Privacy Policy

NightShift AI is an AI business automation platform operated as a SaaS service. This Privacy Policy explains what information we collect from you, how we use it, who we share it with, and the choices you have about your personal data. By using NightShift AI you agree to the practices described here. If you do not agree, do not use the service.

We collect: (a) Account data — email address, business name, password hash (for email/password sign-in) or Google account ID (for Google sign-in), and the time of your most recent login; (b) Billing data — Stripe customer ID, subscription status, plan tier, and credit balance. Stripe collects and stores your payment card details directly; we never see or store them; (c) Usage data — which AI workers you use, credit consumption per feature, and the prompts or inputs you submit while generating content; (d) Security telemetry — IP address, user agent, login successes and failures, two-factor authentication events, and security incidents, retained for fraud prevention and platform stability; (e) Generated content — images, videos, scripts, voice clones, face clones, and chat responses that you create using our tools.

We use your information to: provide and operate the platform; authenticate you and protect your account; process payments through Stripe; debit credits and enforce plan limits; generate the AI outputs you request; send transactional emails (welcome, purchase receipts, password resets); detect and prevent fraud, abuse, and security threats; comply with legal obligations. We do not sell your personal data to anyone, ever.

When you use AI features, your prompts and inputs may be transmitted to third-party AI providers for processing. These include: Pollinations (text and image generation), HeyGen (talking-avatar videos and face cloning), Replicate (neural video generation), Vidu (AI video animation), ElevenLabs (voice cloning and text-to-speech), and Google (for Google sign-in only). Each provider has its own privacy policy governing how they handle data sent to them. We send only the information necessary to complete your request. We do not share your account credentials, billing information, or other account data with these providers.

We use cookies and browser local storage to keep you logged in, remember your preferences, and protect against cross-site request forgery during OAuth sign-in. We do not use third-party advertising cookies. We do not track you across other websites.

We share data only with: (a) Service providers who help us operate the platform — Stripe (payments), Replit (hosting), Upstash (rate-limiting cache), Resend (transactional email), and the AI providers listed above; (b) Law enforcement or regulators, when legally compelled to do so; (c) A successor company, in the event of a merger, acquisition, or asset sale, with notice to you. We do not share your data for marketing, advertising, or analytics purposes with any third party.

Account and billing data are retained for as long as your account is active and for up to 12 months after closure for legal and accounting purposes. Generated content remains in your account until you delete it. Security and stability logs are retained for up to 90 days. You can request earlier deletion at any time by emailing us (see Section 11).

Depending on your jurisdiction (including GDPR in the EU/UK and CCPA in California) you may have the right to: access the personal data we hold about you; correct inaccurate data; delete your data; restrict or object to processing; export your data in a portable format; withdraw consent at any time; file a complaint with your local data-protection authority. To exercise any of these rights, contact us using the details in Section 11. We respond within 30 days.

We protect your data using industry-standard practices including: TLS encryption for all data in transit; bcrypt password hashing; bearer-token session authentication; rate limiting on authentication endpoints; IP-based abuse detection; honeypot endpoints to catch malicious scanners; optional two-factor authentication on your account. No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.

NightShift AI is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you specific rights regarding your personal information: (a) the right to know what personal information we collect, use, disclose, and (if applicable) sell or share; (b) the right to delete personal information we have collected from you; (c) the right to correct inaccurate personal information; (d) the right to opt-out of the sale or sharing of your personal information; (e) the right to limit use of sensitive personal information; (f) the right to non-discrimination for exercising any of these rights. NightShift AI does not sell or share personal information for cross-context behavioral advertising, and we do not sell personal information for monetary consideration. To exercise any CCPA right — including a “Do Not Sell or Share My Personal Information” request, even though we do not engage in such activity — email nightshiftai101@gmail.com with subject “CCPA Request.” We respond within 45 days.

For copyright infringement notices and counter-notices, see Section 19a of our Terms of Service. Send DMCA notices to nightshiftai101@gmail.com with subject “DMCA Takedown.”

Questions, requests, or complaints about this Privacy Policy or your personal data can be sent by email through the support address listed on our home page. We will respond within 30 days. For Terms & Conditions, see /terms.html.

We may update this Privacy Policy to reflect changes in our practices or for legal reasons. When we do, we will update the “Last updated” date at the top of this page. For material changes we will notify you by email or via a prominent notice in the platform.