Privacy Policy — Pitchwright
Last updated: 2026-05-16
Pitchwright is a product of Kazzaz Labs. In this policy, "we" and "us" refer to Kazzaz Labs operating the Pitchwright product.
This Privacy Policy explains how we collect, use, store, and share your personal data. It is designed to comply with the Saudi Personal Data Protection Law (PDPL) and the EU GDPR; users in those jurisdictions have additional rights detailed in Section 6.
0. Pitchwright is a machine
Pitchwright is an automated agent. It does not "know" anything about you, your organisation, or your industry except what you explicitly provide:
- The brand kit you upload (logo, color, fonts).
- The content sources you upload or paste (Word documents, text, approved photographs).
- The prompts you submit when generating a deck.
- The training feedback you log.
Pitchwright does not autonomously collect data from your device, your network, or the public web. Two future capabilities will be explicit opt-ins with separate consent flows:
- Content mode 2 (drive search) — granting Pitchwright access to a specific folder on your laptop, Google Drive, OneDrive, or other cloud storage to source content from. Off by default. Requires per-source authorisation that you can revoke at any time. Not yet built.
- Content mode 3 (web research) — having Pitchwright research a topic online before drafting. Off by default. Requires explicit per-generation opt-in. Web sources are cited in the generated deck. Not yet built.
You are responsible for reviewing every generated deck
Pitchwright produces AI-generated content as a productivity tool. The accuracy, suitability, and legal appropriateness of every deck is your responsibility:
- Verify facts, figures, attributions, and quotations before sharing the deck externally. The agent may state numbers or claims that look plausible but are not in your source material.
- Confirm that imagery is appropriate for the deck's audience and venue. The agent only uses imagery you have explicitly uploaded to your approved-assets vault — but you must confirm each asset was approved for the intended use.
- Ensure the deck meets your organisation's compliance, legal, and editorial standards before any external use.
To the maximum extent permitted by law, we disclaim liability for errors, omissions, misclassifications, or misuse arising from generated content that the user has not reviewed.
1. Data we collect
Account data (from Clerk):
- Email address, first and last name, profile image (if you upload one).
- Authentication metadata (sign-in events, IP addresses).
Content data (from you):
- Brand kits: logos, fonts, colors.
- Content sources: pasted text, uploaded Word documents, approved imagery.
- Generation history: prompts, agent outputs (outlines, critiques, designs), generated .pptx files.
- Training feedback: ratings + free-text comments you submit on individual generations to inform agent improvements.
Telemetry:
- Error reports (via Sentry — Frankfurt region).
- Anonymized usage statistics (generation count, average duration, model cost).
- Product analytics (via PostHog — EU region, opt-in only). Analytics are off by default and only start if you explicitly consent via the in-app banner; declining or ignoring it keeps them off. When enabled, we collect page paths you visit and your Pitchwright user ID (a random identifier — never your email, name, or any content). PostHog also derives approximate location from your IP address at the point of collection. We use in-memory storage, so analytics set no cookies; we do not record sessions, capture clicks/keystrokes, or run surveys. You can withdraw consent at any time, which stops collection immediately.
2. Where data lives
- Database: Postgres on a DigitalOcean droplet in Frankfurt (Germany, EU).
- Object storage: DigitalOcean Spaces in Frankfurt.
- Authentication: Clerk (US data plane).
- Error tracking: Sentry (EU data region — Frankfurt).
- Product analytics: PostHog (EU Cloud — eu.i.posthog.com). Opt-in only; collects page paths + a random user ID (no PII) and IP-derived approximate location. Off by default.
- Email delivery: Resend (Tokyo region — ap-northeast-1).
- Model providers: Anthropic (US — Claude family of large language models), Voyage AI (US — embeddings).
When you submit content to be processed by the agent pipeline, that content is transmitted to Anthropic's US servers for inference. Anthropic does not use API content for training. See https://www.anthropic.com/legal/aup for their policies.
3. How we use data
- To operate the Service (generate decks, store your assets).
- To improve the product (anonymized aggregates only).
- To comply with legal obligations.
We do not sell your data. We do not share your content with third parties except as required to operate the Service (the model providers listed above).
4. How long we keep data
- Account data: until you delete your account.
- Content data: until you delete it or your account.
- Generation history: 365 days, then archived to cold storage.
- Telemetry: 90 days.
5. Security
- Encryption in transit (TLS 1.3 via Cloudflare).
- Encryption at rest (Postgres and Spaces both use AES-256).
- Auth tokens scoped per-environment; rotated quarterly.
- Access logs retained 90 days.
6. Your rights
Under PDPL and GDPR you have the right to:
- Access your data — use GET /api/v1/me/export or contact us.
- Correct inaccurate data — edit in-app or contact us.
- Delete your data — use DELETE /api/v1/me or contact us.
- Object to processing — contact us.
- Portability — the export endpoint returns your data in machine-readable JSON.
Under PDPL specifically, you also have:
- The right to know how your data is processed.
- The right to withdraw consent for processing where consent is the legal basis.
Saudi users: data residency in the EU rather than the Kingdom is disclosed here. If you require local residency, contact us before creating an account.
7. Cookies
We use one functional cookie (pw-locale) to remember your language preference. We do not use tracking cookies. Our opt-in product analytics (PostHog, Section 1) is configured with in-memory storage and sets no cookies of any kind.
8. Children
The Service is not directed to children under 18. We do not knowingly collect data from children.
9. Changes
We will notify you by email at least 30 days before any material change.
10. Contact
Kazzaz Labs — Pitchwright
Email: abdulkarim.kazzaz@gmail.com
For PDPL data-subject requests, mark the subject line "PDPL request" so we route it correctly.