Privacy Policy
Last updated: May 7, 2026
This Privacy Policy describes how funnls (operated by FUNNLS AI LLC, 'funnls', 'we', 'us') collects, uses, stores, and shares personal data when you sign up for, connect platforms to, or use our Services. It also explains the rights you have over your data and how to exercise them.
If you do not agree with this Privacy Policy, please do not use the Services. By creating an account, connecting a platform, or otherwise interacting with funnls, you agree to the practices described here.
1. Who we are
funnls is an AI marketing platform for direct-to-consumer brands. We help small e-commerce teams generate brand books, ad creative, and marketing assets and optionally publish them to connected platforms (Shopify, Meta, Google, Klaviyo, others). Our company is FUNNLS AI LLC. You can reach us at support@funnls.ai.
2. What we collect
2.1 Information you give us
When you sign up: your name, email, password (hashed), workspace name, and any optional details you provide (role, business stage, how you heard about us).
2.2 Information from connected platforms
When you connect a third-party platform via OAuth, we read data from that platform on your behalf. Specifically:
- Shopify – under the scopes you grant (read_products, read_orders, read_all_orders, read_customers, read_themes, read_content, write_products, write_themes, write_content, and related read/write scopes for discounts, files, inventory, locations, marketing events, publications, draft orders, and price rules): your store metadata, product catalogue, order history, customer records, theme assets, content pages, and any writes funnls performs on your authorization (such as drafting product copy, updating themes, or creating discount codes).
- Meta (Facebook + Instagram) — via the Marketing API under the scopes you grant (ads_read, pages_read_engagement, business_management, and others as you authorize): your ad accounts, campaigns, ad sets, ads, performance metrics, page metadata, and business assets.
- Google (Ads, Analytics 4) — campaign and analytics data scoped to the accounts you authorize.
- Klaviyo – under the scopes you grant via OAuth (or via a Klaviyo private API key if you choose the manual connection path): campaigns, flows, segments, profiles, lists, templates, catalogs, coupons, custom objects, composer drafts, images, events, metrics, tags, subscriptions, forms, web feeds, webhooks, data privacy controls, tracking settings, and conversations. Access is read and write across these resources so funnls can build campaigns and flows on your behalf in addition to reading performance data.
- Other platforms — equivalent read-scoped data for any additional platform you choose to connect.
We request scopes only for the resources funnls needs to deliver its marketing-operations features. funnls is designed as a control plane for your marketing stack – we request both read and write scopes upfront so you can authorize once and let funnls build campaigns, flows, ads, and store updates on your behalf rather than re-prompting you for each action. You can revoke any connection at any time from Settings → Integrations or directly inside the connected platform’s dashboard. Disconnecting stops new reads and writes immediately.
2.3 Information we collect automatically
Like most web services, we collect basic technical telemetry — IP address, browser type, device, pages visited, timestamps, referring URL, and similar log data — for security, debugging, and product analytics. We use first-party cookies and similar technologies for authentication and session continuity.
3. How we use your data
- Provide the Services – generate brand books, analyze campaigns, surface insights, draft email and SMS content, generate ad creative, and (where you authorize it) publish content back to your connected platforms.
- Improve the product — measure feature usage, identify bugs, and improve user experience using aggregated and de-identified data.
- Communicate with you — respond to support requests, send service updates, and (only if you opt in) marketing communications. You can unsubscribe from marketing emails at any time via the link in each email.
- Security & compliance — detect abuse, prevent fraud, and comply with legal obligations.
We do not sell your personal data. We do not use your connected-platform data to train shared AI models that other customers can access. Brand-level data and campaign data stay scoped to your workspace.
4. AI providers
funnls uses third-party AI providers (such as Anthropic and OpenAI) to generate brand-book content, ad copy, email and SMS drafts, and other AI outputs. When we send a prompt to one of these providers, the prompt may include relevant context from your workspace (e.g. brand name, product descriptions, campaign metrics) so the output is tailored to your brand. We use enterprise APIs that, per the providers’ current terms, do not retain prompts for model training. We do not send your connected-platform raw data (full customer lists, full order history) to AI providers — only the minimum context needed to complete the requested task.
5. How we share data
We share personal data with the following categories of recipients, only as needed to operate the Services:
- Infrastructure providers – Vercel (hosting), Supabase (database, storage, authentication, Vault for OAuth tokens), Inngest (background jobs).
- Connected platforms you authorize – when you authorize funnls to publish content (e.g. push a campaign to Klaviyo, create an ad on Meta, update a Shopify theme, generate a discount code), we send the relevant data to that platform on your behalf.
- AI providers — see Section 4 above.
- Analytics providers — privacy-respecting product-analytics tooling for measuring usage and debugging.
- Legal / compliance — when required by law or to protect rights, property, or safety.
We require all subprocessors to maintain appropriate security and confidentiality measures.
6. Where we store data
funnls primarily stores data in the United States via Supabase (PostgreSQL + Storage). If you are located in the EEA, UK, Switzerland, or another jurisdiction with cross-border-transfer rules, transferring your data to the United States is permissible under applicable mechanisms (e.g. Standard Contractual Clauses) and we take steps to ensure adequate protection.
7. How long we retain data
We retain your personal data for as long as your workspace is active, plus a reasonable period afterward to comply with legal obligations and resolve disputes. When you delete your workspace or your account, we delete or anonymize personal data within 30 days, except where retention is required by law (e.g. tax records, billing history). Connected-platform tokens are revoked immediately on disconnect.
8. Security
We use industry-standard safeguards: TLS 1.3 in transit, AES-256 encryption at rest, OAuth tokens stored encrypted in Supabase Vault (never in plaintext), least-privilege access controls, audit logging, automated daily backups with point-in-time recovery, and regular dependency review. We conduct quarterly access reviews to confirm that only authorized personnel retain administrative privileges. Critical vulnerabilities are remediated within 72 hours of confirmation; high-severity issues within 7 days. We notify affected users of any confirmed personal-data breach within 72 hours where required by GDPR Article 33 or applicable state law. No system is perfectly secure; if you believe your account has been compromised, contact support@funnls.ai immediately.
9. Your rights
Depending on where you live, you may have rights regarding your personal data, including the right to:
- Access — get a copy of the personal data we hold about you.
- Correct — update inaccurate or incomplete data.
- Delete — ask us to erase your data (see Data deletion).
- Restrict / object — limit how we process your data or object to specific uses.
- Portability — receive your data in a structured format.
- Withdraw consent — where we rely on consent, you may withdraw it at any time.
To exercise any of these rights, email us at support@funnls.ai. We respond within 30 days.
9.1 California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know the categories and specific pieces of personal information we have collected, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of any sale or sharing for cross-context behavioural advertising. funnls does not sell personal information.
9.2 EEA / UK residents (GDPR)
If you are in the EEA or UK, our lawful bases for processing are: performance of a contract (to provide the Services you requested), legitimate interests (to operate, secure, and improve our Services), consent (where applicable, e.g. marketing emails), and compliance with legal obligations. You have the right to lodge a complaint with your local supervisory authority.
10. Children
The Services are designed for businesses and are not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we’ll change the “Last updated” date at the top and, for material changes, notify you by email or in-product notice. Continued use of the Services after changes take effect constitutes acceptance of the updated policy.
12. Contact
Questions, requests, or concerns about this Privacy Policy or our data practices: email support@funnls.ai.