Privacy Policy
This Privacy Policy explains how Couplements UG (haftungsbeschränkt) operating as TribeNest collects, uses, and protects personal data when you use our website (https://tribenest.co) and the TribeNest creator dashboard (together the "Service"). The Service includes an AI agent named Mira; how she processes your data is described in Section 10.
1. Data Controller
Couplements UG (haftungsbeschränkt)
Kockhannstr 6, 10249 Berlin, Germany
Email: hello@tribenest.co
2. Data We Collect
We collect the following categories of personal data when you use the Service:
- Account information: name, email address, username, password, profile photo, and account preferences.
- Payment information: Payments are processed securely by Stripe, PayPal, or Paystack on our behalf. We do not store full credit-card numbers on our systems.
- Usage information: IP address, device and browser details, pages visited, features used, and interactions inside the dashboard.
- Creator content: music, images, videos, course material, product listings, blog posts, member messages, and other media you upload.
- Communications: messages, support requests, chat transcripts, and other correspondence with us.
- Business data: customer/fan records, orders, subscriptions, email lists, social posts, event tickets, course progress, member messages, ad campaign metrics, and analytics generated by your use of the Service.
- Integration data: when you connect third-party services (e.g., Stripe, Meta/Facebook/Instagram, Google, YouTube, TikTok, X, LinkedIn, Spotify, Mailchimp), we receive tokens and the data you authorize, such as orders, audience metrics, posts, ad performance, and inbox messages.
- Automation data: scheduled posts, comment-to-DM rules, DM replies, broadcast queues, email campaign drafts, and the logs of when automations ran or failed.
- AI interaction data: the questions you ask Mira, the briefings she generates for you, the proposals you approve or reject, the inputs Mira reads from your business data, and the resulting outputs. We also keep short-lived prompt/response logs for debugging and abuse prevention (see Section 7).
3. How We Use Your Data
We process personal data to:
- Provide, operate, and maintain the Service, including all features described in our Terms of Service.
- Process payments and manage subscriptions via Stripe, PayPal, or Paystack.
- Send account-related notices, invoices, and technical updates.
- Respond to your support requests and communicate about your account.
- Detect, prevent, and address technical issues, fraud, abuse, and security incidents.
- Analyze anonymized usage data to improve the Service.
- Power the Mira AI agent: read your business data, generate the daily briefing, surface anomalies, draft emails/posts/replies, and produce proposals you can approve or reject. Details are in Section 10.
- Run the social, email, and DM automations you configure, including scheduling and delivery of posts, emails, comment-to-DM flows, and AI replies.
4. Legal Bases for Processing (GDPR)
Under the EU General Data Protection Regulation (GDPR), we rely on the following legal bases for processing personal data:
- Performance of a contract (Art. 6(1)(b)): to provide the Service and the features you request, including the Mira AI agent and automation features that are part of your subscription.
- Legitimate interests (Art. 6(1)(f)): for platform improvement, fraud prevention, security, abuse detection, and short-lived AI prompt logs for safety and debugging.
- Consent (Art. 6(1)(a)): when you opt in to newsletters, marketing communications, non-essential cookies, or features that explicitly require consent.
- Legal obligation (Art. 6(1)(c)): where processing is required by law (tax, accounting, anti-money-laundering).
5. Data Sharing & Third Parties
We only share personal data with third parties when necessary, including:
- Stripe — payment processing provider.
- PayPal — alternative payment processing provider.
- Paystack — payment processing provider for African markets.
- Hosting and CDN providers (e.g., AWS, Cloudflare, Vercel) — service delivery and performance.
- Amazon SES — transactional email delivery.
- LiveKit — live streaming and video infrastructure.
- Crisp — customer support chat widget.
- Analytics providers (Vercel Analytics) — for anonymized usage metrics. You can opt out via the cookie consent banner.
- LLM provider — we use Anthropic (Claude models) to power the Mira AI agent. See Section 10 for details on what data is sent and how it is handled.
- Social and marketing platforms — when you connect them (e.g., Meta/Facebook/Instagram, Google/YouTube, TikTok, X, LinkedIn, Spotify, Mailchimp), we exchange data with their APIs strictly to perform the actions you authorize.
Our full sub-processor list is available in Section 12. All third parties we engage are subject to data processing agreements that require appropriate safeguards.
6. International Transfers
Some of our sub-processors (including LLM providers, payment providers, and CDN providers) are located outside the EU/EEA, primarily in the United States. Where personal data is transferred outside the EU/EEA, we implement safeguards such as Standard Contractual Clauses (SCCs), supplementary technical measures, or other lawful transfer mechanisms (Art. 46 GDPR) to ensure continued protection.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes set out in this Policy, or as required by law. Specific retention periods:
- Account data: retained for the duration of your account plus 30 days after deletion request.
- Transaction and order records: retained for 10 years as required by German fiscal law (Abgabenordnung, § 147).
- Session and login data: up to 90 days.
- Audit logs and security logs: up to 3 years.
- AI prompt/response logs (Mira): up to 30 days for debugging and abuse prevention; outputs Mira saves into your account (briefings, drafts, proposals) follow the account-data retention rule above.
- Marketing and analytics data: as set by the relevant cookie / consent (see Cookie Policy).
When you delete your account, we will remove or anonymize your personal data within the applicable retention period.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): You may object to the processing of your personal data based on legitimate interests, including profiling by the Mira AI agent — see Section 10 on how to disable Mira.
- Right regarding automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. See Section 11.
To exercise any of these rights, please use our Data Rights Request form at https://tribenest.co/data-rights or email us at hello@tribenest.co. We will respond to your request within 30 days.
9. Cookies
For detailed information about how we use cookies and similar technologies (on both the marketing site and inside the creator dashboard), please refer to our Cookie Policy at https://tribenest.co/cookie-policy.
10. AI Processing & Profiling (Mira)
Mira is an AI agent included with paid TribeNest plans. She reads data from your TribeNest account (and any integrations you have connected) to generate a daily business briefing, draft emails and posts, surface anomalies, and propose actions for you to approve or reject. This section explains how this works in plain terms.
What data Mira reads: your orders, customers, subscribers, email list, posts and post performance, comments and DMs (where you have connected social channels), course completion and lesson drop-off data, membership events, ad campaign metrics, and your direct questions to her. Mira does not read your card numbers, passwords, or the body of private end-customer support chats unless you explicitly route them to her.
How Mira processes data: we use Anthropic (Claude models) as the underlying LLM provider. When Mira generates a briefing or a proposal, the relevant data is sent to the LLM provider over an encrypted connection together with a system prompt. The LLM returns text which we save into your account.
No training on your data: under our agreement with the LLM provider, your inputs and outputs are not used to train their underlying models. We also do not train any TribeNest model on your business data without your explicit opt-in.
Proposals vs. autonomous actions: Mira's default behavior is to propose. You see the suggestion in your dashboard and either approve, edit, or reject it. Nothing is sent to your customers, posted to your channels, or charged to your account by Mira unless (a) you explicitly approve it, or (b) you have enabled auto-approval for a specific, narrow category of action (for example, abandoned-cart recovery emails). You can disable auto-approval at any time.
Disabling Mira: you can turn Mira off in your account settings. When Mira is disabled, no business data is sent to the LLM provider for AI processing.
Legal basis: contract performance (Art. 6(1)(b)) for accounts where Mira is part of the subscription, plus legitimate interest (Art. 6(1)(f)) for short-lived prompt/response logs used for debugging and abuse prevention. You may object to profiling at any time (Art. 21) by disabling Mira.
11. Automated Decision-Making (Art. 22 GDPR)
Mira's outputs are proposals, not automated decisions. A human (you) reviews each proposal and decides whether to approve, edit, or reject it. Therefore, Mira's normal operation does not constitute solely automated decision-making with legal or similarly significant effects under Article 22 GDPR. Where you enable auto-approval for a specific narrow category of action (for example, sending an abandoned-cart recovery email or replying to a frequently-asked DM), you remain in control: you set the rules, you receive a log of every action Mira takes, and you can disable auto-approval at any time. We do not use Mira to make decisions that have legal or similarly significant effects on you or on your customers (such as denying service, setting prices for individual customers based on profiling, or making credit decisions). If we ever introduce such a feature, we will notify you in advance and request explicit opt-in.
12. Sub-processors
We engage the following sub-processors to deliver the Service. All sub-processors are bound by data processing agreements (Art. 28 GDPR).
- Stripe Payments Europe Ltd (Ireland) — payment processing.
- PayPal (Europe) S.à r.l. (Luxembourg) — payment processing.
- Paystack Payments Ltd (Nigeria, with Stripe parent) — African payment processing.
- Amazon Web Services EMEA SARL (Luxembourg / Frankfurt region) — hosting, storage, and SES email delivery.
- Cloudflare Inc. (USA) — CDN and DDoS protection.
- Vercel Inc. (USA) — frontend hosting and analytics.
- LiveKit Inc. (USA) — live streaming infrastructure.
- Crisp IM SAS (France) — customer support chat.
- Anthropic PBC (USA) — LLM provider powering the Mira AI agent.
- Endorsely — testimonials/referrals widget on the marketing site.
For international transfers we rely on Standard Contractual Clauses and other safeguards as described in Section 6. We will keep this list current; material additions of sub-processors will be reflected here. If you require an up-to-date list at any point, contact hello@tribenest.co.
13. Supervisory Authority
The competent supervisory authority for data protection matters is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Friedrichstr. 219, 10969 Berlin, Germany. Website: https://www.datenschutz-berlin.de.
14. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR).
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. The "Last updated" date at the top of this page indicates when this policy was last revised.