Privacy Policy
Last updated: May 15, 2026
OnPilot (“we”, “us”) operates the website at onpilot.app and the OnPilot web application. This policy explains what data we collect, why, and what you can do about it.
1. Data we collect
- Account data: email address, name (optional), and a hashed password or OAuth identifier when you sign up.
- Campaign data: the keywords, subreddits, target audiences, brand voice, and other configuration you create inside the app.
- Generated content: AI-drafted replies, your edits to them, and metadata about whether you sent them.
- OAuth tokens: if you connect an X (Twitter) account, we store its OAuth 2.0 access token and refresh token, encrypted at rest.
- Billing data: Stripe processes your payment. We store only a Stripe customer ID and subscription status — we never see your card number.
- Usage analytics: page views, button clicks, and error reports via PostHog, used to debug and improve the product.
2. How we use it
- Run your campaigns: monitor Reddit and X for posts matching your keywords, score them, and draft replies.
- Provide and improve the product, fix bugs, and prevent abuse.
- Send transactional email (sign-in confirmations, trial-ending reminders, weekly summaries you can opt out of).
- Comply with legal obligations and enforce our terms of service.
We do not sell your data. We do not use your data to train third-party AI models.
3. Third-party processors
We share data only with the vendors we need to run the service:
- Supabase — database, authentication, file storage.
- Vercel — application hosting.
- Stripe — payment processing.
- Anthropic — AI model that scores leads and drafts replies. Your prompts and generated content pass through Anthropic’s API.
- Resend — transactional email delivery.
- PostHog — product analytics and error tracking.
- Reddit and X (Twitter) — public APIs we read to find leads. When you post a reply, your content is sent to those platforms under your account.
4. Cookies
We use first-party cookies to keep you signed in, remember your preferences, and run analytics. We do not use cookies for cross-site advertising. You can clear or block cookies in your browser settings — doing so may sign you out and disable some features.
5. Data retention
We keep your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required to retain billing records for tax or fraud-prevention reasons.
6. Your rights
Depending on where you live (EU, UK, California, and similar jurisdictions), you have the right to access, correct, export, or delete your personal data, and to opt out of analytics. To exercise any of these rights, email us at alerts@onpilot.app.
7. Security
We use TLS in transit and AES encryption at rest for sensitive fields (e.g. OAuth tokens). Database access is restricted per user through row-level security. No system is perfect — please report any security concern to alerts@onpilot.app.
8. Children
OnPilot is not intended for users under 16. We do not knowingly collect data from children.
9. Changes
We may update this policy as the product evolves. Material changes will be announced by email or in-app notice at least 7 days before they take effect. The “Last updated” date above will always reflect the current version.
10. Contact
Questions? Email alerts@onpilot.app.