Last updated: 2026-05-19
Privacy Policy
This Privacy Policy describes how Summit Automates ("we", "us", or "Summit"), a product operated by Summit Systems (Private) Limited, a private limited company incorporated in Pakistan (Corporate Unique Identification Number 0324466) with registered office at Office # 3, First Floor, Mughal Market, Al-Rehman Arcade, Sector G-13/2, Islamabad, Pakistan, collects, stores, processes, and discloses information when you use the service available at summitautomates.com and app.summitautomates.com (the "Service").
1. Information we collect
1.1 Account information
When you sign up, we collect:
- Your email address
- An encrypted password hash (we never store the plaintext)
- A workspace name and any other configuration you provide
1.2 Bring-your-own AI provider keys
Summit Automates is a bring-your-own-key (BYOK) service. You provide API keys for the AI providers you choose to use (OpenAI, ElevenLabs, Pexels, Google Gemini, etc.). These keys are encrypted at rest using AES-128-CBC + HMAC-SHA256 (via the Fernet token scheme) and are only decrypted at the moment a job runs. We never display, log, or transmit your plaintext keys to anyone — including ourselves.
1.3 Social platform OAuth tokens
When you connect a social platform (Instagram, Facebook, YouTube, TikTok, LinkedIn), we receive OAuth access and refresh tokens scoped to the permissions you grant on that platform's consent screen. We store these tokens encrypted using the same Fernet scheme as above. We do not request or receive your social account passwords at any point.
1.4 Content data from connected platforms
For each social account you connect, we may read the following data only in service of the features you have explicitly enabled:
- Account metadata: account handle, account ID, channel title, page name. Used to display the connection in your admin panel.
- Connected Instagram Business / Creator account information: for Meta connections, we read the Instagram account's Business/Creator details so we can publish posts on your behalf via the Instagram Graph API.
We do not collect or store: private messages, direct messages, contacts/followers lists for marketing, audience analytics, or any post engagement data beyond what is necessary to confirm a publish succeeded.
1.5 Content you generate
Generated content (videos, captions, hashtags, narrative scripts, thumbnail images) is stored in your workspace and on your media storage. We retain these so you can review, edit, or republish.
1.6 Usage data
Every external API call made on your behalf is logged as a usage event containing the provider name, model identifier, token / unit counts, and computed cost in USD. We use this to power the cost dashboard inside your workspace. We do not share this data with any third party.
1.7 Payment information
Payments are processed by Whop Inc. (whop.com) acting as the merchant of record. Summit Automates does not receive, store, or have access to your credit card or bank account information. We receive only:
- A Whop membership ID linking your subscription
- Your billing email (used to authenticate you into Summit)
- Subscription lifecycle events (created, renewed, cancelled, refunded)
Whop's own privacy policy applies to payment data. See whop.com/legal/privacy.
1.8 Logs
We log server-side errors, request paths, and HTTP status codes for the purpose of operating and debugging the Service. Request logs do not include the contents of your generated posts or your API keys.
2. How we use your data
We process the data described above solely to:
- Run the content-generation pipeline you have configured
- Publish posts to the social platforms you have connected, on your behalf
- Show you the status, cost, and history of those operations
- Bill you via Whop and surface your subscription state in the Service
- Send transactional emails (magic-link login, trial expiration, post failure notices)
- Diagnose and fix bugs
We do not use your data for:
- Advertising or behavioral profiling
- Training any machine learning model
- Selling or renting to data brokers
- Any purpose other than operating the Service for you
3. Sub-processors
We use the following sub-processors to operate the Service. Where you bring your own keys, your traffic goes directly to the provider; in other cases data passes through us first.
- Whop Inc. — payment processing and subscription management
- Railway (railway.com) — application hosting, PostgreSQL database, media storage
- Resend (resend.com) — transactional email delivery
- AI providers you choose — OpenAI, Anthropic, Google (Gemini), ElevenLabs, Pexels, Unsplash. Calls are made with the keys you provide; data sent is subject to each provider's privacy policy.
- Social platforms you connect — Meta (Instagram + Facebook), Google (YouTube), TikTok, LinkedIn. Data sent is subject to each platform's policy.
4. Data retention
We retain your workspace data for as long as your account is active. If you cancel your subscription, we retain your workspace data for 30 days so you can resubscribe without data loss. After 30 days, all workspace data — including encrypted API keys, OAuth tokens, generated posts, and usage events — is permanently deleted.
You may request immediate deletion at any time. See the Data Deletion Instructions.
5. Your rights
You have the right to:
- Access all data we hold about you (available from your admin panel and on request)
- Correct any inaccurate information about you
- Delete your data (see Data Deletion Instructions)
- Export a machine-readable copy of your workspace data on request
- Revoke social platform access at any time by disconnecting the account in the admin panel or by revoking the permission on the platform itself
6. Security
We follow industry-standard practices, including TLS for all data in transit, Fernet (authenticated AES) encryption for sensitive data at rest, bcrypt password hashing, JWT-based authentication, and least-privilege access controls on our infrastructure. No system is impenetrable; we will notify affected users without undue delay if we learn of a security incident impacting your data.
7. Children
The Service is not directed to children under 13 (or 16 in the EU/UK). We do not knowingly collect personal information from children. If we learn we have, we will delete it.
8. International transfers
We operate from Pakistan and use sub-processors located in the United States and Europe. By using the Service you consent to your data being transferred to and processed in those jurisdictions.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to your registered address. Continued use of the Service after a change takes effect constitutes acceptance.
10. Contact us
Questions about this policy or about your data? Contact admin@summitautomates.com.