Privacy Policy

CMO.ie is a product of Howl Ltd. (trading as Howl.ie), a company registered in Ireland. For privacy purposes, Howl Ltd. is the data controller for any personal data processed through CMO.ie.

You can contact us about anything in this policy at privacy@howl.ie.

We collect three categories of data when you use CMO.ie:

• Account data: name, email, company name, hashed password (or OAuth identifier).
• Project data: brand names, website URLs, tracked prompts, competitor names, brand profiles you enter, and the AI responses we record on your behalf.
• Billing data:when you subscribe to a paid plan, Stripe processes your card details. We never see or store your card number — only Stripe's customer ID and the resulting subscription state (plan, status, period).

We don't use cookies for advertising or third-party tracking. The only cookies we set are essential session cookies for keeping you logged in.

We use account and project data to operate CMO.ie — running visibility checks against AI models, generating action plans and content briefs, and showing you the results in your dashboard. We use billing data only for billing.

We do not sell, rent, or share your data with third parties for marketing. We do not use your project data to train AI models.

Processing of account and project data happens under contract (Art. 6(1)(b)) — the data is necessary to provide the service you signed up for. Marketing emails (if you opt in) happen under consent (Art. 6(1)(a)). Fraud prevention and security logging happens under legitimate interest (Art. 6(1)(f)).

When you run a visibility check or generate an action plan, we send your prompts (and limited brand context) to AI providers — currently Anthropic, OpenAI, Google, Perplexity and xAI. These providers are based in the United States. Transfers happen under EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where the provider is certified.

We never send personal customer data to AI providers — the prompts are about your brand and category, not about identifiable individuals.

While your subscription is active, we keep project data so you can see historical visibility trends. After you cancel and don't reactivate within 90 days, we delete project data permanently. Account records are kept for 7 years after closure for tax and legal purposes (Irish Revenue requirement).

Under GDPR you have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie).

To exercise any right, email us at privacy@howl.ie. We respond within 30 days.

We host on Vercel (EU edge for serving, US for compute) and Supabase (EU region for our database). Passwords are hashed with bcrypt; in transit, all traffic is TLS 1.2+; at rest, database storage and backups are encrypted with AES-256. Access to production data is limited to named Howl Ltd. staff with audit logging.

When we change this policy materially, we'll email account holders at least 30 days before the change takes effect. The "last updated" date at the top of this page tracks the most recent revision.