First Concepts Privacy Policy
Last Updated: 01 April 2026
First Concepts Creative Ltd ("First Concepts," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Platform.
1. Scope
This Privacy Policy applies to all users of the First Concepts platform, accessible at firstconcepts.co, including our browser-based application and browser extension (collectively, the "Platform").
2. Data Controller and Data Processor
Data Controller: When you create an account and manage your subscription, First Concepts acts as a data controller for your account information.
Data Processor: For Customer Content that you create, upload, or process through the Platform, First Concepts acts as a data processor on your behalf. You (the Customer) are the data controller for such content and are responsible for ensuring you have appropriate legal bases for processing any personal data contained in Customer Content.
3. Data We Collect
We collect and process the following categories of data:
3.1 Customer Content
All content, materials, data, files, and information that you and your Authorised Users create, upload, or submit through the Platform. We do not use Customer Content to train AI models or any machine learning systems.
3.2 Account Data
Name and email address
Company name and business details
Account credentials (passwords are encrypted)
User preferences and settings
3.3 Usage Data
Log data (IP addresses, browser type, device information)
Feature usage and interaction patterns
Performance metrics and error logs
Analytics data about how you use the Platform
3.4 Payment Data
Payment information is collected and processed by our payment processor, Stripe. We do not store your full payment card details. We receive from Stripe only: subscription status, payment method type (e.g., Visa ending in 1234), and transaction history.
4. How We Use Your Data
We process your data for the following purposes:
4.1 Providing the Service
To operate and deliver the Platform functionality
To process Customer Content using AI models for inference and creative assistance only (not for training)
To authenticate users and manage accounts
To process payments and manage subscriptions
4.2 Service Improvement
To analyze usage patterns and improve Platform features
To diagnose technical issues and optimize performance
To develop new features and functionality
4.3 Communications
To send service-related notifications and updates
To respond to your inquiries and support requests
To send occasional product updates (you may opt out)
4.4 Legal and Security
To comply with legal obligations
To prevent fraud and abuse
To enforce our Terms of Service
To protect the security and integrity of the Platform
5. Legal Bases for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
Contract Performance (Article 6(1)(b)): Processing necessary to provide the Platform services under our Terms of Service
Legitimate Interests (Article 6(1)(f)): Service improvement, security, fraud prevention, and internal analytics
Legal Obligation (Article 6(1)(c)): Compliance with applicable laws and regulations
Consent (Article 6(1)(a)): Where you have provided explicit consent, such as for marketing communications
6. AI Processing and Training
Important clarification:
Customer Content is NEVER used to train any AI models - neither our own models (if we develop them) nor any third-party models
We use AI services (listed below) only for inference - to process your content and generate outputs in response to your requests
AI providers process Customer Content solely to deliver the service; they do not retain or use it to train public or shared models (we have appropriate data processing agreements in place)
Usage Data (aggregated, anonymized) may be used internally to improve the Platform, but this is separate from Customer Content
7. Sub-Processors and Third-Party Services
We engage the following sub-processors to help deliver the Platform:
Sub-Processor | Purpose | Location
Convex | Database and backend infrastructure | United States
Clerk | Authentication and user management | United States
PostHog | Product analytics | EU
Fivetran | Data pipeline (analytics) | United States
Mistral AI | AI inference | France (EU)
Perplexity | AI search and inference | United States
OpenAI | AI inference | United States
Anthropic | AI inference | United States
Cerebras | AI inference | United States
Fal.ai | AI media processing | United States
Hetzner | Cloud hosting infrastructure | Germany (EU)
Stripe | Payment processing | United States / Global
Sentry | Error tracking and monitoring | United States
Datadog | Log management and monitoring | EU
We have data processing agreements or appropriate contractual terms in place with all sub-processors to ensure they handle your data in compliance with GDPR and other applicable data protection laws.
Sub-Processor Changes: We may update our list of sub-processors from time to time. We will provide notice of material changes to our sub-processor list through our website or by email. If you object to a new sub-processor, you may terminate your subscription by providing written notice within 30 days of notification.
8. Data Storage and Retention
Storage Location: Your data is primarily stored on servers located in the European Union (Germany via Hetzner) and the United States (via our sub-processors).
Retention Periods:
Account Data: Retained while your account is active and for up to 12 months after account closure for legal and accounting purposes
Customer Content: Retained while your subscription is active. After termination, retained for 30 days to allow data export, then deleted from active systems. Backup copies are purged within 90 days of termination.
Usage Data: Aggregated analytics data may be retained indefinitely in anonymized form. Raw usage data linked to your account is deleted alongside Account Data.
Payment Records: Retained for 7 years to comply with tax and accounting obligations
You may request earlier deletion of your data subject to legal and contractual obligations.
9. Access Controls and Multi-Tenancy
The Platform is a multi-tenant system where multiple customers share the same infrastructure with strict logical separation:
Customer Content is isolated using database-level access controls
Each customer's data is logically separated and cannot be accessed by other customers
Authorised Users can only access their own organization's data
Role-based access controls limit what each user can view or modify within their organization
10. Internal Access
First Concepts employees have limited access to your data:
Customer Content: Accessed only when necessary for technical support, debugging, or responding to your specific support request (with your permission)
Account Data: Accessed by customer support and technical teams as needed to operate the Platform
Usage Data: Accessed by engineering and product teams for analytics and service improvement
All employees with data access are bound by confidentiality obligations and receive data protection training.
11. International Data Transfers
Some of our sub-processors operate outside the UK and EEA (primarily in the United States). Where personal data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) and appropriate contractual safeguards to ensure your data remains protected.
12. Your Rights Under GDPR
Under UK GDPR, you have the right to access, correct, delete, port, restrict, or object to the processing of your personal data. You may also withdraw consent at any time where processing is consent-based.
To exercise any of these rights, contact us at conor@firstconcepts.co. We will respond within 30 days.
If you are unsatisfied with our response, you may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
13. Cookies and Tracking Technologies
The Platform uses a limited number of cookies and similar technologies:
Essential Cookies: Required for authentication, session management, and core Platform functionality. These cannot be disabled.
Analytics and Session Recording: We use PostHog for product analytics, to understand how the Platform is used and to improve it. PostHog may set cookies to distinguish users and sessions. Session recordings capture user interactions with the Platform interface to help us identify usability issues and improve the product. Analytics data is not used for advertising or shared with third parties for marketing purposes.
We do not use advertising cookies or third-party tracking pixels. We do not sell or share cookie data with third parties.
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Platform from functioning correctly.
14. Security Measures
We implement industry-standard security measures to protect your data, including:
Encryption in transit (TLS/HTTPS) and at rest
Regular security audits and vulnerability assessments
Access controls and authentication mechanisms
Logging and monitoring for suspicious activity
Employee training on data protection and security