Privacy Policy
What we collect, how we use it, who we share it with — and your rights.
Effective: 2026-05-16 · v1.0
Controller (account data): itligt
Processor (customer content): itligt (acting on behalf of business customers as their data processor)
Contact: privacy [at] solvgent [dot] com
This Privacy Policy explains how itligt ("Solvgent", "we", "us") collects, uses, and protects personal data in connection with the Solvgent platform at solvgent.com and solvgent.app (the "Service"). It is written for our business customers ("Customers"), their authorized users, and visitors to our public website.
For data that Customers upload or instruct us to process in the course of using the Service (such as content drafts, brand voice samples, or end-audience metrics), we act as a processor on behalf of the Customer. For data we collect to operate our business directly (account credentials, billing, marketing-site visits) we act as a controller. The Data Processing Agreement governs our processor role; this Privacy Policy governs our controller role and explains both for transparency.
1. Who We Are
itligt operates the Solvgent platform from West Jordan, Utah, USA. For all privacy inquiries, contact privacy [at] solvgent [dot] com.
A Data Protection Officer ("DPO") is not currently required under Article 37 GDPR given our processing scope. We may voluntarily appoint one as our EU customer base grows. Until appointed, our internal privacy lead serves as the primary privacy contact via the address above.
2. What We Collect
2.1 Account data (controller)
- Name, job title, email address
- Hashed password (we never store plaintext passwords)
- Organization name and domain
- Country and time zone
- IP address and browser/device metadata captured at signup
- Profile picture (if uploaded)
- MFA credentials and backup codes (hashed)
- API tokens and OAuth tokens for connected platforms (encrypted at rest)
2.2 Billing data (controller, via Stripe)
- Billing name, address, country, VAT-ID where applicable
- Payment-method type and last four digits of card (full card numbers stored only by Stripe)
- Invoice history, plan tier, renewal date
2.3 Usage data (controller)
- Pages/features viewed, buttons clicked, forms submitted
- Approximate location (IP-derived, city-level)
- Device type, OS, browser, session timestamps
- Error events with stack traces
- API request logs
Collected via PostHog (EU instance) for product analytics and Sentry for error tracking. PII is scrubbed from error stack traces where feasible.
2.4 Customer content (processor)
- Brand profiles, brand voice samples, tone-of-voice guidelines
- Content drafts, captions, hashtags, images and video assets
- Approval / rejection feedback used to train the per-tenant brand brain
- Scheduling preferences, posting calendars
- Connected Third-Party Platform metadata (account names, follower counts, post analytics)
- Comments, replies, inbox content from Third-Party Platforms (if enabled)
- Competitor accounts the Customer chooses to monitor (public-figure context)
We process Customer Content only on documented Customer instruction. We do not use it to train cross-tenant AI models.
2.5 Marketing-site data (controller)
- Form submissions (newsletter, contact, demo request)
- UTM parameters, referrer, landing-page URL
- Cookies set by consent-management tools where required
2.6 Support communications (controller)
Emails, chat messages, and call recordings (recordings only with explicit consent).
3. Why We Collect (Legal Bases)
| Purpose | Legal Basis |
|---|---|
| Creating and operating Customer accounts | Contract (Art. 6(1)(b)) |
| Processing payments and tax compliance | Contract + Legal obligation (Art. 6(1)(b), (c)) |
| Generating AI content under Customer instruction | Contract (processor role under DPA) |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Product analytics on aggregated usage | Legitimate interest + consent for non-essential cookies |
| Marketing emails to existing customers | Legitimate interest with easy opt-out |
| Marketing emails to non-customer prospects | Consent (Art. 6(1)(a)) |
| Compliance with court orders, subpoenas | Legal obligation (Art. 6(1)(c)) |
| Defense of legal claims | Legitimate interest |
4. How We Use Personal Data
We do not sell personal data and do not "share" personal data for cross-context behavioral advertising under CPRA. We use personal data only to:
- Provide the Service — authentication, content generation, scheduling, publishing, analytics, brand-brain training inside the Customer's tenant.
- Billing and account management — process payments, send invoices, manage subscriptions, handle refunds and disputes.
- Customer support — respond to questions, troubleshoot issues, handle data-subject requests.
- Product improvement — aggregated, anonymized analytics. We do not use identifiable Customer Content for cross-tenant model training.
- Security and abuse prevention — monitor for unauthorized access, brute-force attempts, anomalous API usage.
- Compliance — tax reporting, sanctions screening (primary KYC handled by Stripe), responding to lawful requests.
- Marketing — newsletters and product announcements to subscribers who opted in. Every marketing email contains a one-click unsubscribe.
5. Sub-processors
A current and complete sub-processor list is published at solvgent.com/legal/sub-processors. We notify customers at least 30 days before adding or replacing a sub-processor. Customers may object under the terms of the DPA.
6. International Transfers
Solvgent operates from the United States. Personal data may be transferred from the EU/EEA, UK, or Switzerland to the United States or to other jurisdictions where our sub-processors operate. We rely on:
- EU–US Data Privacy Framework (DPF), UK Extension, and Swiss-US DPF, where the recipient is self-certified;
- EU Standard Contractual Clauses (SCCs) Module 2 and Module 3 where DPF does not apply, supplemented by transfer-impact assessments and additional safeguards;
- UK International Data Transfer Addendum to the EU SCCs for UK transfers;
- Swiss-specific SCC modifications for Swiss transfers.
Copies of the SCCs in force are available on request at privacy [at] solvgent [dot] com.
7. Data Retention
| Category | Retention |
|---|---|
| Account profile data | For the lifetime of the account + 90 days after cancellation, then deleted or anonymized |
| Billing records | 10 years (US tax/audit requirement) |
| Customer Content (processor) | As instructed by the Customer; deleted within 90 days of account termination unless legal hold applies |
| Brand-brain training data | Coterminous with Customer's tenant; deleted within 90 days post-termination |
| Application & audit logs | 90 days |
| Error logs (Sentry) | 90 days |
| Product analytics events (PostHog) | 12 months identifiable, then anonymized aggregates |
| Marketing-list email addresses | Until unsubscribe + 6 months on a suppression list |
| Support communications | 3 years |
| Backups | 30 days rolling, encrypted |
8. Your Rights
If you are in the EU/EEA, UK, Switzerland, California, Colorado, Connecticut, Virginia, Utah, or a jurisdiction with comparable rights, you have the following rights regarding your personal data:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — ask us to delete personal data, subject to legal-retention exceptions
- Restriction — limit our processing in certain cases
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest, including direct marketing
- Withdraw consent at any time, without affecting prior lawful processing
- Not be subject to solely automated decisions with legal or similarly significant effects (we do not engage in such decision-making)
- Lodge a complaint with a supervisory authority (EU: your local DPA; UK: ICO; CA: CPPA)
To exercise any right, email privacy [at] solvgent [dot] com from the email address associated with your account. We will respond within 30 days (extendable by 60 days where reasonably necessary, with notice to you).
9. Cookies and Similar Technologies
See our dedicated Cookie Policy. Briefly: we use only essential first-party cookies for authentication and security. We use PostHog in cookieless mode for anonymized product analytics where consent permits. No third-party advertising cookies.
10. Children
The Service is intended exclusively for business use by individuals aged 18 or older (16 or older where local law permits a business user from age 16). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy [at] solvgent [dot] com and we will delete it promptly.
11. Security
- TLS 1.2+ in transit; AES-256 at rest
- Role-based access control with least-privilege defaults
- Multi-factor authentication for all administrative access
- Audit logs for sensitive operations
- Annual access reviews
- Encrypted backups with 30-day rolling retention
- Sub-processor vendor due diligence
- Incident response plan with 72-hour breach notification commitment
12. Changes to This Policy
Material changes will be communicated by email to the Account's primary contact and by a banner on solvgent.com at least 30 days before they take effect.
13. Contact
Privacy: privacy [at] solvgent [dot] com
General: itligt — 7533 S Center View Ct Ste N, West Jordan, UT 84084, USA
Postal correspondence may be addressed in care of the contact email above; a postal channel will be added once an EU Article 27 Representative is appointed.
14. EU Representative (Article 27 GDPR)
As a US-based company offering services to data subjects in the EU/EEA, Solvgent is required under Article 27 GDPR to designate an EU Representative once we have paying customers in the EU. An EU Representative will be appointed through a third-party service (VeraSafe, EDPB Europe, or comparable) prior to or concurrent with onboarding the first paying EU customer. The Representative's contact details will be published at solvgent.com/legal/eu-representative when appointed.
Until appointed, EU data subjects may contact us directly at privacy [at] solvgent [dot] com for any matter that would otherwise be directed to the Representative. We will respond within the timelines required by GDPR Art. 12(3).