Privacy Policy

Last updated: May 8, 2026 · Effective: May 8, 2026

1. Introduction

OpenWay AI, Inc. ("OpenWay AI", "we", "our", or "us") respects your privacy and is committed to protecting your personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered marketing platform (the "Service"), including any related websites, applications, and integrations.

This Privacy Policy applies to all users of the Service, including users who access the Service through integrations with third-party platforms such as Google Workspace, Google Ads, Meta (Facebook, Instagram, WhatsApp), and other connected services.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, you must not use the Service.

2. Information We Collect

We collect the following categories of information:

2.1 Information You Provide Directly

  • Account information: name, email address, password (stored as a salted hash), telephone number (optional).
  • Company information: company name, role, industry, billing address, tax identifier where applicable.
  • Payment information: processed through PCI-DSS compliant third-party payment processors (e.g., Stripe). We do not store full card numbers on our servers.
  • User Content: marketing campaigns, landing pages, ad creatives, audience descriptions, business documents, prompts, and any other content you create, upload, or generate within the platform.
  • Communications: support tickets, feedback, survey responses, and correspondence with us.

2.2 Information Collected Automatically

  • Usage data: pages visited, features used, clicks, session duration, referral sources.
  • Device and technical data: IP address, browser type and version, operating system, device identifiers, timezone, language preferences.
  • Cookies and similar technologies: see Section 12 (Cookies).
  • Log data: server logs, error reports, performance metrics.

2.3 Information from Google APIs

If you choose to connect your Google account, we may access the following data, only after you grant explicit OAuth consent for each scope:

  • Basic profile information: name, email address, profile picture, Google account ID.
  • Google Drive files: only those files explicitly authorized by you (e.g., files you select for analysis or content generation). We never request broad-scope access where a narrower scope would suffice.
  • Gmail data: only if you grant permission for specific scopes related to operational features (such as sending campaign-related emails on your behalf or analyzing campaign performance from designated mailboxes).
  • Google Ads data: campaign metadata, performance metrics, audience configurations — only if you connect a Google Ads account and only via documented Google Ads APIs.
  • Google Analytics / Google Search Console data: if you connect such accounts, we access read-only metrics relevant to marketing analysis.

We request only the minimum scopes necessary to provide the features you have enabled. We use incremental authorization wherever possible so that you can grant permissions in context, at the moment a specific feature requires them.

2.4 Information from Meta (Facebook, Instagram, WhatsApp) APIs

If you choose to connect your Meta account or Meta Business account, we may access:

  • Basic profile information: name, email, Facebook user ID (app-scoped), profile picture.
  • Business and Page data: Pages you administer, Ad Accounts, Business Manager assets, Pixel and Conversions API data — only those explicitly authorized by you.
  • Marketing API data: campaigns, ad sets, ads, audiences, performance metrics from connected Ad Accounts.
  • Instagram and WhatsApp business data: only if you connect the relevant assets and grant the necessary permissions.

We use only the permissions approved through Meta's App Review process and only for the specific use cases declared and approved by Meta.

2.5 Information from Other Third-Party Integrations

If you connect other services (e.g., LinkedIn Ads, TikTok Ads, HubSpot, Salesforce, Shopify), we collect the data necessary to provide the integration as described in the relevant in-product disclosures and the third party's authorization screen.

2.6 Information from Third Parties

We may receive information about you from:

  • Service providers (analytics, fraud prevention, identity verification).
  • Publicly available sources, where lawful.
  • Business partners and referrers.

2.7 Sensitive Data

We do not knowingly collect sensitive personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation). You agree not to upload such data to the Service unless explicitly required and lawful under applicable law.

3. How We Use Information

We use collected information for the following purposes, each based on a legal basis identified in Section 4:

  • Provide the Service: authenticate you, host User Content, deliver requested features (content generation, campaign management, analytics).
  • Generate marketing outputs: produce ad creatives, landing pages, copy, recommendations, and business insights you request.
  • Personalize your experience: remember preferences, recommend templates, surface relevant features.
  • Improve and develop the Service: analyze platform performance, identify bugs, develop new features.
  • Communicate with you: send service notifications, respond to support requests, send transactional emails. With your separate consent, send marketing communications (you may opt out at any time).
  • Bill and process payments: issue invoices, collect fees, prevent fraud.
  • Ensure security and prevent abuse: detect, investigate, and prevent fraudulent, unauthorized, or illegal activity.
  • Comply with legal obligations: respond to lawful requests, enforce our Terms, protect our rights.

3.1 Use of AI and Machine Learning

The Service uses artificial intelligence and machine learning ("AI/ML") to generate outputs and recommendations. The following applies to AI/ML processing:

  • Content you generate within the Service is processed by AI models we operate or that we obtain through our AI subprocessors (e.g., foundation model providers). These subprocessors are bound by confidentiality and data-use restrictions consistent with this Privacy Policy.
  • We do not use Google user data, Meta user data, or any data obtained via Google APIs or Meta APIs to train, fine-tune, or otherwise develop generalized or non-personalized AI/ML models. This restriction also applies to data aggregated, anonymized, or derived from such data.
  • For data not subject to the Google or Meta data-use restrictions, we may use aggregated or de-identified data to improve our Service. You may opt out of having your User Content used to improve our models in your account settings, where applicable.

4. Legal Bases for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): to provide the Service you have requested.
  • Legitimate interests (Art. 6(1)(f) GDPR): to improve the Service, ensure security, prevent fraud, and conduct direct marketing to existing customers (subject to your right to object).
  • Consent (Art. 6(1)(a) GDPR): for cookies that are not strictly necessary, marketing communications to prospects, and access to data covered by OAuth scopes you grant. You may withdraw your consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable law, including tax, accounting, and law-enforcement requirements.

5. Google API Services — User Data Policy and Limited Use

OpenWay AI's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Google Workspace APIs. Where applicable, OpenWay AI's use of information received from Google Workspace APIs will adhere to the Google Workspace API User Data and Developer Policy, including the Limited Use requirements.

In particular:

  • User-facing features only. We use Google user data solely to provide or improve user-facing features that are prominent in the OpenWay AI user interface. We do not use Google user data for any other purpose.
  • No advertising. We do not use Google user data — including data aggregated, anonymized, or derived from Google user data — for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • No sale or transfer. We do not sell, transfer, or license Google user data to third parties, except: to provide or improve user-facing features that are visible in the OpenWay AI interface and only with your consent; for security purposes (e.g., investigating abuse); to comply with applicable law; or as part of a merger, acquisition, or sale of assets, after obtaining your explicit prior consent.
  • No human access. We do not allow humans to read Google user data, except: with your explicit affirmative agreement to view specific messages, files, or other data (for example, when you submit a support request that requires us to view a specific item); when necessary for security purposes (such as investigating a bug or abuse); when required by applicable law; or when the data has been aggregated and anonymized for internal operations consistent with applicable privacy law.
  • No AI/ML training. We do not use Google user data — including any aggregated, anonymized, or derived data — to train, fine-tune, or develop generalized or non-personalized AI/ML models. Google user data is processed only for the user-facing feature for which you authorized it.
  • No data brokerage or profiling. Google user data is never used for data brokerage, advertising profiling, or any profiling unrelated to the Service.

If we change the way our Service uses Google user data, we will notify you and prompt you to consent to an updated Privacy Policy before processing Google user data in the new way.

You can review and revoke OpenWay AI's access to your Google data at any time at https://myaccount.google.com/permissions. If you disconnect your Google account, we will stop accessing your Google data immediately and delete it within thirty (30) days, except where retention is required by law.

6. Meta Platform — Data Use and Compliance

OpenWay AI complies with the Meta Platform Terms and Meta Developer Policies when accessing Meta Platform Data (including data from Facebook, Instagram, WhatsApp Business, and Meta Marketing API).

In particular:

  • We process Meta Platform Data only as described in this Privacy Policy and only for the user-facing features you have enabled.
  • We do not sell, license, or purchase Meta Platform Data.
  • We do not use Meta Platform Data to build or augment user profiles without valid user consent.
  • We do not use Meta Platform Data for surveillance, eligibility determinations (such as housing, employment, insurance, credit, or government benefits), or discriminatory purposes.
  • We do not transfer Meta Platform Data except as permitted by the Meta Platform Terms (to Service Providers under contract, when legally required, or with your express consent).
  • We delete Meta Platform Data as soon as it is no longer necessary for the legitimate business purpose for which it was obtained, when you stop using the relevant feature, when you or Meta request deletion, or when required by law.

You may request deletion of Meta Platform Data we hold about you at any time. See Section 9 (User Rights and Data Deletion) and our separate User Data Deletion Instructions.

7. How We Share Information

We do not sell your personal data.

We may disclose your information in the following limited circumstances:

7.1 Service Providers (Subprocessors)

We share data with vetted third-party service providers ("subprocessors") who help us operate the Service, including:

  • Cloud hosting and infrastructure (e.g., Amazon Web Services, Google Cloud Platform).
  • Database and storage providers.
  • AI/ML model providers under contractual confidentiality and zero-retention or limited-retention terms where available.
  • Payment processors (e.g., Stripe).
  • Analytics and product telemetry providers.
  • Customer support and communication tools.
  • Email delivery services.
  • Security and fraud-prevention vendors.

All subprocessors are bound by written contracts requiring them to: (i) process data only on our documented instructions; (ii) maintain confidentiality; (iii) implement appropriate technical and organizational security measures; and (iv) comply with applicable data protection laws. A current list of subprocessors is available on request at the contact address below.

7.2 Third-Party Integrations You Authorize

When you connect a third-party service (Google, Meta, LinkedIn, etc.), data flows to and from that service per your authorization. The third party's privacy policy governs its handling of your data.

7.3 Legal Requirements

We may disclose information when required by law, subpoena, court order, or other legal process, or to protect our rights, property, or safety, or the rights, property, or safety of our users or the public.

7.4 Business Transfers

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred. We will notify you and obtain your explicit consent before any such transfer involving Google user data, as required by the Google API Services User Data Policy.

7.5 With Your Consent

We may share information with other parties when you direct or consent to the sharing.

8. Data Storage, Security, and Retention

8.1 Security Measures

We implement administrative, technical, and physical safeguards designed to meet or exceed industry standards, including:

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest using AES-256 for stored data and credentials.
  • Access controls based on least-privilege and role-based access; multi-factor authentication for employee access.
  • Network security: firewalls, intrusion detection, segmented production environments.
  • Vulnerability management: regular security testing, dependency scanning, and patching.
  • Personnel: background checks where lawful, mandatory security training, confidentiality agreements.
  • Audit logging of access to production systems and personal data.
  • Incident response plan with defined notification procedures.

We have an easily accessible way for users and security researchers to report vulnerabilities — see Section 14.

8.2 Retention Periods

We retain personal data only as long as necessary for the purposes described in this Privacy Policy:

  • Account information — for the duration of your account, plus up to 90 days after account closure.
  • User Content (campaigns, creatives, generated outputs) — for the duration of your account, plus up to 30 days after a deletion request, unless you export beforehand.
  • Google user data — only for as long as necessary to provide the user-facing feature you authorized; deleted within 30 days of disconnection or deletion request.
  • Meta Platform Data — only as long as necessary for the authorized purpose; deleted promptly upon your request, account closure, or when no longer necessary.
  • Billing and tax records — up to 7 years (as required by tax law).
  • Server logs — up to 12 months.
  • Security and audit logs — up to 24 months.
  • Marketing communications data — until you unsubscribe, plus suppression-list retention.
  • Legal hold data — as required to comply with legal obligations.

When the retention period ends, we will delete or irreversibly anonymize the data, unless retention is required by law.

8.3 Data Breach Notification

If we become aware of a personal data breach affecting your information, we will:

  • Notify the relevant supervisory authority without undue delay, and where feasible no later than 72 hours after becoming aware of the breach (where required by GDPR or analogous law).
  • Notify affected users without undue delay, where the breach is likely to result in a high risk to your rights and freedoms or where required by applicable law.
  • Notify Meta as soon as practicable through the Meta incident reporting form, where Platform Data is affected, in accordance with Meta Platform Terms.
  • Notify Google as required by the Google API Services User Data Policy, where Google user data is affected.

9. User Rights and Data Deletion

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

9.1 GDPR / UK GDPR Rights (EEA, UK, Switzerland)

  • Right of access: obtain a copy of your personal data.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): request deletion of your personal data.
  • Right to restriction: restrict processing in certain circumstances.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on our legitimate interests, including profiling and direct marketing.
  • Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint with your local data protection authority.

9.2 CCPA / CPRA Rights (California Residents)

  • Right to know what personal information we collect, use, disclose, and sell or share.
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising).
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising your rights.

We do not knowingly sell or share personal information of consumers under 16 years of age.

9.3 Other Jurisdictions

Users in other jurisdictions may have similar rights under applicable local laws (e.g., LGPD in Brazil, PIPEDA in Canada, POPIA in South Africa, APPI in Japan). We honor verifiable rights requests in accordance with applicable law.

9.4 How to Exercise Your Rights

To exercise any of the above rights, contact us at team@openway.ai or through the in-product Settings → Privacy menu.

We will respond within the timeframes required by applicable law (typically 30 days for GDPR; 45 days for CCPA, extendable once by 45 days where reasonably necessary). To protect you, we will verify your identity before fulfilling certain requests.

You may also authorize an agent to make a request on your behalf, subject to applicable verification requirements.

For complete instructions on requesting deletion of your data — including data accessed via Google APIs and Meta APIs — see our User Data Deletion Instructions.

9.5 Disconnection of Third-Party Accounts

If you disconnect a Google, Meta, or other third-party account, we will stop accessing data via that connection immediately. Cached data will be deleted within 30 days, except where retention is required by law or for legitimate security purposes (in which case data is segregated and access-controlled).

10. International Data Transfers

OpenWay AI is headquartered in the United States. Your information may be transferred to, stored in, and processed in the United States and other countries where we or our subprocessors operate, which may have data protection laws different from those of your country.

Where we transfer personal data out of the EEA, UK, or Switzerland to a country that does not have an adequacy decision, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Module 1 controller-to-controller, Module 2 controller-to-processor, as applicable).
  • UK International Data Transfer Addendum to the SCCs, where applicable.
  • Supplementary technical and organizational measures (encryption, access controls, transparency reports).
  • Where applicable, the EU-U.S. Data Privacy Framework and its UK Extension and Swiss-U.S. Data Privacy Framework.

A copy of the SCCs is available on request.

11. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 18. The Service is not intended for individuals under the age of 13, and we comply with the Children's Online Privacy Protection Act ("COPPA"). If we become aware that we have collected personal data from a child without appropriate consent, we will delete it.

If you believe a child has provided us with personal data, please contact us at team@openway.ai.

12. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, analyze usage, and (with your consent) for marketing.

Categories of cookies we use:

  • Strictly necessary cookies (always active): authentication, security, load balancing.
  • Functional cookies (with consent where required): remember preferences, language, UI state.
  • Analytics cookies (with consent where required): understand how the Service is used.
  • Marketing cookies (with explicit consent): measure ad performance, attribution.

You can manage cookie preferences through our cookie banner or through your browser settings. For more details, see our Cookie Policy (in your account settings).

13. Third-Party Services and Links

The Service may integrate with or link to third-party platforms (including Google, Meta, LinkedIn, payment processors, and others). We are not responsible for the privacy practices of third parties. Please review the privacy policies of any third-party service you interact with.

14. Security Vulnerability Reporting

If you discover a security vulnerability in the Service, please report it to team@openway.ai. We commit to acknowledging your report and addressing identified deficiencies promptly. We do not pursue legal action against good-faith security researchers acting in accordance with our responsible disclosure guidelines.

15. Updates to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision.

For material changes, we will provide at least 30 days' advance notice by email and/or in-product notification before the changes take effect, and (where required) we will request your renewed consent. Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

For changes that affect Google user data, we will notify you and prompt you to consent before processing Google user data in the new way.

16. Contact Information

Data Controller

  • OpenWay AI, Inc.
  • 901 N Market Street, Suite #100
  • Wilmington, Delaware, 19801
  • United States of America
  • General privacy inquiries: team@openway.ai
  • Data deletion requests: team@openway.ai (or use the in-product flow)
  • Security reports: team@openway.ai
  • Data Protection Officer (where applicable): team@openway.ai

EU / UK Representative (if appointed under GDPR Art. 27 / UK GDPR): contact details will be published here once appointed.

For complaints, you may also contact your local data protection authority.