Privacy policy

Ontfly is operated by Alient, Inc., a Delaware corporation, doing business as "Ontfly" ("Ontfly," "we," "us"), with a registered office at c/o Corporation Service Company, 251 Little Falls Drive, Wilmington, Delaware 19808. For data you provide to operate your own Ontfly account, we act as the data controller. For the customer and visitor data that flows through the sites, ad campaigns, and payment flows we run on your behalf, we act as a data processor and you are the controller — see §11 (Data-processing terms). For privacy questions, contact privacy@ontfly.ai.

Where the GDPR or UK GDPR applies, we process personal data on these bases: performance of a contract (to deliver the service you purchased); legitimate interests (to secure the platform, prevent abuse, and improve our product); consent (where we ask for it, such as optional communications); and legal obligation (to keep tax and accounting records). You may object to or withdraw consent for processing based on those grounds as described in §8.

Primary customer data lives in Neon (Postgres) hosted on AWS in US-West-2 (Oregon). Files, brand assets, and generated image / video creatives live in Cloudflare R2. Generated sites are hosted on Vercel (default) or Render. Operational errors and traces live in Sentry. We do not move your personal data to a new region or a new class of subprocessor without updating our subprocessor list and giving prior notice as described in §15.

We share data with the subprocessors listed at /legal/subprocessors strictly to operate the service — for example, Stripe for payments, Meta for ads, Fal.ai for media generation, and our LLM inference providers for generation and analysis. We may also disclose data to comply with law, enforce our terms, or protect the rights and safety of users and the public. We do not sell, rent, or trade your personal data, and we do not share it for cross-context behavioral advertising.

The briefs, prompts, brand assets, and other inputs you submit are sent to our LLM and media-generation providers (currently DeepSeek and OpenRouter-routed models for text, Fal.ai for images and video) to produce sites, copy, and creatives. These providers process your inputs under their own terms to return outputs to us; we instruct them not to use your content to train their models where that option is available. AI output can be inaccurate, dated, or derivative — see the Terms for ownership and your responsibility as the final reviewer of anything published.

Depending on where you live, you may have the right to access, correct, export (portability), delete, or restrict the processing of your personal data, to object to certain processing, and to withdraw consent. California residents (CCPA/CPRA) additionally have the right to know, to delete, to correct, and to opt out of any "sale" or "sharing" — note that we do not sell or share personal data as those terms are defined. You can exercise most rights in the dashboard, or by emailing privacy@ontfly.ai. We respond within 30 days and will not discriminate against you for exercising a right. You may also lodge a complaint with your local data-protection authority.

Active data is kept while your account is active. After cancellation we delete operational data within 30 days, except: billing, tax, and audit-log records, which we retain for up to 7 years to meet accounting and legal obligations; and data we must keep to resolve disputes or enforce our agreements. Connected-account access tokens are deleted when you disconnect the account or close your account.

We encrypt data in transit and encrypt connected-account credentials and tokens at rest, scope each token to the minimum actions needed, and record an audit-log entry for every state-changing action so automated activity is traceable. Access to production data is limited to personnel who need it. No system is perfectly secure; if a breach affects your personal data we will notify you and the relevant authorities as required by law.

When we operate your business — running your store, ads, and payment flows — the personal data of your own customers and site visitors is processed on your behalf. For that data you are the controller and we are your processor: we process it only on your documented instructions (your use of the platform), keep it confidential, help you respond to data-subject requests, and delete or return it on termination as described in §9. If you require a separate Data Processing Agreement, request one at privacy@ontfly.ai and it will form part of your agreement with us.

We are based in, and primarily store data in, the United States. If you access Ontfly from the EEA, the UK, or Switzerland, your personal data is transferred to the United States and to subprocessors that may process it elsewhere. Where required, these transfers rely on the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss equivalents) together with supplementary safeguards.

On the Ontfly dashboard we use only strictly necessary cookies — for authentication sessions and CSRF protection. We do not run marketing or advertising cookies on this domain. The sites we generate for you may install the Meta Pixel and other tags; that tracking is under your control and must be surfaced through your own consent banner and privacy notice to your visitors.

Ontfly is for business users aged 18 and over. We do not knowingly collect personal data from anyone under 18; if you believe a minor has provided us data, contact us and we will delete it.

We may update this policy as the product and our subprocessors evolve. For material changes we will update the date above, post the revised policy, and notify account holders by email at least 30 days before the change takes effect. Continued use after the effective date means you accept the updated policy.

Privacy & data-subject requests: privacy@ontfly.ai. Legal notices: legal@ontfly.ai.