Privacy Policy

This Privacy Policy describes how Pinnacle MAV Media LLC("we," "us," "our") collects, uses, discloses, and otherwise processes personal information in connection with Pinnacle AdForge and related websites (collectively, the "Service"). It should be read with our Terms of Service, Cookie Policy, and, for business customers processing personal data on behalf of others, our Data Processing Addendum.

1. Who is responsible?

For personal information described here, the data controller is Pinnacle MAV Media LLC. Contact:

2. Scope

This policy applies to visitors to our marketing sites, account holders, organization members, billing contacts, and others who interact with the Service. If you are an employee of a Customer, your employer's privacy notice may also apply.

3. Personal information we collect

We collect the following categories of information, depending on how you use the Service:

• Identifiers & account data: name, email address, user ID, organization name, role, profile photo URL, authentication provider identifiers.
• Commercial information: subscription plan, invoices, payment status, credit balances, and transaction history (payment card data is processed by our payment processor; we typically receive tokens or last-four digits, not full PAN).
• Customer Content: text, files, prompts, creative outputs, comments, and configuration you submit to workspaces — which may include personal information about your clients or end users if you upload it.
• Internet or network activity: IP address, device identifiers, browser type, approximate location derived from IP, diagnostic logs, and security telemetry.
• Communications: support tickets, survey responses, and email correspondence.
• Inferences: product usage patterns used to operate, secure, and improve the Service (we do not sell personal information as defined below).

4. Sources

We collect personal information from you, your organization, your device, our subprocessors (e.g., auth and payment providers), and, when you connect integrations, from those third parties as authorized by you.

5. Purposes of processing

We use personal information to:

• Provide, operate, maintain, secure, and improve the Service;
• Create and manage accounts, organizations, projects, and permissions;
• Process payments, credits, taxes, and billing disputes;
• Communicate about the Service, security incidents, and policy updates;
• Detect, prevent, and respond to fraud, abuse, and security incidents;
• Comply with law and enforce our terms;
• Analyze aggregated or de-identified usage trends.

6. AI and automated processing

When you use AI-powered features, we and our subprocessors (including model providers and inference routing infrastructure) may process prompts, contextual fields, attachments you choose to include, generated outputs, technical metadata (such as request identifiers and latency signals), and safety or abuse classifications to deliver, secure, meter, and improve operation of the Service. Automated systems may produce inaccurate, biased, or inappropriate content; you remain responsible for human review before external use. A detailed description of AI scope, customer obligations, and limitations appears in our AI & automated systems statement.

Training and model improvement: Unless we state otherwise in-product, in this Privacy Policy, or in a separate written agreement, we do not use your identifiable Customer Content to train or fine-tune generalized public models for unrelated third parties. We may use aggregated or de-identified data, automated quality metrics, and security classifiers to maintain and improve the Service and to detect misuse.

Retention: AI-related logs are retained for periods necessary to provide the Service, comply with law, resolve disputes, enforce agreements, and maintain security, after which they may be deleted or minimized subject to backup and archival cycles. Exact retention varies by data category and legal requirements.

Legal bases (EEA/UK/Switzerland): Where GDPR applies, AI processing is generally necessary to perform our contract with you (Art. 6(1)(b)); certain monitoring may rely on legitimate interests (Art. 6(1)(f)) balanced against your rights. You may have rights of access, erasure, restriction, objection, and portability as described below.

7. How we disclose personal information

We disclose personal information as follows:

• Service providers (subprocessors): hosting, database, authentication, payments, email, logging, security, and AI inference infrastructure — subject to contractual obligations. See Subprocessors.
• Organization administrators: certain profile and activity information may be visible to admins of workspaces you join.
• Legal & safety: when required by law, legal process, or to protect rights, safety, and security.
• Business transfers: in a merger, acquisition, financing, or sale of assets, with notice where required.

We do not sell personal informationfor money. We do not share personal information for cross-context behavioral advertising as a "sale" or "sharing" under the California Consumer Privacy Act / CPRA, except as disclosed if our practices change.

8. Retention

We retain personal information for as long as necessary to provide the Service, comply with law, resolve disputes, and enforce agreements. Retention of Customer Content may depend on organization settings, backups, and legal holds. Aggregated or de-identified data may be retained indefinitely.

9. Security

We implement technical and organizational measures designed to protect personal information. See our Security overview. No system is perfectly secure.

10. International transfers

We are based in the United States. If we transfer personal information from the EEA, UK, or Switzerland to the U.S. or other countries, we use appropriate safeguards such as the EU Standard Contractual Clauses (and UK Addendum where applicable), supplemented by technical and organizational measures.

11. Rights for individuals in the EEA, UK, and Switzerland

If applicable law provides, you may request access, rectification, erasure, restriction, portability, or object to processing based on legitimate interests. You may lodge a complaint with a supervisory authority. To exercise rights, contact technical@thepinnacle.media. We will respond within the timeframes required by law.

Legal bases (GDPR): we process personal information based on performance of a contract, legitimate interests (security, product improvement, analytics that are not overridden by your rights), legal obligation, or consent where required.

12. U.S. state privacy rights

Residents of California, Colorado, Connecticut, Virginia, Utah, Texas, and other states with comprehensive privacy laws may have rights to access, delete, correct, opt out of certain processing, or appeal our decisions, subject to exceptions. Submit requests to technical@thepinnacle.media. We will verify your request consistent with law. We do not discriminate against you for exercising rights.

California "Shine the Light": California residents may request certain information about disclosure of personal information to third parties for direct marketing; we do not disclose personal information to third parties for their direct marketing purposes as traditionally understood in that statute.

Nevada: Nevada residents may opt out of certain sales of covered information; we do not currently sell such information as defined in Nevada law.

13. Children

The Service is not directed to children under sixteen (16), and we do not knowingly collect their personal information. If you believe we have collected information from a child, contact us to delete it.

14. Automated decision-making

We do not use automated decision-making that produces legal or similarly significant effects solely without human review. AI outputs are assistive; you remain responsible for decisions you make using them.

15. Third-party links

Our websites may link to third-party sites. We are not responsible for their privacy practices.

16. Changes to this policy

We may update this Privacy Policy and will revise the "Last updated" date. Material changes may require additional notice where required by law.

17. Contact