Delva
Start trial

Legal

Privacy Policy

Effective May 12, 2026. We treat your data the way we'd want ours treated.

This policy explains what Delva (operated by Delva LLC, "Delva", "we") collects when you use delva.io and app.delva.io, what we do with it, who else sees it, and the choices you have. If anything here is unclear, email privacy@delva.io.

What we collect

Account information. Your name, email, agency name, and authentication details (password hash via Supabase Auth, or Google OAuth identifiers if you sign in with Google).

Payment information. Card details are collected directly by Stripe through their secure form embedded in our signup flow. Delva never sees or stores raw card numbers. We store the Stripe customer and subscription identifiers and billing history records returned to us by Stripe.

Service content. Anything you upload or generate to run campaigns: client briefs, reference images, ad copy drafts, creative variants, funnel pages, intake form responses your end clients submit.

Usage data. Standard server logs (IP, user agent, timestamps, URLs visited), product analytics on which features are used, and error reports via Sentry. We do not use third-party advertising trackers.

How we use it

  • Provide the Delva platform: generate ad copy, render creatives, push to Meta, host funnels.
  • Bill your subscription and meter API credit usage.
  • Send transactional emails (signup confirmation, billing receipts, trial expiry).
  • Debug issues you report and monitor service health.
  • Improve the product. We do not train AI models on your content; see the AI section below.

AI providers and your content

Delva uses Anthropic Claude for copy generation and Google Gemini for image generation. Your briefs, reference images, and generated outputs are sent to these providers as inputs to API calls. Both providers contractually commit (under their enterprise terms or our usage tier) not to train their foundation models on your inputs.

If you bring your own API keys, your content goes directly to your own accounts at those providers under your own terms with them.

Who we share with

We share data only with service providers that make Delva work:

  • Stripe: payment processing.
  • Supabase: database, authentication, file storage.
  • Vercel: hosting.
  • Anthropic, Google (Gemini): AI generation.
  • Meta: when you connect Meta Ads, we push ad assets to your Ad Account on your behalf.
  • Sentry: error monitoring.
  • Resend / Supabase SMTP: transactional email.

We do not sell your data. We do not share it for advertising. We do not share it with anyone for any purpose outside the list above, except when required by law (subpoena, court order) or to defend our rights.

Where data is stored

Primary database and file storage are hosted in the United States (East US region, Supabase). Subprocessors may store data in other regions per their own terms. If you are in the EEA or UK, your data crosses to the US under standard contractual clauses where applicable.

How long we keep it

Account and service content are retained for the life of your subscription. After you cancel, you have 30 days to export your data before we delete it. Billing records are retained 7 years for tax and accounting purposes. Error logs are retained 90 days. Analytics events are retained 24 months.

Your rights

Depending on where you live (California, Colorado, Connecticut, Virginia, Utah, EEA, UK, and others), you have some or all of the following rights:

  • Access: ask for a copy of your data.
  • Correct: ask us to fix inaccurate data.
  • Delete: ask us to delete your data, subject to legal retention.
  • Export: download your data in a portable format. Available self-serve under sub-account settings.
  • Object or restrict processing for certain purposes.
  • Withdraw consent where we rely on consent.

To exercise any of these, email privacy@delva.io. We respond within 30 days. We will not retaliate against you for exercising a privacy right.

Cookies

We use cookies for authentication (session cookies), CSRF protection, and to remember your impersonation state if you are a platform admin. We do not use third-party advertising cookies. End-user funnels you build on Delva may set their own cookies; that is governed by the privacy policy of the agency operating the funnel, not by Delva.

Children

Delva is a B2B tool for marketing agencies and is not directed to children. We do not knowingly collect personal information from children under 13 (or the higher age threshold applicable in your jurisdiction). Account holders must be at least 18 under our Terms. If you believe a child has provided us information, email us and we will delete it.

Security

Transport encryption with TLS 1.2+. Data at rest encrypted by our storage providers. Password hashes via Supabase Auth (bcrypt). Access to production data is limited to the Delva team and audited. In the event of a material data breach, we will notify the relevant supervisory authorities within 72 hours where required by law, and notify affected users without undue delay.

Changes to this policy

We will update this page when the policy changes and update the effective date. For material changes (new categories of data, new sharing) we will email registered users at least 30 days before the change takes effect.

Contact

Delva LLC
privacy@delva.io