Effective Date: September 14, 2025
Last Updated: September 14, 2025
This Privacy Policy (“Policy”) describes how EffortlessAI, LLC (“EffortlessAI,” “Company,” “we,” “our,” or “us”) collects, uses, shares, and protects information relating to individuals in connection with our websites, platforms, APIs, and artificial intelligence services (the “Service”). We are committed to protecting personal data and complying with applicable laws, including the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, the Children’s Online Privacy Protection Act (COPPA), and other relevant privacy frameworks.
- Information We Collect
1.1 Account and Contact Information. We collect identifiers including name, email address, phone number, billing address, payment details, and company or organization information.
1.2 User Content and Inputs. We collect any data, text, prompts, files, or materials you submit (“User Content”). User Content may contain personal data if you choose to provide it. You must not submit sensitive categories of personal data unless expressly authorized.
1.3 AI-Generated Outputs. We may retain AI-generated outputs for quality control, auditing, troubleshooting, or improvement of the Service, subject to opt-out rights. You may opt out of your data being used to improve model performance. You can exercise this choice at www.effortlessai.com/privacy-choices or in your account under Account → Privacy → Model Improvement. API customers may set the header “X-Training-Opt-Out: true” to prevent training on submitted data.
1.4 Technical and Usage Data. We automatically collect IP addresses, device information, operating system, browser type, session activity, and diagnostic information.
1.5 Cookies and Tracking Technologies. We use cookies, pixels, and similar technologies for authentication, analytics, and advertising. See our Cookie Policy for details.
1.6 Voluntary Information. We collect information you provide voluntarily, such as customer support inquiries, survey responses, or feedback.
- How We Use Information
We process data to deliver and maintain the Service; manage accounts; generate outputs; improve models (unless you opt out); communicate with you; ensure security; analyze usage; and comply with law. We will not use personal data for materially different, unrelated, or incompatible purposes without first obtaining consent.
Where you have not opted out, your User Content and outputs may be used for limited purposes of improving models, which may include (a) fine-tuning models to better reflect user interactions; and (b) system-level analytics to enhance accuracy, security, and performance. We do not sell training data. If you opt out, your content will not be used for model fine-tuning and will be excluded from future training runs.
2A. Data Minimization and Purpose Limitation
We collect only the minimum personal data necessary for the purposes described in this Privacy Policy. We do not process personal data in ways that are incompatible with those purposes without first obtaining your consent.
- Legal Bases for Processing
Where the GDPR or similar laws apply, we rely on: (a) Consent; (b) Contractual necessity; (c) Legitimate interests (including improving models and preventing misuse); and (d) Legal obligations.
- Automated Decision-Making and Profiling
EffortlessAI may use automated processing, including profiling, to provide outputs and insights. Where processing produces legal or similarly significant effects, you have the right to obtain meaningful information about the logic, request human review, contest the decision, and express your views. Residents of Virginia, Colorado, and Connecticut may exercise opt-out rights regarding profiling.
We maintain consent logs (timestamp, preference state, region, device signal) to demonstrate compliance and will prompt for re-consent upon material changes or after 12 months in jurisdictions that require fresh consent.
- Data Sharing and Transfers
We share data with trusted service providers, as required by law, or in connection with mergers and acquisitions. Where data is transferred internationally, we rely on Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), or equivalent lawful mechanisms. A current list of sub-processors is maintained on our Sub-processors Page.
We implement supplementary measures, such as encryption in transit and at rest and strict access controls, and conduct transfer impact assessments for restricted transfers outside the EEA, Switzerland, or the UK.
- Cookies and Tracking
We use cookies, pixels, and tracking technologies to authenticate users, analyze performance, and deliver advertising (where permitted by law and with consent). We honor Global Privacy Control (GPC) signals as valid opt-outs under CPRA. See our Cookie Policy for more detail.
Your Privacy Choices. You may exercise CPRA choices at /privacy-choices, including: (i) Do Not Sell or Share My Personal Information; and (ii) Limit the Use of My Sensitive Personal Information. We also honor browser-based Global Privacy Control (GPC) signals as opt-outs for sale/sharing.
We do not respond to browser “Do Not Track” signals. We do honor Global Privacy Control (GPC) signals as opt-outs of sale or sharing of personal information.
We do not offer financial incentives or price/service differences in connection with the collection, retention, sale, or sharing of personal information.
- Data Retention
We retain account data for the life of your account plus three (3) years; billing and transaction data for seven (7) years; User Content and AI outputs for up to 365 days unless disabled; system logs for 12–24 months; and training data copies only if you have not opted out. Upon expiration, data is securely deleted or anonymized.
We determine retention periods based on (i) the nature of the data, (ii) the purpose of processing, (iii) applicable legal or contractual obligations, and (iv) security and fraud-prevention needs.
- Your Rights
You may exercise rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. California residents have rights to know, delete, and opt out of sale or sharing (we do not sell data). Appeals of denied requests may be submitted within thirty (30) days to info@effortlessai.com. We respond to verified requests within 45 days, extendable by law.
In addition to the rights described above, you have the right to lodge a complaint with your local data protection authority if you believe our Processing of your Personal Data violates Applicable Data Protection Laws. EU/EEA residents may find their authority via the European Data Protection Board (https://edpb.europa.eu). UK residents may contact the Information Commissioner’s Office (ICO). U.S. residents may raise complaints with the Federal Trade Commission (FTC) or their state attorney general.
Residents of Virginia, Colorado, Connecticut, Utah, and Texas also have rights under state privacy laws, including the right to confirm Processing, access data, correct inaccuracies, request deletion, obtain a portable copy, and opt out of targeted advertising, profiling, or the sale of Personal Data. We will honor such requests in accordance with Applicable Data Protection Laws.
Verification. We verify consumer requests by matching at least two pieces of personal data, or three for sensitive or precise information, to data we maintain. We may also require a signed declaration. Authorized agents must provide written permission from the consumer, and we may verify the consumer’s identity directly.
Nevada Residents. Nevada residents may email info@effortlessai.com to opt out of the sale of covered information, though we do not sell personal information.
- Security
We implement administrative, technical, and organizational measures consistent with industry standards, including encryption, access controls, logging, monitoring, and secure development practices. Our AI risk program aligns with NIST AI RMF and ISO/IEC 42001. While no system is completely secure, we take all reasonable measures to protect data.
- Breach Notification
We will notify supervisory authorities within seventy-two (72) hours of becoming aware of a personal data breach and notify affected individuals and customers without undue delay, as required by law.
- Children’s Data
The Service is not directed to individuals under eighteen (18). We do not knowingly collect personal data from children. If we discover collection from a child under thirteen (13) in the United States without verifiable parental consent, we will promptly delete the data.
- Changes to This Policy
We may revise this Policy periodically. If changes are material, we will provide clear advance notice. Continued use of the Service constitutes acceptance.
In addition, EffortlessAI may make modifications as reasonably necessary to reflect changes in Applicable Laws or regulations, including without limitation data protection and artificial intelligence laws. Such modifications shall be effective upon posting, and continued use of the Service constitutes acceptance.
- Contact Information
EffortlessAI, LLC — 81 Broadway St., Suite 201, Asheville, NC 28801 • info@effortlessai.com

Category (Cal. Civ. Code §1798.140) | Examples We Collect | Sources | Business / Commercial Purposes | Sold / Shared? | Categories of Recipients | Retention Period |
---|---|---|---|---|---|---|
Identifiers | Name, email, phone, IP address, device ID, account login, cookie ID | Directly from you; automatically from your device/browser | Account creation, authentication, fraud prevention, customer support, service delivery | Not sold · May share for ads (opt-out) | Cloud hosting, analytics, customer support, payment processors, advertising/marketing vendors | Account lifetime + 3 years; IP logs ≤ 24 months; cookies ≤ 13 months (EU) / 24 months (US) |
Commercial Information | Billing address, payment card details, purchase/transaction history | You; payment processors | Process transactions, subscriptions, fraud detection, tax/accounting compliance | Not sold or shared | Payment processors, billing partners, tax authorities (where required) | Transaction records 7 years; card data tokenized & retained by processor only |
Internet / Network Activity | Browsing events, page views, session data, clickstream, referring URLs, chatbot transcripts, API calls | Your device/browser; cookies & similar technologies | Service functionality, analytics, security monitoring, improve AI models, detect abuse | May share with analytics/ad partners (opt-out) | Analytics/CDN providers, security vendors, performance monitoring, marketing partners | Logs 12–24 months; aggregated analytics retained indefinitely |
Geolocation Data | Approximate IP-based location, time zone, region | Automatically from device/network | Localized services, fraud/risk detection, legal compliance | Not sold · May share with analytics/CDN | CDN, security providers, analytics vendors | 12 months |
Professional / Employment Information | Job title, employer, role, industry (if provided) | You; business partners | Lead scoring, CRM enrichment, B2B sales outreach | Not sold or shared | CRM vendors, sales/marketing service providers | Until deletion request or CRM record closure + 3 years |
Education Information (protected) | Institution, degree, graduation year (if provided) | You | Recruiting/partner evaluation (if applicable) | Not sold or shared | CRM vendors, HR systems | Until deletion request or CRM record closure + 3 years |
Inferences | Propensity scores, lead qualification, AI-generated summaries | Derived from interactions, analytics, CRM data | Personalization, sales acceleration, product improvement, model tuning | Not sold · May share for analytics/adtech (opt-out) | Analytics vendors, CRM providers, marketing automation | Derived inferences ≤ 12 months; aggregated/anonymized data indefinite |
Sensitive Personal Information (SPI) | Gov’t ID, financial account/credentials, precise geolocation, race/ethnicity, union membership, genetic/biometric, health, sexual orientation (we instruct users not to provide these) | You (only if provided); we discourage submission | Account security, fraud prevention, legal compliance; NOT used to infer characteristics or for targeted ads | Not sold or shared | Payment processors (verification), security partners, legal authorities (if compelled) | Deleted upon detection or retained only as legally required (e.g., tax/AML) |
Audio/Visual/Electronic Information | Voice recordings, chat transcripts, support calls (if provided) | You; support systems | Customer support, QA, improving support quality (with notice/consent) | Not sold or shared | Support vendors, cloud hosting, analytics providers | Support transcripts 24 months; recordings 90 days unless required for QA/legal |
Other Information | Free-form fields, uploaded files, integration data you authorize | You; integrated systems | Provide requested services, improve platform, comply with legal requests | Not sold · May share with sub-processors to perform services | Hosting providers, integrated SaaS partners (as authorized by you) | Up to 3 years or until deletion request |

For choices including Do Not Sell or Share and Limit the Use of Sensitive Personal Information, visit /privacy-choices. We honor Global Privacy Control (GPC) signals.