Privacy Policy
Effective date: April 27, 2026
1. Who we are
This Privacy Policy explains how Cuitt LLC, doing business as Castle Point Innovations (“Company,” “we,” “us”), collects, uses, and shares information when you use AutoPersonas (the “Service”).
Privacy questions or requests: privacy@castlepointinnovations.com.
2. What we collect
2.1 Information you provide directly
- Account information: name, email, password hash, optional display name and avatar.
- Billing information: collected by our payment processor (Stripe). We never store full card numbers; we receive a tokenized reference plus the last four digits and brand of the card.
- Character inputs: prompts, descriptions, persona attributes, optional reference photos (up to 4 SFW pose references per Character) and voice samples (up to 3 audio clips per Character) that you upload to design AI personas.
- Generation inputs: motion prompts, dialogue scripts, image-edit instructions, brand-collab inputs.
- Connected social accounts: handles, OAuth tokens, and follower / posting metadata for the platforms you connect (Instagram, X, Facebook).
2.2 Information collected automatically
- Usage analytics: which features you use, generation counts, page views, click events, error reports.
- Device data: IP address, user agent, approximate location (country / region).
- Cookies and similar tech: session cookies for login, plus first- and third-party analytics cookies (e.g., Google Analytics 4).
2.3 Information from third parties
- Engagement data from the social networks you connect (likes, comments, follower counts, post performance) so we can render analytics.
- Payment status and fraud signals from Stripe.
3. How we use your information
- Operate the Service: authenticate you, render the dashboard, schedule and publish your content, generate AI outputs, charge your card, send transactional email.
- Improve the Service: aggregated usage analytics, debugging, abuse detection.
- Communicate: account, billing, and security notifications. Marketing email is opt-in (separate from transactional).
- Comply with law: respond to subpoenas and law-enforcement requests when legally required; investigate violations of our Acceptable Use Policy.
4. AI model training: what we do and don’t do
We do NOT train AI models on your User Inputs or Outputs. Your reference photos, voice samples, prompts, and generated images/videos are used only to render the specific outputs you requested, and are not added to any global training corpus.
Per-Character LoRA / voice-clone training, when offered, runs only against the specific Character you trigger it for, and the resulting model is bound to your account — not shared, sold, or used to improve any global model.
Third-party providers (Google Gemini, OpenAI, Kling, MiniMax / Hailuo, xAI Grok) process the prompts and reference materials you send through the Service in order to return outputs. Those providers’ own retention and training policies apply to that data while it’s in their custody. We minimize what we send (only the minimum needed for the requested generation) and prefer providers that contractually agree not to train on API inputs. See Subprocessors below.
5. Who we share your information with
- Service providers / subprocessors: as listed below, only as needed to operate the Service.
- Legal authorities: in response to lawful requests (subpoenas, court orders, etc.) or where we believe disclosure is necessary to investigate fraud, prevent imminent harm, or comply with law.
- Successor entities: if Cuitt LLC is acquired or merged, your information may transfer to the successor, subject to this Policy.
- With your consent: anything else.
We do not sell your personal information for monetary value. Targeted-advertising disclosures specific to U.S. state laws (CCPA / CPA / VCDPA / etc.) are addressed in Section 10, “Your rights under U.S. state laws.”
6. Subprocessors
We rely on the following service providers to deliver the platform. Each acts under a written data-processing addendum (DPA) where required by law:
- Google Cloud (Firebase, Cloud Run, Firestore, Cloud Storage) — hosting, database, file storage. United States.
- Stripe, Inc. — payment processing. United States.
- Google — Gemini AI APIs — AI image / text generation. United States.
- OpenAI — AI image generation (when selected by user). United States.
- Kling AI / Kuaishou — AI video generation, voice clone, lip-sync. China — data sent here is limited to the specific generation request (prompt, reference image, voice sample).
- MiniMax / Hailuo — AI video generation. China — data limited to the generation request.
- xAI / Grok — AI video generation. United States.
- SendGrid (Twilio) — transactional email. United States.
- Google Analytics 4 — analytics. Pseudonymous identifiers; user-agent + IP.
We may add or change subprocessors. Material changes will be reflected here, and we will notify enterprise customers under DPA-required notice periods.
7. How long we keep your data
- Account data: kept while your account is active and for up to 12 months after deletion (for legal / tax retention), then erased.
- User Inputs and generated Outputs: kept while your account is active. After deletion, erased within 30 days unless we are legally required to retain them (which is rare).
- Billing records: kept for 7 years to satisfy U.S. tax and accounting requirements.
- Audit logs and security data: kept for 18 months.
8. Security
We use industry-standard practices: encryption in transit (TLS) and at rest, hashed-and-salted passwords, role-based access control on production data, and regular reviews of subprocessor security postures. No system is perfectly secure; we will notify affected users of any data breach as required by applicable law.
9. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us information, contact privacy@castlepointinnovations.com and we will delete it.
10. Your rights under U.S. state laws (CA, CO, CT, VA, etc.)
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another U.S. state with a comprehensive privacy law, you may have rights to:
- Access the personal information we have about you.
- Correct inaccurate information.
- Delete your information (subject to legal retention exceptions).
- Opt out of any sale or sharing for cross-context behavioral advertising. (We do not currently sell personal information or share it for cross-context behavioral advertising.)
- Appeal a denied request.
To exercise these rights, email privacy@castlepointinnovations.com from the address associated with your account, or use the data export / deletion tools in Settings → Account.
11. Your rights under EU / UK GDPR
If you are in the EEA, UK, or Switzerland, you have rights under the GDPR (or UK GDPR) to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with your local supervisory authority. Our legal bases for processing are: (a) contract — to provide the Service you signed up for; (b) legitimate interests — to operate, improve, and secure the Service; (c) legal obligation — to comply with applicable law; and (d) consent — for marketing emails and optional analytics, where required.
Some subprocessors (notably Kling and Hailuo) are located outside the EEA. Data transfers to those subprocessors rely on Standard Contractual Clauses (SCCs) plus supplementary technical and organizational measures.
12. Changes to this Policy
If we change this Policy materially, we will notify you by email or prominent in-app notice at least 14 days before the change takes effect.
13. Contact us
Cuitt LLC d/b/a Castle Point Innovations
Privacy: privacy@castlepointinnovations.com
Legal: legal@castlepointinnovations.com
DMCA: see DMCA Policy