Privacy Policy
Last updated: March 26, 2026 · BoringDollars, Inc. — a Delaware corporation
Plain-English summary: Prago connects to your ad accounts, social profiles, analytics tools, and website so our AI agent can manage your marketing for you. We only access data that is necessary to do that job. We do not sell your data. We do not use your content to train our AI models without explicit permission.
GDPR at a glance (EU / UK users): BoringDollars, Inc. is the data controller under Regulation (EU) 2016/679 (GDPR). Legal bases for processing: contract performance, legitimate interests, legal obligation, and where required — consent. Your rights: access, rectification, erasure, restriction, portability, and the right to object. International transfers use Standard Contractual Clauses. To exercise any right or lodge a complaint, contact privacy@prago.io. Full details in Section 4.
1. Who We Are
This Privacy Policy applies to Prago (the "Service"), operated by BoringDollars, Inc., a Delaware corporation (File No. 10560883), with offices at 131 Continental Dr Suite 305, Newark, DE 19713, United States. BoringDollars, Inc. is the data controller for all personal data processed under this Policy.
When we say "Prago", "we", "our", or "us", we mean BoringDollars, Inc. When we say "you" or "your", we mean anyone who uses or accesses the Prago service.
For privacy questions, contact us at: privacy@prago.io
2. Personal Data We Collect
We collect personal data in several categories, depending on how you interact with our Service.
2.1 Account and Identity Information
When you create an account, we collect:
- Name and email address
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Company name, website URL, and industry vertical
- Billing information (processed by Stripe — we store only a reference token, not raw card numbers)
- Profile photo (if you choose to provide one)
2.2 Connected Platform Credentials
A core function of Prago is connecting to third-party marketing, analytics, and publishing platforms on your behalf. We may, on your explicit authorization, connect to and publish content on your behalf to platforms including but not limited to:
- Google (OAuth or equivalent authorization): Google Analytics 4 read, Google Search Console read, and Indexing API write. May include YouTube channel scopes for planned video-integration features.
- X / Twitter (OAuth or equivalent authorization): account read and post publishing.
- LinkedIn (OAuth or equivalent authorization): LinkedIn Page management for content publishing.
- Meta (OAuth or equivalent authorization): may include Facebook Pages, Instagram Business, and Meta Ads Manager scopes for planned integrations.
- Reddit (OAuth or equivalent authorization): for posting to subreddits on your behalf.
- WordPress (Application Password or equivalent authorization): site URL plus an Application Password issued from your WordPress admin, used for blog publishing.
- Hashnode (Personal Access Token or equivalent authorization): blog cross-posting.
- Dev.to (API key or equivalent authorization): blog cross-posting.
- Ghost (Prago-managed): when you use our managed Ghost blog, the admin API key is generated and stored on your behalf for content publishing.
- SEO data tools (API key or equivalent authorization): including but not limited to Semrush, Ahrefs, and Moz for read-only SEO data.
- Other platforms: any platform you explicitly connect through our integrations settings, as made available.
All credentials — OAuth tokens, Application Passwords, API keys, and equivalent authorization material — are encrypted at rest using AES-256 in AWS Secrets Manager. We request only the minimum permission scopes required to perform the tasks you authorize. You may revoke these permissions at any time from your account settings or from the connected platform's own security settings.
2.3 Business and Marketing Content
To operate the Service, our AI agent processes:
- Your brand guidelines, tone of voice documents, and style preferences that you upload or describe
- Your existing published content (blog posts, social posts, landing pages) crawled for context
- Drafts, instructions, and feedback you provide in the agent chat
- Ad creative assets (images, copy, headlines) generated by the Service on your behalf
- Campaign performance data fetched from your connected platforms
- Website content fetched from your provided domain(s) for context
2.4 Communication Information
If you contact us directly (email, support chat, or feedback forms), we collect:
- The contents of your messages
- Your email address and name
- Any attachments or files you share
We may also collect information from public social media profiles if you mention Prago and we respond.
2.5 Usage and Log Data
When you use the Service, our servers automatically record:
- IP address and approximate geographic location (country / region)
- Browser type, version, and operating system
- Pages and features you visit, and the sequence of navigation
- Date and time of each request
- Referring URLs
- Error logs and crash reports
- Agent interactions (prompts sent, actions triggered, tasks completed)
2.6 Device Information
- Device type (desktop, mobile, tablet)
- Screen resolution and viewport size
- Browser language and timezone settings
2.7 Analytics and Performance Data
We use server-side product analytics via PostHog to understand aggregate usage patterns. We do not use Google Analytics on our own properties.
2.8 Cookies and Similar Technologies
We use strictly necessary cookies for session management and authentication. We do not use third-party advertising cookies. Specifically:
- Session cookies: Required for login state and security (CSRF protection).
- Preference cookies: Store your UI preferences (e.g., active dashboard view).
- Analytics cookies: Aggregate, anonymized usage data. These cookies do not identify you individually.
You may disable cookies in your browser settings, but doing so may prevent some features of the Service from working correctly.
3. How We Use Your Personal Data
We use the data we collect for the following purposes:
3.1 Providing and Operating the Service
- Authenticating your account and maintaining your session
- Running AI-generated marketing tasks on your chosen platforms
- Scheduling, publishing, and monitoring content on your behalf
- Retrieving performance data (analytics, ad results) and presenting it in your dashboard
- Managing your ad spend wallet and processing payments
- Generating reports and insights based on your marketing data
3.2 Personalizing and Improving the Service
- Learning your brand voice and preferences to produce more accurate content over time
- Improving the accuracy of the Prago Cadence agent model based on aggregated, de-identified interaction patterns (not your individual content — see Section 6)
- Developing new features based on usage trends
3.3 Security and Fraud Prevention
- Detecting, investigating, and preventing abuse, fraud, and unauthorized access
- Verifying identity for account recovery
- Enforcing our Terms of Service
3.4 Communications
- Sending transactional emails (receipts, password resets, security alerts)
- Sending product update notifications (you may opt out)
- Responding to your support requests and inquiries
3.5 Legal Compliance
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from public authorities
- Exercising or defending legal claims
4. GDPR and European Privacy Rights
This section applies specifically to users located in the European Economic Area (EEA), the United Kingdom, and Switzerland. It sets out our compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and equivalent UK legislation (UK GDPR and the Data Protection Act 2018).
4.1 Legal Basis for Processing
We process your personal data only where we have a valid legal basis under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the Service you signed up for (e.g., running campaigns, processing payments).
- Legitimate interests (Art. 6(1)(f)): Processing for security, fraud prevention, product improvement, and direct marketing to existing customers — where these interests are not overridden by your fundamental rights.
- Legal obligation (Art. 6(1)(c)): Processing required by applicable law.
- Consent (Art. 6(1)(a)): Where we rely on your explicit consent (e.g., for AI model training from your content). You may withdraw this consent at any time without affecting prior processing.
4.2 Your GDPR Rights (Articles 15–22)
As an EEA or UK data subject, you have the following rights, which you can exercise by emailing privacy@prago.io:
- Right of access (Art. 15): Obtain a copy of all personal data we hold about you, with information on how it is processed.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to erasure / 'right to be forgotten' (Art. 17): Request deletion of your data where there is no overriding legitimate reason to continue processing. We will complete this within 30 days.
- Right to restriction (Art. 18): Ask us to pause processing of your data in specific circumstances.
- Right to portability (Art. 20): Receive your data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Art. 22): We do not make solely automated decisions that produce significant legal or similarly significant effects on you.
- Right to withdraw consent (Art. 7(3)): Where processing is consent-based, you may withdraw at any time via Account Settings without affecting prior processing.
We will respond to rights requests within 30 days. No fee is charged for exercising rights in good faith. If we cannot fulfill a request, we will explain why.
4.3 Data Protection Officer
We do not currently have a formal DPO appointment (not required at our current processing scale). Privacy queries are handled by our founding team at privacy@prago.io. As we scale and if our processing activities require it under Article 37, we will appoint a qualified DPO.
4.4 EU Representative
As a US-based controller processing EEA personal data, we are assessing the requirement to appoint an EU representative under GDPR Article 27 based on our processing volume. If this obligation applies, we will appoint and disclose our representative in an update to this policy. In the interim, EEA data subjects may contact us directly at privacy@prago.io.
4.5 Supervisory Authority Complaints
You have the right to lodge a complaint with your local supervisory authority if you believe we have infringed GDPR. Depending on your member state, this may be:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- Ireland / EU: Data Protection Commission (DPC) or your national DPA
- A full list of EEA supervisory authorities is available at edpb.europa.eu
We ask that you first contact us at privacy@prago.io so we can try to resolve any concerns before a formal complaint is filed.
5. How We Share Your Personal Data
We do not sell your personal data. We share data only in the following limited circumstances:
5.1 Service Providers (Processors)
We work with carefully selected vendors who process data only on our instructions. Where a service has equivalents we may evaluate or substitute, we use "or equivalent" or "including but not limited to" framing to cover current and planned integrations:
- Cloud infrastructure: Amazon Web Services (AWS), Google Cloud Platform (GCP), or equivalent cloud providers — hosting, storage, email delivery, CDN, and networking
- Authentication: Clerk or equivalent identity provider — user identity, session management, sign-in, and third-party OAuth provider connections
- AI inference: Foundation models invoked on your behalf, including but not limited to Anthropic (Claude), OpenAI, Google (Gemini), xAI (Grok), Perplexity, Meta (Llama), Mistral, and Amazon (Nova), and equivalent providers. Models are accessed via AWS Bedrock or direct vendor APIs. Under our enterprise agreements with these providers, our API inputs are not retained for their own model training.
- Payments: Stripe, Inc. or equivalent — billing, subscription management, one-time top-ups, refunds, and dispute handling
- Marketing automation: ActiveCampaign or equivalent — transactional and lifecycle email delivery, contact management, drip campaigns
- Customer support: Intercom or equivalent — inbound support routing and AI-assisted answers about plan, credits, and usage
- Product analytics: PostHog or equivalent server-side analytics — feature usage and funnel tracking (we do not use Google Analytics on our own properties)
- SEO data: DataForSEO or equivalent — SERP rank tracking and keyword research; may include providers such as Semrush, Ahrefs, and Moz for planned read-only data integrations
- Error monitoring: Sentry or equivalent — exception tracking and crash reports across our backend agents and web app
- Connected publishing platforms: Where you authorize, we publish content on your behalf to platforms including but not limited to X / Twitter, LinkedIn, Reddit, WordPress, Hashnode, Dev.to, YouTube, Meta (Facebook/Instagram), and others as made available.
We execute Data Processing Agreements (DPAs) with all vendors that process personal data.
5.2 Business Transfers
If BoringDollars, Inc. undergoes a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you by email and/or a prominent website notice before your data is transferred and becomes subject to a different privacy policy.
5.3 Legal Requirements and Safety
We may disclose your data when required by law or in good faith belief that such action is necessary to:
- Comply with a legal obligation or valid court order
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the safety of users of the Service or the public
5.4 Affiliates
We may share personal data with subsidiaries or affiliates of BoringDollars, Inc. for the purpose of operating the Service, subject to this Privacy Policy.
6. AI Training and Your Content
We take a clear, opt-in position on AI training:
- Default: We do not use your business content (your brand copy, ad creatives, campaign data, onboarding sessions, or Brain chat conversations) to train our AI models or any third-party AI models.
- Optional opt-in: If you toggle "Help train Prago's models" ON in Settings → Privacy & data, anonymised signals from your onboarding sessions and Brain chat interactions may be used to fine-tune Prago's agents. This is strictly voluntary. You may opt out at any time; turning the toggle off stops collection going forward and does not affect historic data already in your account.
- What "anonymised" means here: direct identifiers (your email, name, company name, phone number) are stripped from the training corpus. Brand-specific metadata (industry, tone, niche) and the conversation content itself are preserved because they're what the model learns from.
- Third-party AI providers: Our AI vendor agreements (e.g., with Anthropic, OpenAI, Google) explicitly prohibit use of our API inputs for third-party model training.
6A. Session Logging and Audit Trail
To improve product quality and provide effective support, we keep an audit log of certain interactions:
- Onboarding sessions (the "terminal" flow when you first set up a brand): the full agent activity log, your chat with the setup assistant, and the resulting brand profile. Stored in our onboarding_runs table.
- Brain chat conversations (the AI CMO chat inside the dashboard): every turn of the conversation. Stored in our chat_messages table.
- Why: If you report an issue ("the wrong logo was extracted", "the agent gave a bad answer"), our support team can review the exact session to diagnose. Without this audit trail, we're flying blind.
- Who can see it: only you (via the in-app data export) and Prago's support engineers operating under strict access controls.
- How long: see Section 7 below.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Active accounts: All account and usage data is retained for the duration of your subscription.
- Audit trail (no AI-training consent): Onboarding sessions and Brain chat logs are kept for 24 months from the session date for support and debugging, then automatically purged by an internal retention cron. You can request earlier deletion at any time (see Section 8.3).
- Audit trail (with AI-training consent): Sessions for users who have opted in are retained indefinitely so we can keep improving our models, until consent is revoked or the account is deleted.
- After account deletion: We delete or anonymise your personal data within 30 days of account deletion, except where we are required to retain it by law (e.g., financial records for tax purposes — typically 7 years).
- OAuth tokens: Deleted immediately upon account deletion or integration disconnection.
- Backup systems: Encrypted backups are purged on a rolling 90-day cycle.
- Operational logs: Application logs (Lambda execution logs, ECS task logs, agent activity) are retained in Amazon CloudWatch for 30 days, then automatically purged. Logs may contain transient PII inside error payloads but are accessible only to authorised Prago engineers.
- Legal holds: If data is subject to a legal hold or ongoing investigation, we may retain it beyond these periods.
8. Your Rights and Controls
Depending on your location, you have the following rights regarding your personal data:
8.1 Access
You may request a copy of all personal data we hold about you. We will provide this in a structured, machine-readable format (JSON or CSV) within 30 days.
8.2 Correction
You may update or correct inaccurate data directly in Account Settings. For data you cannot edit yourself, contact us at privacy@prago.io.
8.3 Deletion ("Right to be Forgotten")
You may request permanent deletion of your account and all associated personal data. We will complete this within 30 days, subject to legal retention requirements. To delete your account: Account Settings → Danger Zone → Delete Account, or email privacy@prago.io.
8.4 Portability
You may request an export of your data in a structured, machine-readable format. This includes your content, campaign settings, and account information.
8.5 Restriction and Objection
You may ask us to restrict processing of your data in certain circumstances, or object to processing based on legitimate interests. Contact privacy@prago.io with your request.
8.6 Withdraw Consent
Where processing is based on your consent (e.g., AI training opt-in), you may withdraw consent at any time via Account Settings without affecting the lawfulness of prior processing.
8.7 Opt Out of Marketing Emails
Every marketing email from Prago contains an unsubscribe link. You may also opt out from Account Settings → Notifications. Note: Transactional emails (receipts, security alerts) cannot be opted out of while your account is active.
8.8 Lodge a Complaint
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with your local data protection authority. For EEA users, this is typically your national DPA. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk.
9. Data Security
We implement administrative, technical, and physical safeguards to protect your personal data:
- Encryption in transit: All data is transmitted over HTTPS/TLS 1.3.
- Encryption at rest: Database encryption (AES-256) for all stored personal data and OAuth tokens.
- Access control: Role-based access control (RBAC); employee access to production data requires explicit authorization and is logged.
- OAuth-only authentication: We never ask for your platform passwords; all connections use OAuth 2.0.
- Penetration testing: We conduct periodic security assessments of our infrastructure.
- SOC 2 Type II: We are working toward SOC 2 certification. Current status and audit reports are available on our Security page.
- Incident response: In the event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware, as required by applicable law.
10. International Data Transfers
BoringDollars, Inc. is a US-based company. If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on the following safeguards for international transfers:
- For EEA and UK users: Standard Contractual Clauses (SCCs) adopted by the European Commission
- For all users: Data Processing Agreements with our service providers
- Our US operations are subject to US federal and state privacy laws
11. Children's Privacy
The Prago Service is designed for business users and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16, we will delete it promptly. If you believe a minor has provided data to us, contact privacy@prago.io.
12. Additional Disclosures for U.S. State Privacy Laws
12.1 California (CCPA / CPRA)
California residents have the right to: (i) know what personal information is collected; (ii) know whether personal information is sold or disclosed; (iii) opt out of the sale of personal information; (iv) access their personal information; (v) equal service and price when exercising privacy rights. We do not sell personal information. To exercise your rights, email privacy@prago.io with subject line "California Privacy Request."
12.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA)
Residents of these states have similar rights to access, correct, delete, and obtain a copy of personal data. To opt out of any targeted advertising or profiling (we do not currently conduct either), or to exercise any other right, email privacy@prago.io.
12.3 Do Not Track
We honor browser-level "Do Not Track" (DNT) signals. When we detect a DNT signal, we disable all non-essential data collection for that session.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by:
- Posting a notice in your Prago dashboard for 30 days before the change takes effect
- Sending an email to your registered address
- Updating the "Last updated" date at the top of this page
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not accept the changes, you must stop using the Service and may request account deletion.
14. Data Controller and Contact
The data controller for personal data processed through the Service is:
BoringDollars, Inc.
131 Continental Dr Suite 305, Newark, DE 19713, United States
Delaware File No. 10560883
Privacy inquiries: privacy@prago.io
General inquiries: hello@prago.io
We aim to respond to all privacy-related inquiries within 5 business days and resolve requests within 30 days.