Privacy Policy

We collect information in the following categories:

Account Information — Your name, email address, workspace name, and payment details (processed securely through Stripe) when you register for and maintain a Virlo account.

Usage Data — Information about how you interact with the platform — including features used, searches performed, niches tracked, exports generated, API endpoints called, and integrations configured.

Technical Data — Your IP address, browser type and version, operating system, device identifiers, mobile app version, and session timestamps collected automatically when you access the platform.

User-Generated Content — Content you create within Virlo, including custom niche configurations, saved reports, content briefs, prompts submitted to AI features, and any other assets generated through the platform.

Public Social Media Data — Publicly available content, metrics, and metadata collected from TikTok, Instagram, YouTube, and Meta in response to your queries.

We use the information we collect to:

• Provide, operate, and improve the Virlo platform and its features
• Process payments, manage your subscription, and send billing-related communications
• Authenticate API requests and meter credit-based usage
• Send product updates, feature announcements, and important service notices
• Detect, investigate, and prevent abuse, fraud, or unauthorized access to the platform
• Analyze aggregate and anonymized usage patterns to inform product decisions and improve performance
• Respond to support requests and troubleshoot technical issues
• Comply with legal obligations and respond to lawful requests

We do not sell your personal data. We do not use your private workspace content to train our own AI models, and our subprocessors are contractually prohibited from training their models on your content.

We rely on a limited set of trusted vendors (“subprocessors”) to operate Virlo. Each subprocessor is bound by a written data processing agreement and may only use your data to perform services on our behalf.

Current subprocessors include:

• Stripe — payment processing and fraud prevention (United States / Ireland)
• Supabase — application database, authentication, and storage (United States / European Union)
• Vercel — hosting and edge delivery for our web properties (United States)
• PostHog — product analytics and session insights (United States)
• Resend — transactional email delivery (United States)
• Anthropic — large-language-model processing for AI features (United States)
• OpenAI — large-language-model and image-generation processing for AI features (United States)
• OpenRouter — routing of LLM requests across approved model providers (United States)
• Apple Inc. — App Store distribution and in-app purchase processing (for iOS users only)

We may also disclose your information in the following limited circumstances:

• Legal requirements: If required to do so by law, regulation, or valid legal process, or to protect the rights, property, or safety of Virlo, our users, or the public.
• Business transfers: In the event of a merger, acquisition, or sale of all or substantially all assets of Red Lab, LLC, your information may be transferred. We will notify you via email or prominent in-app notice before your data becomes subject to a different privacy policy.

Virlo is operated from the United States. If you access the service from outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other jurisdictions where our subprocessors operate.

For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), or equivalent safeguards as appropriate.

We retain your account data for as long as your account remains active or as needed to provide you with our services. If you close your account, we will delete or anonymize your personal data within 90 days of the account deletion date, except where we are required to retain it for legal, accounting, or regulatory purposes.

Aggregated, anonymized data derived from your usage may be retained indefinitely for platform analytics purposes, as it can no longer be used to identify you. Billing records are retained for at least 7 years to comply with tax and accounting obligations.

You have the following rights with respect to your personal data:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request that we correct inaccurate or incomplete information.
• Deletion — Request that we delete your personal data, subject to certain legal exceptions.
• Portability — Request a machine-readable export of your data where technically feasible.
• Objection / Restriction — Object to or request that we restrict certain types of processing.
• Withdraw consent — Where we rely on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at info@virlo.ai. We will respond to all verified requests within 30 days.

EU and UK users: If you are located in the European Union, the European Economic Area, or the United Kingdom, you have additional rights under the GDPR and UK GDPR, including the right to lodge a complaint with your local supervisory authority. Red Lab, LLC processes EU/UK personal data on the legal bases of contract performance, legitimate interest, and consent where applicable.

California residents: Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), you have the right to know what personal information we collect, the right to delete it, the right to correct it, the right to limit the use of sensitive personal information, and the right to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA.

Virlo uses cookies and similar tracking technologies to operate the platform. We use:

• Essential cookies — Required for authentication, session management, and core platform functionality. These cannot be disabled without breaking the service.
• Analytics cookies — Used to understand how users interact with the platform so we can improve it. Data collected is aggregated and anonymized where possible.
• Preference cookies — Remember settings such as your dashboard layout and theme.

For full details on the cookies we set, their purpose, and how to control them, please see our Cookie Policy.

We take the security of your data seriously. Virlo employs industry-standard measures to protect your information, including:

• Encryption of data in transit using TLS 1.2+ and at rest using AES-256
• Access controls limiting employee access to personal data on a strict need-to-know basis
• API keys hashed at rest and rotatable at any time from your dashboard
• Regular security reviews, dependency audits, and vulnerability assessments

No system is 100% secure. We cannot guarantee absolute security, and we encourage you to use a strong, unique password, enable two-factor authentication where available, and notify us immediately at info@virlo.ai if you suspect any unauthorized access or breach.

If you use the Virlo iOS app, additional information may be collected by Apple in connection with App Store distribution, in-app purchases, and push notifications, in accordance with Apple’s privacy practices.

The mobile app may request optional permissions (camera, photo library, notifications). You can grant or revoke these at any time in your device settings without affecting your ability to use the core platform.

Virlo is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected information from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at info@virlo.ai.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

• Sending an email to the address associated with your account, and/or
• Displaying a prominent notice within the Virlo platform

The updated policy will be effective as of the “Last updated” date shown at the top of this page. Your continued use of Virlo after that date constitutes acceptance of the revised policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out to us at info@virlo.ai.

Data Controller: Red Lab, LLC (Delaware, United States)