circlify logo

Privacy Policy

Last updated: July 3, 2026

1. Introduction

Grayton Inc ("we", "our", or "us") operates the Circlify marketing intelligence platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including data obtained through Facebook and Instagram APIs provided by Meta Platforms, Inc., Google Ads API, and Shopify Admin API.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account registration details (name, email address, password)
  • Brand and business information you configure
  • Custom reply templates and brand voice preferences

2.2 Meta Platform Data

When you connect your Facebook and Instagram accounts, we access and store the following data through Meta's APIs:

  • Public Profile: Your Facebook user ID and name for authentication
  • Facebook Pages: Page names, IDs, categories, follower counts, and access tokens for Pages you manage
  • Instagram Business Accounts: Username, profile picture, follower count, media count for connected Instagram professional accounts
  • Posts and Media: Your Instagram and Facebook posts including captions, media URLs, engagement metrics (likes, comments, shares, saves, reach, impressions)
  • Comments: Comments on your posts including commenter usernames, comment text, timestamps, and like counts
  • Direct Messages: Instagram Direct and Facebook Messenger conversations for customer service management (only when you explicitly grant this permission)
  • Page Insights: Aggregated analytics data including post performance, audience demographics, and engagement metrics

2.4 Google Ads API Data

When you connect your Google Ads account, we access and store the following data through Google's APIs (read-only reporting):

  • Account metadata: Customer ID, account name, currency, and timezone
  • Campaign performance: Campaign and ad group names, status, channel type, daily spend, impressions, clicks, conversions, and conversion value
  • Search and creative data: Search terms, keywords, ad copy, and RSA asset performance metrics (for reporting and creative analysis only)
  • OAuth tokens: Refresh tokens stored server-side to maintain your connection; access tokens are short-lived and refreshed automatically

We use Google Ads data exclusively for read-only performance reporting and AI-generated analytics within your brand workspace. We do not create, edit, pause, or modify your Google Ads campaigns, budgets, bids, or ads via the API.

2.5 Shopify Data

When you connect your Shopify store, we access order, product, and customer data as authorized by the scopes you grant during OAuth. This data is used to reconcile paid media performance against real order revenue and to produce commerce performance reports.

2.6 Automatically Collected Information

  • Browser type and version
  • IP address and approximate location
  • Usage patterns and feature interactions
  • Device information

3. How We Use Your Information

We use the collected information to:

  • Provide and maintain the Service, including AI agent briefings, comment management, and AI-assisted reply generation
  • Generate daily executive reports (Business Pulse) and competitive intelligence briefings
  • Produce read-only paid media performance reports from Google Ads and Meta Ads data
  • Reconcile advertising spend against Shopify order revenue for true ROAS analysis
  • Display your social media engagement data in a unified dashboard
  • Generate AI-powered reply suggestions based on your brand voice and previous responses
  • Post approved replies to Instagram and Facebook on your behalf
  • Provide analytics and insights about your social media engagement performance
  • Identify customer support requests and actionable comments requiring attention
  • Track sentiment analysis of comments for business intelligence
  • Manage direct message conversations for customer service
  • Send you service notifications and updates
  • Improve and optimize the Service

4. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following service providers, strictly for the purpose of delivering the Service:

  • Supabase: Database hosting, authentication, and serverless functions (data storage and processing)
  • OpenRouter / OpenAI: AI language models used to generate reply suggestions and perform sentiment analysis. Only comment text and post captions are sent to AI models - no personal identifiers are included.
  • Meta Platforms (Facebook/Instagram): To post approved replies and fetch engagement data via Graph API
  • Google (Google Ads API): To fetch read-only campaign performance data via Google Ads API
  • Shopify: To fetch order and commerce data for revenue reconciliation and commerce reports
  • Cloudflare: CDN and SSL/TLS for secure content delivery

We do not share Platform Data (Meta, Google Ads, or Shopify) with any advertising networks, data brokers, or other third parties not listed above. We do not use Google user data for serving advertisements.

5. Data Storage and Security

Your data is stored on Supabase's infrastructure with encryption at rest and in transit. OAuth access tokens for Meta, Google Ads, and Shopify APIs are stored securely server-side and are never exposed to the frontend application. All database tables are protected by Row Level Security (RLS) policies ensuring users can only access their own data. All connections use HTTPS/TLS encryption.

6. Data Retention

We retain your data for as long as your account is active. Meta API access tokens are stored for up to 60 days (the maximum lifetime of a long-lived token) and are refreshed as needed. Engagement data (comments, analytics) is retained for the duration of your account to provide historical analytics. You may request deletion of your data at any time (see Section 8).

7. Your Rights

You have the right to:

  • Access: Request a copy of the data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your data (see Section 8)
  • Portability: Request your data in a machine-readable format
  • Withdraw Consent: Revoke Meta API permissions at any time through your Facebook settings
  • Object: Object to processing of your data for specific purposes

8. Data Deletion

You can request deletion of all your data associated with our Service in the following ways:

  • Through our app: Visit our Data Deletion page and submit a deletion request
  • Through Facebook: Remove our app from your Facebook settings at Settings > Apps and Websites > Circlify > Remove. This will trigger automatic data deletion on our end.
  • By email: Contact us at the email address listed in Section 12

Upon receiving a deletion request, we will delete all your personal data and Meta Platform Data within 30 days. Some anonymized, aggregated data may be retained for service improvement purposes.

9. Meta Platform Data Use

Our use of information received from Meta APIs adheres to the Meta Platform Terms and the Meta Developer Policies. Specifically:

  • We only request permissions necessary for the features we provide
  • Meta Platform Data is not sold to third parties
  • Meta Platform Data is not used for advertising or ad targeting
  • Meta Platform Data is not transferred to any data broker
  • Users can revoke access at any time through their Facebook or Instagram account settings

10. Google Ads API Data Use

Circlify's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google Ads data only to provide read-only reporting and analytics features within the Service
  • Google Ads data is not sold, transferred, or used for serving advertisements
  • Google Ads data is not used for creditworthiness or lending purposes
  • Human access to Google Ads data is limited to providing support with your authorization
  • You can revoke Circlify's access at any time via your Google Account security settings or by disconnecting Google Ads in Settings

11. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without verification of parental consent, we will take steps to delete that information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Grayton Inc

Email: privacy@circlify.ai

Website: https://www.circlify.ai

Application: https://app.circlify.ai

Address: [PLACEHOLDER — replace with your registered business address before deploy]