of information received from Meta APIs adheres to the Meta Platform Terms, including the Limited Use requirements.
You can revoke a single platform connection at any time from Settings → Connectors → Disconnect inside Desklight, or from the platform's own app-permissions settings. Revoking deletes the OAuth token and connection metadata from our database within 24 hours.
To delete all data Desklight has received from connected platforms (along with the rest of your workspace), follow the steps in our Data Deletion page.
1.6 Billing data
Payments are processed by Stripe, Inc. We never see or store your full card number. We retain Stripe customer IDs, subscription IDs, plan tier, and high-level billing status (current/past due/canceled) for billing purposes.
1.7 Usage data
We collect basic logs about how the Service is used: timestamps, IP addresses, requested URLs, error events, and feature interactions. Logs are used to operate, secure, and improve the Service.
1.8 Cookies
We use a small number of strictly necessary cookies to keep you signed in and to remember your UI preferences (theme, sort order, sidebar state). We do not use third-party advertising or cross-site tracking cookies.
2. How we use data
| Purpose | Legal basis (GDPR) |
|---|---|
| Operate and provide the Service | Contract |
| Process payments and manage subscriptions | Contract |
| Send transactional email (assignments, approvals, billing, role changes, password resets) | Contract / Legitimate interest |
| Detect and prevent abuse, fraud, or security incidents | Legitimate interest |
| Improve features and fix bugs | Legitimate interest |
| Comply with law (tax, accounting, lawful requests) | Legal obligation |
| Marketing email (only if you opt in or are an existing customer) | Consent / Legitimate interest |
We do not sell or rent your personal data. We do not use your User Content to train AI models — yours or anyone else's.
3. AI subprocessors
To deliver the Service we send your prompts and content to AI APIs operated by third parties. The current list:
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic, PBC | Claude — text reasoning, voice extraction, copy drafting | USA |
| OpenAI, L.L.C. | Embeddings, optional image generation | USA |
| Google LLC (Gemini API) | Image / video generation, brand-extraction vision | USA / EU |
| Replicate, Inc. | Hosted video model inference | USA |
| Stripe, Inc. | Payment processing | USA |
| Supabase, Inc. | Database, file storage, authentication | USA |
| Resend Inc. | Transactional email delivery | USA |
| Composio, Inc. | Third-party OAuth + connector tools | USA |
| AgentMail, Inc. | Email handling for AI agents | USA |
| Railway Corp. | Application hosting | USA |
| Netlify, Inc. | Marketing site hosting | USA |
Each subprocessor has its own privacy and data-retention practices. We do not allow these subprocessors to use your data for their own purposes, and we have no-train clauses with the AI providers where commercially available.
4. Data retention and deletion
We retain your data for as long as your account is active. You can delete your account and all associated data at any time through Settings → Danger zone → Delete account, or by following the Data Deletion instructions if you can't sign in.
When you click Delete, your workspace is scheduled for permanent deletion in 30 days. During this grace period the workspace is locked but recoverable — sign back in and click Restore. After 30 days, your personal data is permanently deleted from our database. Backup copies are overwritten within an additional 30 days, after which the data is irrecoverable.
The deletion includes any data Desklight received from connected social platforms (Facebook, Instagram, LinkedIn, X, TikTok, YouTube), including OAuth tokens, Page IDs, media IDs, and connection metadata. Stripe billing records are retained for the period required by tax and accounting regulations (typically up to 7 years).
5. Sharing data
We share personal data only with:
- Subprocessors listed above, strictly to deliver the Service;
- Your authorized teammates inside your workspace;
- Authorities, when legally required, with a valid subpoena, court order, or other lawful process — and we will notify you unless prohibited.
6. International transfers
The Service is hosted in the United States. If you access it from outside the United States, your data is transferred to and processed in the United States and other countries where our subprocessors operate. We rely on Standard Contractual Clauses where required for transfers of EU/UK personal data.
7. Your rights
Depending on where you live, you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your data ("right to erasure");
- Export your data in a machine-readable format ("data portability");
- Object to or restrict certain processing;
- Withdraw consent at any time, where processing is based on consent;
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@desklight.ai. We will respond within 30 days.
8. Security
We take reasonable measures to protect your data: TLS in transit, encryption at rest in Supabase, principle-of-least-privilege access for our team, and regular review of subprocessor security posture. No system is perfectly secure; if we discover a breach affecting your personal data, we will notify you and the appropriate authorities as required by law.
9. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@desklight.ai and we will delete it.
10. California residents (CCPA / CPRA)
California residents have additional rights, including the right to know what personal data we collect, the right to delete it, the right to correct it, the right to opt out of "sale" or "sharing" (we do neither), and the right to non-discrimination for exercising these rights. To exercise your rights, email privacy@desklight.ai. The categories of personal information we collect, our sources, business purposes, and disclosures are described above.
11. Changes to this policy
We may update this Privacy Policy from time to time. If a change is material, we will notify you by email or in the Service at least fourteen (14) days before it takes effect.
12. Contact
Privacy questions or requests: privacy@desklight.ai.
General support: support@desklight.ai.