We collect the minimum needed to run the Service, store it securely, and never sell it. This page explains exactly what and why.
1. Who’s in charge of your data
The data controller is the operator of Social Media Agent. Contact: deylian@heykoop.nl.
2. What we collect
From you, directly
- Email address, name, avatar (Google OAuth or email sign-in)
- Workspace and brand voice settings
- Posts, captions, hashtags, images, videos you create or upload
- AI chat messages you send and the responses
- Connected social account metadata (handle, ID, profile name)
From platforms you connect
- OAuth access + refresh tokens (encrypted at rest with AES-256-GCM)
- Per-post performance metrics (impressions, reach, likes, comments, etc.)
Automatically
- IP address, user-agent, and last-active time for sessions (security)
- Cookieless product events (which features you use) — first-party, no third-party trackers
- Server logs (kept 30 days, then auto-deleted)
3. Why we collect it (lawful basis)
- To provide the Service — contract (GDPR Art. 6(1)(b))
- Security (session info, IPs) — legitimate interest (Art. 6(1)(f))
- Billing — contract + legal obligation (Art. 6(1)(c))
- Product analytics — legitimate interest, cookieless, opt-out anytime
We never use your content to train shared AI models.
4. Sub-processors we use
- OpenAI — AI text + image generation (your prompts + outputs)
- HeyGen — AI video generation (only when you use it)
- Stripe — billing (handles card data; we never see it)
- Hetzner — server hosting (Postgres, Redis, MinIO)
- Google — OAuth identity
- Meta / LinkedIn / X / TikTok / etc. — only when you connect them and only to publish what you asked us to publish
5. Where it lives
Primary storage is in the EU (Hetzner Falkenstein). Some sub-processors (OpenAI, HeyGen, Stripe) may process data in the US under Standard Contractual Clauses (SCCs).
6. How long we keep it
- Account data — until you delete your account
- Server logs — 30 days
- Audit trail — 12 months
- Invoices & payment records — 7 years (Dutch tax law)
- Deleted account data — purged within 30 days, except invoices
7. Your rights (GDPR)
You can, at any time:
- Export everything we hold for you — one JSON file via Privacy & data
- Delete your account and all associated data — same page
- Disconnect any social account immediately — Connected accounts
- Correct incorrect data — most fields are editable in-app; email us for anything else
- Object to processing or withdraw consent — email us
- Complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we’ve mishandled your data
8. Security
- All traffic is HTTPS (TLS 1.2+, modern ciphers only).
- OAuth tokens are encrypted at rest with AES-256-GCM.
- Sessions are httpOnly, SameSite=Lax cookies. We never store the session token itself — only its SHA-256 hash.
- Optional two-factor authentication (TOTP) available in Security.
- Strict Content Security Policy and rate-limiting on all endpoints.
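The session-handling pattern described above (a random token sent to the browser as an httpOnly, SameSite=Lax cookie, with only its SHA-256 hash kept server-side alongside the IP, user-agent and last-active time), shown as an added illustration. This is not the Service's own code; the in-memory `SESSION_STORE`, the 14-day idle timeout and all sample values are constructed for the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed idle timeout for the example; not a value stated by the policy.
SESSION_TTL = timedelta(days=14)

# Constructed in-memory store standing in for a sessions table. The key is the
# SHA-256 hex digest of the token; the raw token is never written here.
SESSION_STORE: dict[str, dict] = {}


def hash_token(token: str) -> str:
    """Storage key for a token. A dump of the store yields only digests, and
    SHA-256 preimage resistance means they cannot be turned back into tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_session(user_id: str, ip: str, user_agent: str,
                   now: Optional[datetime] = None) -> str:
    """Mint a random 256-bit token, persist only its hash plus the security
    metadata (IP, user-agent, last-active), and return the raw token once."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
    SESSION_STORE[hash_token(token)] = {
        "user_id": user_id,
        "ip": ip,
        "user_agent": user_agent,
        "last_active": now,
    }
    return token


def session_cookie(token: str, secure: bool = True) -> str:
    """Set-Cookie value: HttpOnly keeps scripts from reading it, SameSite=Lax
    stops cross-site POSTs from carrying it, Secure restricts it to HTTPS."""
    attrs = [
        f"session={token}",
        "HttpOnly",
        "SameSite=Lax",
        "Path=/",
        f"Max-Age={int(SESSION_TTL.total_seconds())}",
    ]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def lookup_session(token: str, now: Optional[datetime] = None) -> Optional[dict]:
    """Resolve a presented token: hash it, find the row, drop the row if it has
    been idle longer than SESSION_TTL, otherwise refresh last_active and return it."""
    now = now or datetime.now(timezone.utc)
    key = hash_token(token)
    record = SESSION_STORE.get(key)
    if record is None:
        return None
    if now - record["last_active"] > SESSION_TTL:
        del SESSION_STORE[key]
        return None
    record["last_active"] = now
    return record


def revoke_session(token: str) -> bool:
    """Logout or account-deletion path: remove the row by its hash."""
    return SESSION_STORE.pop(hash_token(token), None) is not None


def store_contains_raw_token(token: str) -> bool:
    """Invariant check: the raw token must never appear anywhere in the store."""
    return any(token in key or token in repr(value)
               for key, value in SESSION_STORE.items())


if __name__ == "__main__":
    t = create_session("user-1", "203.0.113.5", "Mozilla/5.0")
    print(session_cookie(t))
    print("raw token in store:", store_contains_raw_token(t))
    print("lookup:", lookup_session(t)["user_id"])
```

Because the browser holds the only copy of the raw token, a leaked sessions table cannot be replayed, and revocation (logout, account deletion, or the 30-day purge) is a single row delete keyed by the hash.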
9. Instagram & Meta data
When you connect Instagram, we use the official Instagram Login API to request only the scopes needed to publish on your behalf (instagram_business_basic, instagram_business_content_publish, instagram_business_manage_comments, instagram_business_manage_messages). We store your numeric Instagram user ID, username, display name, avatar URL, and the long-lived access token (encrypted with AES-256-GCM). We do not read Instagram messages or comments unless you explicitly use an in-app feature that requires it, and we never sell or share this data with third parties.
You can revoke access at any time from Connected accounts, or from Instagram itself under Settings → Apps and Websites. When you revoke from Instagram, Meta calls our Deauthorize endpoint and we immediately mark the account disconnected. To request full data deletion through Meta, Instagram invokes our Data Deletion endpoint — we delete every stored token, profile field, and per-account piece of metadata for that Instagram identity within minutes and return a confirmation URL Meta surfaces back to you.
10. YouTube & Google API Services data
When you connect a YouTube channel, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use the YouTube Data API Services only to perform actions you explicitly request: read your channel identity (id, title, custom URL, avatar) to display the connected account, and upload videos to that channel when you schedule or send a post. We do not use YouTube data to build user profiles, run advertising, or train models, and we do not transfer it to any third party other than the sub-processors listed above strictly to operate the Service.
Specifically, we store: your YouTube channel id and display name, the encrypted OAuth access and refresh tokens (AES-256-GCM), the platform-returned video id and URL for each post you publish, and the post’s public performance metrics. We do not store the raw video bytes after upload completes.
You can revoke our access to your YouTube channel at any time from Connected accounts in the app, or directly via https://myaccount.google.com/permissions. When you revoke, we destroy the stored tokens and channel metadata within 30 days. Use of YouTube features inside the Service is also bound by the YouTube Terms of Service and the Google Privacy Policy.
11. Children
The Service is not for users under 16. If we learn we’ve collected data on a child under 16, we delete it.
12. Changes to this policy
Material changes will be announced in-app at least 14 days before they take effect. The last-updated date at the top of this page always reflects the current version.
13. Contact
Privacy questions, data requests, or complaints: deylian@heykoop.nl.