← Pharlo

Privacy Policy

Last Updated: April 22, 2026

This Privacy Policy (the "Policy") explains how ADME (CY) LTD ("PHARLO", "we", "us", or "our") collects, uses, discloses, and otherwise processes personal data when you access or use the PHARLO service, including the REST API, the Model Context Protocol (MCP) server, the management console, technical documentation, and all related websites, applications, tools, and programmatic interfaces made available by us (collectively, the "Service"), made available through the platform at: https://pharlo.io

This Policy applies to personal data processed in connection with your use of the Service, your interactions with us (including through support channels, communications, and marketing activities), and any other activities described in this Policy.

This Policy should be read together with our Terms of Use, available at https://pharlo.io, which govern your access to and use of the Service, and our Cookie Notice, which explains how we use cookies and similar technologies in connection with the management console and related web interfaces. Capitalized terms not defined in this Policy have the meanings given to them in the Terms of Use.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must not access or use the Service.

1. Data Controller and Scope of This Policy

1.1. For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR), the data controller responsible for the processing of personal data under this Policy is:

ADME (CY) LTD is a private limited liability company incorporated under the laws of the Republic of Cyprus, company registration number: HE347617, registered address: 62, Agiou Athanasiou, “BG WAYWIN PLAZA”, 4th floor, office 402, 4102, Limassol, Cyprus.

1.2. This Policy applies to the processing of personal data in connection with your access to and use of the Service, including, without limitation:

1.3. The Service is offered to users worldwide. This Policy is primarily governed by and drafted in accordance with European Union data protection laws, including the GDPR, and applies to the processing of personal data of individuals located in the European Economic Area (EEA) or UK. Where you access or use the Service from outside the EEA or UK, your personal data may nevertheless be processed in accordance with this Policy and applicable international data protection requirements.

1.4. We may update or modify this Policy from time to time to reflect changes in our data processing practices, the Service, or applicable legal requirements. Any updated version of this Policy will be made available through the Service and will be identified by an updated "Last Updated" at the top of this document. Where required by applicable law, or where changes materially affect your rights or the manner in which we process personal data, we may provide additional notice, such as through in-Service notifications or other reasonable means. Your continued use of the Service after the effective date of an updated Policy constitutes your acknowledgment of the updated Policy.

2. Personal Data We Collect

2.1. We collect and process different categories of personal data depending on how you access or use the Service, the features you use, and your interactions with us. The Service is primarily a business-to-business technical interface; personal data processing is limited to engaged developers, administrators, and other authorized users acting on behalf of an organization or API client. The categories of personal data we may collect are described below:

2.1.1. Account and Contact Information

When you create an Account, register an API client, or are added as an authorized user of an existing API client, we may collect account and contact information, including your name, username, email address, login credentials (stored in hashed or encrypted form), organization or workspace membership, role or permissions, and account preferences or settings. This information is required to create and administer your Account, authenticate you, and provide access to the Service.

2.1.2. Subscription and Billing Information

If you subscribe to a paid plan or otherwise make purchases through the Service, we may collect information related to your subscription and billing status, such as your selected subscription plan, billing cycle, credit balance and allowance, overage top-up history, invoice information, transaction references, and payment status. We do not store full payment card numbers or other complete payment instrument details on our systems.

2.1.3. Payment Processing Data

Payments for subscriptions, credit top-ups, and other paid features of the Service are processed by third-party payment service providers. These providers collect and process your payment information in accordance with their own terms and privacy policies. PHARLO receives only limited information necessary to confirm and administer the transaction, such as payment confirmation, transaction identifiers, billing status, and related metadata.

2.1.4. API Credentials and Third-Party Platform Connections

The Service is accessed using API keys, MCP access tokens, and OAuth credentials issued to you or your API client. In order to enable publication and content distribution to third-party platforms (such as YouTube and Meta), you may authorize PHARLO to hold long-lived OAuth access and refresh tokens on your behalf for such platforms. These tokens are held in encrypted form and are used solely to carry out the actions you request through the Service (for example, publishing an assignment to a channel you have connected) and to maintain those connections.

2.1.5. Request, Assignment and User Content Data

When you use the Service, you may submit content and metadata for programmatic processing and distribution. This may include:

Inputs and Outputs may contain personal data to the extent that such information is included by you (for example, names, likenesses, voices, or contact details appearing in media you submit, or in metadata you provide). You are responsible for ensuring that you do not submit personal data of third parties or any sensitive personal data unless you have a valid legal basis and all required permissions to do so, and for complying with the policies of any third-party platform to which content is distributed.

2.1.6. Technical, Usage and Log Data

We automatically collect technical and usage information when you access or use the Service. This may include your IP address, device identifiers, browser type and version, operating system, log files, access times, API request and response metadata (such as endpoint, HTTP method, status code, response time, and rate-limit headers), MCP tool invocation metadata, webhook delivery attempts and outcomes, credit transaction records, error reports, and performance or diagnostic data.

2.1.7. Cookies and Similar Technologies

We use cookies and similar technologies in the management console and related web interfaces to operate and improve those surfaces, enable core functionality, analyse usage, and, where applicable, support optional features. The REST API and MCP server do not rely on cookies for authentication or state. Further information about our use of cookies and similar technologies is provided in our Cookie Notice.

2.1.8. Communications

If you contact us or otherwise communicate with us, we may collect and process the information you provide, such as support requests, emails, messages, feedback, survey responses, or other communications.

2.1.9. Data from Third Parties

In certain cases, we may receive personal data from third parties, such as identity or single sign-on providers (where you choose to use such functionality), third-party platforms to which you have connected (for example, basic channel or page profile data returned by YouTube or Meta as part of an OAuth connection), service providers acting on our behalf, or publicly available sources, to the extent relevant and permitted by applicable law.

2.1.10. Data About Other Individuals

The Service may allow you to invite or refer other individuals to your workspace or API client. In such cases, we may process limited contact information relating to those individuals solely for the purpose of delivering the invitation or facilitating the relevant feature, and only where you have obtained the necessary permissions to share such information.

3. How We Use Personal Data

3.1. We process personal data for the purposes described below, depending on how you access or use the Service, the features you use, and your interactions with us:

3.1.1. Service Provision and Operation

We use personal data to provide, operate, and maintain the Service, including to create and manage Accounts and API clients, authenticate users, issue and rotate API credentials, manage third-party platform connections, process Inputs, execute assignments and other API operations, deliver Outputs (including webhook notifications and analytics results), and ensure the proper functioning and availability of the Service.

3.1.2. Account, Subscription and Credit Management

We use personal data to administer user Accounts and subscriptions, including to manage billing cycles, grant monthly credit allowances, meter credit consumption, process overage top-ups, process renewals and cancellations, send account-related notifications, and provide customer support and assistance.

3.1.3. Payments and Accounting

We process personal data as necessary to facilitate transactions, issue invoices and receipts, maintain financial records, and comply with applicable accounting, tax, and financial reporting obligations.

3.1.4. Security, Abuse Prevention, and Compliance

We use personal data to protect the security and integrity of the Service, prevent and detect fraud, abuse, and unauthorized activities, enforce usage limits and rate limits, enforce our Terms of Use and the terms of third-party platforms to which the Service connects, investigate potential violations, and comply with applicable legal and regulatory requirements.

3.1.5. Analytics and Service Improvement

We use personal data to analyse how the Service is used, monitor API and MCP performance, diagnose technical issues, plan capacity, and improve the functionality, reliability, and user experience of the Service. Where possible, such analysis is performed using aggregated or de-identified data. PHARLO does not use the content you submit (Inputs) or the content we return to you (Outputs) to train, develop, or improve artificial intelligence or machine learning models.

3.1.6. Marketing and Communications

Where permitted by applicable law, we may use personal data to send you product updates, service-related announcements, security notices, and promotional communications. You may opt out of receiving marketing communications at any time by following the unsubscribe instructions provided in such communications or by contacting us.

3.1.7. Legal Obligations

We process personal data as necessary to comply with applicable laws, lawful requests from public authorities, regulatory requirements, and to establish, exercise, or defend legal claims and protect our rights and the rights of others.

3.1.8. Aggregated and De-Identified Data

We may create and use aggregated, anonymized, or de-identified data derived from personal data for statistical, analytical, and business purposes. Such data does not identify you and is not considered personal data under applicable data protection laws.

4. Legal Bases for Processing

4.1. For individuals located in the European Union, the EEA or UK, personal data is processed in accordance with the GDPR and on one or more applicable legal bases, as set out below, depending on the purpose of processing.

4.2. Contract Performance

We process personal data where such processing is necessary to provide the Service in accordance with the Terms of Use accepted by you or by the legal entity on whose behalf you act. This includes, for example, enabling access to the Service, creating and managing Accounts and API clients, issuing API credentials, processing subscriptions and credits, executing API and MCP operations, producing and delivering Outputs, and providing customer support.

4.3. Consent

We process personal data based on your consent where required by applicable law. This may include, for example, sending marketing communications, using non-essential cookies or similar technologies in the management console, or, where applicable, authorizing PHARLO to connect to your third-party platform accounts via OAuth. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before such withdrawal.

4.4. Legitimate Interests

We process personal data where such processing is necessary for our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. These legitimate interests may include operating and improving the Service, ensuring its security and integrity, preventing fraud and abuse, enforcing the Terms of Use, metering and billing credit consumption, and conducting internal business operations.

4.5. Legal Obligations

We process personal data where such processing is necessary to comply with a legal obligation to which we are subject, including obligations relating to accounting, taxation, regulatory compliance, and responses to lawful requests from public authorities.

5. Automated Decision-Making and Profiling

PHARLO does not apply automated decision-making or profiling that produces legal or similarly significant effects in relation to personal data. Automated technical decisions that are necessary to operate the Service — such as denying an API request that exceeds a rate limit or a credit balance, pausing connections that return persistent authentication errors, or rejecting requests that fail validation — are carried out solely for operational purposes and do not constitute automated decision-making within the meaning of applicable data protection laws.

6. Data Breaches

We have implemented appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify affected individuals and the relevant supervisory authority in accordance with applicable data protection laws.

7. How We Share Personal Data

7.1. We may share personal data with trusted third-party service providers that process data on our behalf for the purpose of operating, maintaining, and improving the Service. This may include providers of hosting and cloud infrastructure, object storage and content delivery, technical and customer support tools, analytics services, error-monitoring and observability services, security services, and email or communication delivery platforms. Such service providers act as data processors and are contractually required to process personal data only in accordance with our instructions and applicable data protection laws.

7.2. Payments for subscriptions, credits, and other paid features of the Service are processed by independent third-party payment providers. These providers process personal data under their own terms and privacy policies and act as separate data controllers in relation to payment data. PHARLO does not control and is not responsible for the data processing practices of such payment providers, beyond receiving limited transaction confirmations and billing metadata necessary for accounting and subscription administration.

7.3. The Service distributes content to third-party platforms that you have connected (such as YouTube and Meta). When you instruct the Service to publish, update, delete, or retrieve information about content on such platforms, Inputs (including any media files and associated metadata) and OAuth tokens issued to you by those platforms are transmitted to them solely for the purpose of executing your instructions. Those platforms act as independent data controllers in relation to any personal data they receive and are governed by their own terms of service and privacy policies. Users are strongly advised not to include personal data of third parties or any sensitive personal data in their Inputs, and to ensure that their use of third-party platforms complies with those platforms’ terms. PHARLO does not control how third-party platforms process data once it has been delivered to them.

7.4. We may disclose personal data where required to do so by applicable law, regulation, court order, or other legally binding request, or where disclosure is necessary to protect the rights, property, or safety of PHARLO, our users, or third parties. This may include disclosures to courts, regulators, law enforcement authorities, or other competent public bodies.

7.5. Personal data may be disclosed in connection with actual or contemplated corporate transactions, such as mergers, acquisitions, reorganizations, asset sales, financing, or similar business transfers. In such cases, personal data may be shared with relevant counterparties and advisers subject to appropriate confidentiality and data protection safeguards, and in accordance with applicable law.

8. International Data Transfers

If personal data is transferred outside the EEA or the UK, PHARLO will ensure that such transfer is carried out in accordance with applicable data protection laws and subject to appropriate safeguards providing an adequate level of protection. Where content is published to third-party platforms, such transfers are carried out based on your instructions and the legal framework applicable to those platforms.

9. Data Retention

9.1. We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and processed, as described in this Policy, and to comply with applicable legal, accounting, tax, and regulatory requirements.

9.2. The retention period for personal data depends on the category of data, the purpose of processing, and applicable legal obligations. In particular:

9.2.1. Account and Contact Data

Account and contact information is generally retained for as long as your Account or API client remains active. Following account termination, such data may be retained for a limited period where necessary for account administration, dispute resolution, enforcement of the Terms of Use, or compliance with legal obligations.

9.2.2. Subscription, Credit, Billing, and Tax Records

Billing information, invoices, credit transaction ledgers, transaction references, and related financial records are retained for the period required under applicable accounting, tax, and financial reporting laws.

9.2.3. Technical, API and Security Logs

Technical logs, API and MCP request and response metadata, webhook delivery records, usage data, and security-related information may be retained for limited periods to ensure the security and integrity of the Service, monitor performance, investigate incidents, meter credit consumption, and prevent fraud or abuse.

9.2.4. User Content

User Content, including Inputs and Outputs held transiently or durably by the Service in the course of executing assignments and related operations, is retained for as long as necessary to provide the Service and in accordance with the configuration of your API client. Upon account termination, User Content may be deleted or anonymized, subject to technical constraints and legal or regulatory retention requirements. Content that has been published to third-party platforms remains subject to the retention policies of those platforms.

9.2.5. API Credentials and Third-Party Platform Tokens

API keys, MCP access tokens, and OAuth tokens for third-party platforms are retained for as long as the associated Account, API client, or connection remains active. Revoked, rotated, or expired credentials and tokens are deleted or rendered unusable within a reasonable period in accordance with our security practices.

9.2.6. Other personal data

Personal data collected through communications, customer support interactions, referrals or invitations, cookies, similar technologies, or received from third parties is retained only for as long as necessary to fulfil the purposes for which it was collected, to provide the relevant feature or interaction, or to comply with applicable legal or operational requirements.

9.3. Where personal data is no longer required for the purposes for which it was collected, and where no legal obligation requires further retention, such data will be deleted, anonymized, or otherwise securely disposed of in accordance with applicable data protection laws.

10. User Rights

10.1. Subject to applicable data protection laws, you have certain rights in relation to the personal data we process about you, as described below. These rights may apply depending on your location and the circumstances of the processing.

10.2. Right of Access

You have the right to request confirmation as to whether we process personal data relating to you and, where that is the case, to request access to such personal data and certain information about how it is processed.

10.3. Right to Rectification

You have the right to request the correction or updating of inaccurate or incomplete personal data concerning you.

10.4. Right to Erasure

You have the right to request the deletion of your personal data where permitted by applicable law, including where the data is no longer necessary for the purposes for which it was collected, or where processing is based on consent that has been withdrawn and no other legal basis applies.

10.5. Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or object to the processing and verification is pending.

10.6. Right to Object

You have the right to object to the processing of your personal data where such processing is based on our legitimate interests. Where you object, we will stop processing your personal data unless we demonstrate compelling legitimate grounds for the processing or the processing is required for the establishment, exercise, or defence of legal claims. You also have the right to object at any time to the processing of your personal data for direct marketing purposes.

10.7. Right to Data Portability

Where processing is based on your consent or on the performance of the Terms of Use and is carried out by automated means, you have the right to request to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to request that such data be transmitted to another controller where technically feasible.

10.8. Right to Withdraw Consent

Where we process personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal. Where you have authorized connections to third-party platforms via OAuth, you may revoke such authorization at any time through the management console or the settings of the relevant third-party platform.

10.9. Right to Submit a Complaint

Complaints relating to the processing of any personal data may be communicated electronically at support@pharlo.io. Complaints may also be lodged before the supervisory authority responsible for the protection of personal data, in the country of your habitual residence, place of work, or place of the alleged infringement of your personal data. More information about how to contact the supervisory authorities across the EEA can be found on the European Data Protection Board’s website at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

10.10. You may exercise your rights by contacting us through the contact details provided in this Policy. We may request additional information to verify your identity before responding to a request. We will respond to your request within the timeframes required by applicable law. Where permitted by law, we may refuse or limit requests that are manifestly unfounded, excessive, or otherwise not required to be fulfilled.

11. Cookies and Tracking Controls

You can manage cookies and similar tracking technologies in the management console and related web interfaces through your browser settings or other available consent management tools. Most browsers allow you to control cookies, including blocking or deleting existing cookies, and to configure preferences for future cookie usage. Please note that disabling certain cookies may affect the functionality or availability of some features of the management console. The REST API and MCP server do not rely on cookies and are not affected by such settings.

Further information about the types of cookies we use, their purposes, and how you can manage your preferences is provided in our Cookie Notice, which forms an integral part of this Policy.

12. Data Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include encryption of API keys, MCP access tokens, and OAuth tokens at rest, encryption of data in transit, access controls, and monitoring of our infrastructure. These measures are intended to ensure a level of security appropriate to the risks associated with the processing of personal data, taking into account the nature of the data and the state of the art.

However, no system or method of transmission over the internet or electronic storage is completely secure. While we strive to protect personal data, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your API keys and other credentials issued to you.

13. Children’s Data

The Service is not intended for use by children under the age of 18. We do not knowingly collect or process personal data of children under 18 without appropriate parental or legal guardian consent, where such consent is required by applicable law.

If you are a parent or legal guardian and believe that a child has provided personal data to us without the required consent, please contact us. Upon becoming aware that personal data of a child has been collected in violation of applicable law, we will take reasonable steps to delete such data as soon as practicable.

14. Contact Information

If you have any questions, requests, or concerns regarding this Policy or the processing of personal data, you may contact us using the details below:

Email: support@pharlo.io

Registered address: ADME (CY) LTD, 62, Agiou Athanasiou, “BG WAYWIN PLAZA”, 4th floor, office 402, 4102, Limassol, Cyprus