Privacy Policy
Last updated: July 10, 2026
This Privacy Policy explains what information IO2Labs collects when you use our marketing platform, how we use it, who we share it with, and the choices you have.
1. Who we are
IO2Labs, LLC (“IO2Labs,” “we,” “us,” or “our”) is a Florida limited liability company based in the State of Florida, United States. We provide a multi-tenant platform that helps businesses capture their brand information and generate marketing content using artificial intelligence.
This policy applies to the IO2Labs application and related services (the “Service”). If you have questions, contact us at legal@io2labs.com.
2. Information we collect
We collect the following categories of information:
- Account information. Your name, email address, and authentication credentials, plus the organization (workspace) you belong to and your role within it.
- Business and client data you provide. The structured “variables” you enter about your business, clients, products, audiences, offers, and campaigns. This is the core data you use the Service to organize and generate content from.
- Uploaded media. Images, logos, and other files you upload, including model photos and likeness materials used to generate content.
- Imported records about your customers and leads. Files you choose to import into the Service — such as lead exports from your advertising accounts — which may include your customers’ names, contact details, and service details. See “Personal data you bring into the Service” below.
- Public business listing and review data. At your direction, we retrieve publicly available information about your business (or the businesses you manage) — such as your public business listing, profile details, and public customer reviews, which can include reviewer names and review text — through the search-data provider described below.
- Generated assets. The text, images, video, and audio the Service produces from your inputs, along with the input snapshot recorded for each generation.
- Assistant conversations and memories. Each client can have its own AI assistant. We collect the messages you send it, the assistant’s replies, and the memories you ask it to keep — the decisions and preferences it records, each attributed to the member who provided it and to the conversation it came from. These memories hold only your own notes, preferences, and decisions; they do not include your customers’ personal information, your credentials, or your payment details.
- Usage and energy data. Operational records of your activity, including generation history and your organization’s “energy” (usage credit) balance and ledger.
- Payment information. Subscription and billing details. Card payments are processed by our payment provider, Stripe; we do not store your full card number on our systems.
- Technical data. Standard server and security logs (such as request and error logs) needed to operate and secure the Service.
3. How we use your information
We use the information above to:
- Provide, operate, and maintain the Service and your account.
- Generate the marketing content you request by passing your inputs to the generation providers described below.
- Power each client’s AI assistant: answer your questions from that client’s business variables and records, and store the memories you ask it to keep so it builds on your earlier conversations.
- Process subscriptions and bill for usage.
- Secure the platform, prevent abuse, debug errors, and monitor the health of generations.
- Communicate with you about your account, support requests, and changes to the Service.
- Comply with our legal obligations.
We do not use your business data, uploaded media, or generated assets to train our own general-purpose models, and we do not sell your information.
4. Service providers and sub-processors
To deliver the Service, we share data with the third-party providers below strictly to perform the functions they support. Each processes only the data needed for that function.
- Vercel — application hosting and delivery. Serves the application and processes standard request and error logs.
- Supabase — authentication, database, and file storage. Hosts your account, business data, uploaded media, and generated assets.
- fal — AI media generation (images, video, audio). Receives the prompts, parameters, and media URLs needed to produce the assets you request.
- Anthropic — AI text and language generation, including the per-client assistant. Receives the prompts and context needed to produce text content and to power your assistant conversations — for a chat turn, this is your message, the relevant business variables and records the assistant cites, and the memories saved for that client.
- Firecrawl — website scraping during onboarding. Receives the website URL you choose to import so we can pre-fill your business variables.
- SerpApi — public listing and review retrieval. When you use features that read your public business presence, receives the business name, location, or listing identifier needed to fetch that publicly available data.
- Modal — compute infrastructure for 3D rendering. For workflows that produce 3D content, receives the product images and generated 3D models needed to render the output you request.
- Stripe — subscription and payment processing. Receives the billing details needed to process your subscription.
- Operational alerting (Discord/Slack webhook). When a generation fails, we send an internal alert containing your organization’s name, the workflow name, and a truncated error message so we can diagnose the failure. This alert does not include your full business data or generated assets.
We may add or change sub-processors as the Service evolves and will update this list accordingly.
5. Personal data you bring into the Service
Some features let you import, upload, or direct us to retrieve information about identifiable people other than yourself — for example your customers, leads, review authors, or employees. We process that information solely on your behalf and at your direction, to provide the Service to you. As between you and IO2Labs, you are responsible for that data: for having the legal right to collect and share it, for providing any notices and obtaining any consents the law requires, and for honoring those individuals’ privacy rights. If an individual contacts us directly about data you brought into the Service, we may refer their request to you, and we will assist as required by applicable law.
6. Cookies
We use only essential cookies required to sign you in and keep your session active, set through Supabase’s server-side authentication. We do not use advertising, analytics, or third-party tracking cookies at this time.
7. Marketing site and forms
Our public marketing website is separate from the signed-in Service and offers a couple of contact forms. When you submit one, we collect only what you enter, and we use it for a single, specific purpose:
- Agency service inquiries. If you contact us about our marketing services, we collect your name, your business name, your email address, an optional phone number, and the trade, service area, and message you provide. We use this solely to respond to your inquiry and to follow up about working together. The phone number, if you choose to give one, is used only to respond to your inquiry — we do not use it for marketing calls or texts.
- Platform early-access sign-ups. If our self-serve platform isn’t open to you yet and you ask to be kept in the loop, we collect your email address and use it to contact you about early access and product updates.
Along with each submission we record a small amount of attribution information so we know where an inquiry came from: the campaign parameters in the link you arrived on (UTM source, medium, and campaign), the referring web address, and any short self-description you provide on the form (for example, what kind of business or client work you run). These details are read from the page’s web address and your browser’s referrer header at the moment you submit the form — not through advertising, analytics, or tracking cookies (see “Cookies” above).
Our marketing site also uses privacy-friendly, cookieless analytics provided by our hosting provider (Vercel Web Analytics) to measure page views in aggregate. It sets no cookies and does not identify individual visitors.
These marketing submissions are kept in a standalone table in our database (hosted by Supabase, our infrastructure provider), separate from any customer workspace data. We do not sell this information, and we do not add you to unrelated mailing lists. We keep a submission until you ask us to delete it; to have yours removed, email us at legal@io2labs.com.
If you register for the platform and we aren’t able to offer you a slot at that time, we keep your registration details so we can notify you if one opens up. There is no automatic deletion window — email us at legal@io2labs.com any time and we will delete your registration details.
8. How we share information
We share your information only with the sub-processors listed above, and only as needed to run the Service. We may also disclose information if required by law, to protect our rights or the safety of others, or in connection with a business transfer (such as a merger or acquisition). We never sell your personal information.
9. Data retention
We retain your account and business data for as long as your account is active or as needed to provide the Service. We retain generation history and ledger records to support billing and your split-testing record. When you ask us to delete your account, we delete or anonymize your data within a reasonable period, except where we must retain certain records to meet legal, accounting, or security obligations.
Assistant memories and conversations. An assistant’s memories live with the client they belong to: you can delete any memory at any time, and deleting a client deletes its assistant along with all of its memories. The content of your assistant conversations is kept on a rolling 12-month window — after 12 months, the words of each message are permanently deleted. A metadata-only record of each exchange (which member sent it, when, its status, and the energy it cost, but none of the message text) is retained afterward for billing and audit reconciliation. There is no separate action you need to take; this pruning runs automatically.
10. Your rights and choices
You may request access to, a copy (export) of, or deletion of the personal information we hold about you. Self-service export and account deletion are not yet available in the app — to make any of these requests, contact us at legal@io2labs.com and we will respond as required by applicable law. Depending on where you live, you may have additional rights under local privacy laws.
11. Security
We design the Service with tenant isolation: every organization’s data is scoped to that organization and protected by row-level security in our database, so one customer cannot access another customer’s data. We use reputable infrastructure providers and apply reasonable administrative, technical, and organizational safeguards. No system can be guaranteed perfectly secure, so we cannot promise absolute security.
12. Children's privacy
The Service is intended for businesses and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us so we can remove it.
13. Governing law
This Privacy Policy and any dispute arising from it are governed by the laws of the State of Florida, United States, without regard to its conflict-of-laws rules.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above. Your continued use of the Service after a change takes effect means you accept the revised policy.
15. Contact us
For privacy questions or to exercise your rights, contact us at legal@io2labs.com.
See also our Terms of Service and Acceptable Use Policy.