1. Introduction
ActualSales Group Ltd. ("ActualSales", "we", "our", or "us") operates the ActualSales.ai platform and the ASAI-SocialLogin application, accessible at https://actualsales.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or connect your social media accounts through ASAI-SocialLogin.
By accessing or using ActualSales.ai, you agree to this Privacy Policy. If you do not agree with the terms of this policy, please do not access the platform. This policy applies to all users of our platform worldwide, including users in the European Economic Area (EEA), United Kingdom, California, and other jurisdictions with specific data protection regulations.
2. Data Controller
ActualSales Group Ltd. is the data controller for the personal data processed through the ActualSales.ai platform. If you have any questions about how your data is handled, you may contact our data protection team at [email protected].
3. Information We Collect
3.1 Information You Provide Directly
- Account Registration Data: Name, email address, password, and optionally phone number when you create an account. If you register via social login (Google or GitHub), we receive your name, email, and profile photo from the OAuth provider.
- Payment and Billing Data: Billing name, billing address, and payment method details. All payment card information is processed and stored exclusively by our payment processor, Stripe, Inc. We do not store, process, or have access to your full credit card numbers.
- Business and Brand Data: Company name, website URL, brand assets (logos, colors, fonts), product descriptions, target audience information, and marketing content you provide for strategy and content generation.
- Integration Credentials: When you connect third-party platforms (Google Ads, Meta Ads, TikTok, LinkedIn, YouTube, Instagram, etc.) via ASAI-SocialLogin, you authorize those platforms to share access tokens and account information with us. API keys you enter manually are encrypted at rest.
- Communications: Messages you send us through support channels, demo booking forms, pricing inquiry forms, or email.
- AI Agent Configuration: Voice agent names, scripts, qualifying questions, objection handling rules, and other configuration data you provide when setting up AI agents.
3.2 Information Collected Automatically
- Usage Data: Pages and features you access, actions performed (e.g., strategies generated, banners created), timestamps, and session duration.
- Device and Browser Data: Browser type and version, operating system, device type, screen resolution, and language preference.
- Server Log Data: IP address, access times, referring/exit URLs, HTTP status codes, and bytes transferred.
- Cookie Data: Session identifiers, authentication tokens, and user preferences (see Section 10 for full cookie details).
3.3 Information from Third-Party Sources
- OAuth/ASAI-SocialLogin Providers: When you authenticate via Google, TikTok, or GitHub, or connect social media accounts via ASAI-SocialLogin, we receive your name, email address, and profile image as authorized during the consent screen.
- Connected Advertising Platforms: When you connect ad accounts (Google Ads, Meta Ads, TikTok Ads, LinkedIn Ads, X Ads), we access campaign data, analytics, and account information as authorized by your OAuth consent.
- Connected Social Platforms: When you connect social accounts via ASAI-SocialLogin (YouTube, Instagram, Facebook, TikTok, X, Snapchat), we access profile information, content metrics, and posting capabilities as authorized by your OAuth consent.
- Publicly Available Brand Data: When you submit a website URL for brand analysis, we analyze the publicly accessible content of that website, including logos, color schemes, fonts, meta descriptions, and page structure.
3.4 Voice AI and Call Data
If you use our AI voice agent features (powered by ElevenLabs):
- Call Transcripts: Conversations between your AI agent and callers are transcribed and stored.
- Call Recordings: Audio recordings of voice conversations may be captured and stored.
- Extracted Lead Data: Our AI extracts information from transcripts (such as name, phone, email, and custom fields you configure) to send to your CRM.
- Call Metadata: Duration, timestamps, phone numbers, and call disposition status.
4. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide you with our services, including account management, content generation, payment processing, and platform integrations.
- Legitimate Interests (Art. 6(1)(f)): Processing for platform security, fraud prevention, usage analytics to improve our services, and direct communications about your account. We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): Processing based on your explicit consent, such as connecting third-party OAuth accounts, enabling AI voice agents, or opting into marketing communications. You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, and other legal obligations.
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Providing and Operating Our Services
- Creating and managing your user account and team.
- Analyzing brand websites and generating marketing strategies, landing pages, banners, newsletters, SMS templates, email templates, and ad copy.
- Generating AI images for landing pages and banners.
- Processing and resizing banner images and videos.
- Operating AI voice and text agents on your behalf.
- Connecting to and exchanging data with third-party advertising and social media platforms.
- Processing payments, managing credits, and handling subscriptions.
5.2 Communications
- Sending transactional emails: account verification, password resets, billing receipts, credit balance alerts, and invitation notifications.
- Responding to your support requests and inquiries.
- Sending service-related announcements (e.g., planned maintenance, policy changes).
5.3 Improvement and Analytics
- Monitoring usage patterns to improve platform features and user experience.
- Diagnosing and fixing technical issues.
- Analyzing credit usage and feature adoption to plan service improvements.
5.4 Security and Compliance
- Detecting and preventing fraud, abuse, and unauthorized access.
- Enforcing our Terms of Service.
- Complying with applicable laws and regulations.
6. AI and Automated Data Processing
Our platform extensively uses artificial intelligence and automated processing. We believe in full transparency about how AI interacts with your data:
6.1 Brand Analysis
When you submit a website URL, our automated workflows (powered by n8n) analyze the publicly available content of that website to extract brand elements such as colors, logos, fonts, messaging tone, and product information. This analysis is performed solely to generate marketing strategies for you.
6.2 Content Generation
We use third-party AI models to generate marketing content:
- Anthropic Claude: Used for text generation (strategies, ad copy, prompt enhancement, transcript field extraction).
- Image Generation APIs: Used to create banner images and landing page visuals based on your prompts.
- ElevenLabs: Used for voice AI agents (text-to-speech, speech-to-text, conversational AI).
6.3 No AI Training on Your Data
We do not use your personal data, business data, or AI-generated content to train, fine-tune, or improve any machine learning or AI models. Your data is used solely to provide our services to you. Our AI service providers (Anthropic, ElevenLabs) also do not use data sent through their APIs for model training per their respective terms of service.
6.4 Transcript Processing
When AI voice agents complete a call, the transcript is automatically processed by Claude AI to extract structured lead data (name, phone, email, and custom fields). This data is then sent to your configured CRM endpoint. Field names are standardized in English; field values are preserved in the original language of the conversation.
7. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
We share your information only in the following circumstances:
7.1 Service Providers (Sub-Processors)
We use the following third-party service providers to operate our platform. Each processes data only as instructed by us and under appropriate data protection agreements:
| Provider | Purpose | Data Processed |
| --- | --- | --- |
| Stripe, Inc. | Payment processing | Billing name, address, payment method |
| Cloudflare, Inc. | CDN, asset storage (R2), video streaming | Uploaded images, generated assets, videos |
| Anthropic, PBC | AI text generation and analysis | Brand data, prompts, transcripts |
| ElevenLabs, Inc. | Voice AI agents | Conversation audio, transcripts, agent config |
| n8n GmbH | Workflow automation | Brand analysis data, webhook payloads |
| Twilio, Inc. | Phone number services | Phone numbers, call routing data |
| Postmark (Wildbit LLC) | Transactional email delivery | Email addresses, email content |
7.2 Connected Third-Party Platforms (ASAI-SocialLogin)
When you connect advertising or social media accounts via ASAI-SocialLogin, data is exchanged between our platform and the connected service as necessary for the integration to function. This may include:
- Google (YouTube, Google Ads): Account profile, channel data, campaign metrics, ad creatives.
- Meta (Facebook, Instagram, Meta Ads): Account profile, page insights, ad performance data, ad creatives.
- TikTok (TikTok, TikTok Ads): Account profile, video metrics, campaign analytics, video content.
- LinkedIn (LinkedIn Ads): Organization profile, sponsored content metrics, ad creatives.
- X/Twitter (X, X Ads): Account profile, tweet metrics, campaign data.
- Snapchat: Account profile, content insights.
You control which platforms are connected via ASAI-SocialLogin and may disconnect any integration at any time. Upon disconnection, we delete the stored access tokens and credentials for that platform.
7.3 Team Members
If you belong to a team, other team members with appropriate roles may access shared resources including brand data, marketing strategies, generated content, and integration status. Team owners control member access through role assignments.
7.4 Legal and Safety Requirements
We may disclose your information if required to do so by law, in response to valid legal process (such as a court order or subpoena), to protect our rights and property, to investigate fraud, or to protect the safety of our users or the public.
7.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our platform before your data is transferred and becomes subject to a different privacy policy.
8. Data Storage and Security
8.1 Infrastructure
- Application data is stored on secure servers with encrypted connections (TLS 1.2+).
- Static assets and media files are stored on Cloudflare R2 with encryption at rest.
- Database connections are restricted to authorized services only.
8.2 Encryption
- All data in transit is protected with TLS/SSL encryption.
- Integration credentials (API keys, OAuth tokens) are encrypted at rest using AES-256 encryption via Laravel's encryption facilities.
- User passwords are hashed using bcrypt and never stored in plain text.
8.3 Access Controls
- Access to production systems is restricted to authorized personnel only.
- We implement role-based access controls both internally and for platform users.
- Two-factor authentication (2FA) is available for user accounts.
8.4 Monitoring
- We maintain audit logs of system access and data operations.
- Automated monitoring detects and alerts on suspicious activities.
- Regular backups ensure data can be recovered in the event of an incident.
8.5 Incident Response
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR and other applicable regulations.
9. Data Retention
We retain your data according to the following schedule:
- Account Data: Retained while your account is active and for 30 days after account deletion to allow for recovery.
- Generated Marketing Content: Retained while your account is active. Deleted within 90 days of account deletion.
- Payment Records: Retained for 7 years after the transaction date, as required by tax and financial regulations.
- Call Recordings and Transcripts: Retained for 12 months from the date of the call, unless you request earlier deletion.
- Server Logs: Retained for 90 days for security and debugging purposes.
- Integration Credentials: Deleted immediately upon disconnection of an integration or deletion of your account.
When data is deleted, it is permanently removed from our active systems. Backup copies may persist for up to 30 additional days before being automatically purged.
10. Cookies and Similar Technologies
10.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
| --- | --- | --- | --- |
| actualsales_session | Essential | Session authentication and CSRF protection | Session (2 hours) |
| remember_web_* | Essential | "Remember me" persistent login | 5 years |
| XSRF-TOKEN | Essential | Cross-site request forgery protection | Session (2 hours) |
| theme | Preference | Dark/light mode preference | LocalStorage (persistent) |
10.2 Third-Party Cookies
We do not use third-party advertising, analytics, or tracking cookies. We do not use Google Analytics, Facebook Pixel, or similar tracking services on our platform. The only third-party scripts loaded are those required for integrated services (such as the ElevenLabs widget when AI agents are active on a landing page).
10.3 Managing Cookies
Essential cookies are required for the platform to function and cannot be disabled while using our services. You can clear cookies at any time through your browser settings. Disabling cookies will require you to log in again.
11. Your Privacy Rights
11.1 Rights for All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Disconnect Integrations: Disconnect any connected third-party platform at any time, which immediately deletes stored credentials.
- Account Deletion: Request full account deletion by contacting us.
11.2 Additional Rights for EEA/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to:
- Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
- Restriction of Processing: Request that we limit how we process your data in certain circumstances.
- Objection: Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Withdrawal of Consent: Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
11.3 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. No opt-out is required.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).
12. International Data Transfers
Our servers and service providers are located in various countries, including the United States and the European Union. If you are accessing our services from outside these regions, your data may be transferred internationally.
For transfers of personal data from the EEA/UK to countries that have not received an adequacy decision from the European Commission, we rely on:
- Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with our service providers to ensure adequate protection of transferred data.
- Data Processing Agreements: All sub-processors are bound by data processing agreements that include appropriate safeguards.
- EU-US Data Privacy Framework: Where applicable, our service providers participate in and have certified compliance with the EU-US Data Privacy Framework.
13. Children's Privacy
Our services are intended for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
14. Third-Party Links
Our platform may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify registered users by email at least 14 days before material changes take effect.
- We will display a prominent notice on our platform.
Your continued use of the platform after the effective date of changes constitutes acceptance of the updated policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related inquiries within 10 business days.