Fibonacci, Inc. — Privacy Policy
Last Updated: May 12, 2026
This Privacy Policy describes how Fibonacci, Inc. and its affiliated companies (collectively, “Fibonacci,” “we,” “our,” or “us”) collect, store, use, disclose, and otherwise process personally identifiable information (“Personal Information”) in the course of our business, including our website located at percuity.ai (the “Website”), our Leo platform for AI-powered paid advertising management (“Leo” or the “Platform”), and all other Fibonacci services, technology, data, programs, and materials. The Website, Leo, and our other services and related offerings are collectively called the “Services.”
Your privacy matters to us. We are committed to making our practices regarding your Personal Information fair and transparent. Please read this Privacy Policy carefully. By accessing and using the Services, you acknowledge that you have read this Privacy Policy and agree to its terms. If you do not agree, please do not access or use the Services.
Capitalized terms that we do not define in this Privacy Policy have the meaning set forth in our Terms of Service at percuity.ai/terms (the “Agreement”), which also governs your access and use of the Services.
1. Who This Policy Applies To
This Privacy Policy applies to three types of individuals:
- Visitors to our Website, including people who browse percuity.ai or interact with our marketing materials.
- Users of Leo, including our direct customers (“Clients”) and the individuals they authorize to access Leo on their behalf (“Additional Users”).
- Individuals whose Personal Information is contained in data that Clients process through Leo, such as audience lists, customer email addresses, or other data from Client Ad Accounts.
Our role and responsibilities differ depending on which group you belong to. We explain this in Section 3 (Controller and Processor Roles).
2. Information We Collect
2.1 Information You Provide Directly
When you create an account, subscribe to our Services, request a demo, register for a Leo University event, subscribe to our newsletter, or otherwise communicate with us, we may collect:
- Contact information such as name, email address, phone number, job title, and company.
- Account credentials such as username and password (stored in hashed form).
- Billing information such as billing address and limited payment details. Full payment card numbers are processed by our payment provider (see Section 8 on Sub-Processors) and we do not store them on our systems.
- Communications, including messages you send to support, feedback, survey responses, and content you post in our community forums.
2.2 Information We Collect Automatically
When you use our Services, we may automatically collect:
- Device and connection information, such as IP address, browser type and version, operating system, device identifiers, and referring URLs.
- Usage information, such as pages visited, features used, actions taken in Leo, time spent, and diagnostic data.
- Cookies and similar tracking technologies, as described in Section 9 (Cookies).
2.3 Information From Ad Networks
When Clients connect their advertising accounts on Meta, Facebook, Instagram, Google, LinkedIn, TikTok, the Microsoft Audience Network, Reddit, or other third-party advertising platforms (each an “Ad Network”) to Leo, we receive data from those Ad Networks on behalf of the Client. This may include campaign performance data, audience data, creative assets, account structure, and, in some cases, Personal Information contained in Client audience lists or custom audiences.
When we receive this data, we act as the Client’s service provider (under CCPA) or processor (under GDPR). We process this data only as the Client directs and as necessary to provide the Services. We do not sell, share, or use this data for our own independent marketing purposes.
2.4 Information From Third Parties
We may receive information about you from third-party sources such as identity verification services, fraud prevention services, data enrichment providers, analytics providers, and our business partners. We use this information to verify your identity, prevent fraud, improve our Services, and personalize your experience.
3. Controller and Processor Roles
Data protection laws such as the GDPR distinguish between a “controller” (who decides how and why Personal Information is processed) and a “processor” (who processes Personal Information on behalf of a controller). Our role depends on the context.
When we are the controller: We act as the controller for Personal Information that relates to our direct relationship with you, such as information provided during account registration, billing information, support communications, marketing interactions, and Website analytics. We decide how and why to process this information, in accordance with this Privacy Policy.
When we are the processor (or service provider): We act as the processor (or, under CCPA, as a service provider) for Personal Information contained in data that Clients process through Leo, including data we ingest from Client Ad Accounts. Clients determine the purposes of processing; we process this data only as instructed by the Client, pursuant to the Agreement and, where applicable, a Data Processing Addendum (“DPA”) between the Client and Fibonacci. If you are an individual whose information is in this category and you wish to exercise your rights, please contact the Client directly; we will assist the Client in responding to your request.
4. How We Use Information
We use Personal Information for the following purposes:
- To provide, maintain, operate, and support the Services, including to authenticate users, manage accounts, process transactions, communicate with you, and respond to requests.
- To improve, troubleshoot, secure, and develop the Services, including to analyze usage patterns, test new features, fix bugs, prevent fraud and abuse, and enforce our policies.
- To generate Aggregated Insights (as defined in the Agreement) — de-identified and aggregated outputs derived from Client Data that cannot reasonably be used to identify any Client or individual, and that we use to train, test, validate, and improve Leo Intelligence and the Services, produce benchmarks and analytical content, and provide consultative content (including through Leo University). We explain this in more detail in Section 5 (AI, Machine Learning, and Aggregated Insights).
- To communicate with you about the Services, including to send administrative messages, product updates, newsletters, marketing communications (subject to your preferences), and to invite you to Leo University webinars and events.
- To comply with legal obligations, respond to lawful requests, enforce our agreements, protect our rights and property, and protect against legal liability.
We will only process your Personal Information where we have a lawful basis to do so, including: (i) your consent, (ii) performance of a contract with you, (iii) compliance with a legal obligation, or (iv) our legitimate interests (such as operating and improving the Services, marketing, and fraud prevention), where not overridden by your rights.
5. AI, Machine Learning, and Aggregated Insights
Leo is an artificial intelligence platform for paid advertising. To build, improve, and operate Leo Intelligence — the AI models, agents, tools, data science pipelines, databases, and infrastructure that power the Services — we use Client Data in two ways:
5.1 To operate the Services for the Client directly.
We process Client Data to make decisions, generate recommendations, and execute actions on the Client’s Ad Accounts. This use is necessary to deliver the Services the Client has subscribed to, and the Client retains ownership of its Client Data.
5.2 To generate Aggregated Insights.
We may use Client Data, in an anonymized and aggregated form, to:
- Train, test, validate, and improve Leo Intelligence and the Services.
- Develop new features, models, products, and services.
- Produce benchmarks, trend analyses, case studies, and other analytical content.
- Provide consultative and advisory content through the Services and Leo University.
Before Client Data is used to generate Aggregated Insights, we apply de-identification and aggregation techniques to remove direct identifiers and combine data across Clients, such that the resulting Aggregated Insights cannot reasonably be used to identify any Client, Additional User, or individual. We will not attempt to re-identify Aggregated Insights or trace them back to any individual Client account after aggregation.
Fibonacci owns all right, title, and interest in and to Aggregated Insights, as set forth in the Agreement.
5.3 Automated Decision-Making.
Leo uses automated processing, including machine learning models and AI agents, to analyze Client Data and make recommendations or execute actions (such as allocating ad spend, pausing campaigns, or adjusting bids). These actions operate on the Client’s advertising accounts and do not produce legal or similarly significant effects on individual consumers. Clients remain in control of their Ad Accounts and may override or reverse automated actions through the Services. California residents have the right to request information about our use of automated decision-making technology under the CCPA, as described in Section 12.
6. How We Share Information
We do not sell your Personal Information, and we do not “share” your Personal Information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”). In the prior 12 months, we have not sold or shared Personal Information in these senses.
We may disclose Personal Information in the following circumstances:
- To our sub-processors and service providers (see Section 8) who process data on our behalf under contractual obligations of confidentiality and data protection.
- At the Client’s direction, to Ad Networks and other third-party services that the Client has connected to Leo. When Leo pushes data (such as a custom audience) to an Ad Network on behalf of a Client, Fibonacci is acting as the Client’s processor executing the Client’s instructions; this is not a “sale” or “share” of Personal Information by Fibonacci.
- To our affiliates and corporate group members for the purposes described in this Privacy Policy.
- In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets, subject to standard confidentiality protections.
- To comply with legal obligations, including responding to subpoenas, court orders, or lawful requests from public authorities.
- To protect the rights, property, or safety of Fibonacci, our Clients, or others, including enforcing our agreements and policies, and investigating fraud or security incidents.
- With your consent or at your direction.
7. International Transfers
Fibonacci is headquartered in the United States, and we process Personal Information in the United States and other countries where we and our sub-processors operate. Data protection laws in these countries may differ from those in your country. Where required by applicable law, we implement appropriate safeguards for international data transfers.
8. Sub-Processors
To provide the Services, we engage trusted sub-processors such as cloud infrastructure providers, AI and machine learning providers, payment processors, email service providers, analytics providers, and customer support tools. We enter into written agreements with our sub-processors requiring them to maintain appropriate confidentiality and security safeguards and to process Personal Information only as necessary to provide their services to us.
A current list of our sub-processors is available upon request. We will provide notice of material changes to this list as required by applicable law and by our Agreement with Clients.
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our Website and in Leo to operate the Services, remember your preferences, analyze how the Services are used, and improve your experience. Cookies are small text files stored on your device.
Most browsers allow you to block or delete cookies through their settings. Blocking essential cookies may affect the functionality of the Services.
We may update our cookie practices from time to time. Where required by applicable law, we will provide additional notice or obtain your consent before setting non-essential cookies.
10. Data Retention
We retain Personal Information for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, enforce our agreements, and for other legitimate business purposes. Specifically:
- Account information (such as Client contact details, billing information, and login credentials) is retained for the duration of the Client’s Subscription and for a reasonable period thereafter (typically up to 7 years) for audit, accounting, and legal-defense purposes.
- Client Data ingested from Ad Accounts is retained for as long as the Client maintains an active Subscription, or as otherwise specified in the Agreement or the Client’s instructions. Following termination of the Agreement, we will delete raw Client Data from our active systems within 90 days, except for data retained on standard backup media (which will be deleted in the ordinary course) or as required by law. For the avoidance of doubt, this deletion obligation applies to raw Client Data; it does not apply to Aggregated Insights or other de-identified outputs previously derived from Client Data, which are no longer Personal Information.
- Aggregated Insights are retained indefinitely. Because Aggregated Insights have been de-identified and aggregated such that they cannot reasonably be used to identify any Client or individual, they are no longer Personal Information and are not subject to deletion upon termination.
- Usage data and security logs are retained for as long as needed for security, fraud prevention, and improvement of the Services, typically up to 24 months.
We may retain information for longer periods where required or permitted by law.
11. Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, access controls, security monitoring, and employee training.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect Personal Information, we cannot guarantee absolute security.
If we become aware of a Security Incident affecting your Personal Information, we will notify affected Clients and, where required by law, affected individuals, in accordance with applicable law and our Agreement.
12. Your Rights
Subject to applicable law, you have the following rights in relation to your Personal Information:
- Right to access: Request a copy of the Personal Information we hold about you.
- Right to correction: Request that we correct inaccurate or incomplete information.
- Right to deletion: Request that we delete your Personal Information, subject to exceptions (for example, information we must retain for legal reasons).
- Right to portability: Request that we provide your Personal Information in a structured, commonly used, machine-readable format, or transmit it to another provider.
- Right to object or restrict processing: Object to or request restriction of certain processing activities.
- Right to withdraw consent: Withdraw consent where we rely on consent as the lawful basis for processing.
- Right to opt-out of sale or sharing: Although we do not sell or share Personal Information (as those terms are defined under CCPA/CPRA), you may confirm this at any time.
- Right to opt-out of automated decision-making and profiling, to the extent applicable.
- Right to non-discrimination: You have the right not to receive discriminatory treatment for exercising your rights.
- Right to lodge a complaint: If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority.
How to exercise your rights: To exercise any of these rights, email privacy@percuity.ai from the email address associated with your account (or with the individual whose information is at issue). We will respond within the timeframes required by applicable law (typically within 45 days under CCPA, extendable by an additional 45 days where reasonably necessary, and within one month under GDPR).
If the information at issue was provided by a Client and we are acting as a processor or service provider, we will forward your request to the Client and assist them in responding.
We may request information to verify your identity before processing your request. We will not charge a fee unless your request is manifestly unfounded or excessive.
13. California Privacy Rights
This section applies to California residents and supplements the rights described in Section 12. The categories of Personal Information we have collected in the past 12 months, the sources from which we collected it, and the purposes for which we collected it are described throughout this Privacy Policy (see Sections 2 and 4).
Categories of Personal Information we collect:
- Identifiers (such as name, email address, IP address, and account identifiers).
- Contact and account information (such as billing address, phone number, and company).
- Commercial information (such as records of Subscriptions, products purchased, and transaction history).
- Internet or network activity (such as pages visited, features used, and interactions with our Services).
- Geolocation data (approximate, based on IP address).
- Professional or employment-related information (such as job title and company).
- Inferences drawn from the above (such as preferences and usage patterns).
We do not knowingly collect Sensitive Personal Information as defined under the CPRA, except for account login credentials, which we use only for authentication and security purposes.
We do not sell or share Personal Information in the senses defined under CCPA/CPRA. We have not sold or shared Personal Information of minors under 16 years of age.
California residents may exercise their rights by emailing privacy@percuity.ai. Authorized agents may submit requests on a consumer’s behalf, subject to verification.
California residents have the right not to receive discriminatory treatment for exercising their CCPA/CPRA rights.
14. Children’s Privacy
The Services are intended for business users 18 years of age and older. We do not knowingly collect Personal Information from anyone under 18. If you learn that a child has provided Personal Information to us, please contact us at privacy@percuity.ai and we will promptly take steps to delete it.
15. Links to Third-Party Services
The Services may contain links to third-party websites and applications, including Ad Networks. We do not control these third-party services and are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party service before providing Personal Information to it.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you as required by applicable law — for example, by email or by posting a prominent notice on the Services — and update the “Last Updated” date at the top of this Privacy Policy. Your continued use of the Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes.
17. Contact Us
If you have questions, comments, or complaints about this Privacy Policy or our privacy practices, please contact us at:
Fibonacci, Inc.
c/o StartX
2627 Hanover Street
Palo Alto, CA 94304
Email: privacy@percuity.ai
Web: percuity.ai
For matters unrelated to privacy, you may also contact contact@percuity.ai.