Privacy Policy

1. Introduction

SocialCannon is a service operated by Tiny Red Pixel Ltd ("we," "us," or "our"). We operate a headless social media publishing API and related services, including a web dashboard, REST API, MCP server, and OpenClaw skill (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

By using SocialCannon, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account or API client, we collect your name, email address, and authentication credentials. API client secrets are hashed with bcrypt before storage and are never stored in plaintext.

2.2 Social Media Account Data

When you connect a social media account, we receive and store:

• Your platform username, display name, and account identifier
• OAuth access tokens and refresh tokens required to publish on your behalf
• Token expiration timestamps and granted permission scopes

Token encryption: All social platform tokens (access and refresh) are encrypted with AES-256-GCM before being stored in our database. Tokens are decrypted only in server memory at the moment an API call is made to the respective platform and are never exposed in API responses.

2.3 Content You Create

We store the content you create through the Service, including post text, media URLs, scheduling preferences, thread items, A/B test variants, and platform-specific options. This data is necessary to provide the publishing, scheduling, and analytics features of the Service.

2.4 Analytics and Engagement Data

We fetch and store engagement metrics (likes, comments, shares, impressions, reach, clicks) and comments/replies from connected social platforms for posts published through the Service. This data is used to provide analytics dashboards, A/B test winner determination, and timing suggestions.

2.5 Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, bank account details, or other payment instrument data on our servers. We receive and store your Stripe customer ID, subscription status, and billing period information to enforce subscription tier limits.

2.6 Automatically Collected Information

Our OAuth connect flows use temporary, httpOnly cookies to maintain state during the authorization process (e.g., CSRF tokens and PKCE code verifiers). These cookies expire after 10 minutes and are deleted upon completion of the OAuth flow. We do not use tracking cookies, advertising pixels, or third-party analytics scripts.

2.7 AI Content Repurposing Data

If you use the AI-powered content repurposing feature, the source content you provide is sent to Google's Gemini API (Google Generative AI) for processing. We do not store the model's responses beyond returning them to you. Please refer to Google's Privacy Policy for details on how they handle data.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Publish, schedule, and manage social media posts on your behalf
• Fetch and display engagement analytics from connected platforms
• Process A/B tests and determine winning content variants
• Generate posting time recommendations from your historical data
• Process payments and enforce subscription tier limits
• Send transactional communications related to your account
• Detect, investigate, and prevent fraudulent or unauthorized access
• Comply with legal obligations

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. How We Share Your Information

We share your information only in the following circumstances:

• Social media platforms: We transmit your content and media to the social media platforms you have connected to publish posts on your behalf. This is the core function of the Service.
• Payment processor: Stripe processes your payment information. See Stripe's Privacy Policy.
• Infrastructure providers: We use Google Cloud / Firebase for database hosting and file storage. Data is stored in accordance with Google Cloud's Data Processing terms.
• LLM provider: If you use content repurposing, your source content is sent to Google (Gemini API) for processing.
• Legal requirements: We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.1 Government and Law Enforcement Requests

We may receive requests from government, regulatory, or law enforcement authorities for the personal data of users. When we receive such a request, we apply the following processes:

• Legality review: We review the legality and validity of every request and only comply with requests that are lawful and properly issued.
• Challenging unlawful requests: Where we consider a request unlawful, overbroad, or improper, we will push back on or challenge it before responding.
• Data minimization: We disclose only the minimum information necessary to respond to a valid request.
• Documentation: We document each request we receive, our response, the legal basis relied upon, and the parties involved.

Where permitted by law, we will notify affected users of a request relating to their data.

5. Data Security

We implement the following security measures to protect your data:

• Encryption at rest: Social platform OAuth tokens are encrypted with AES-256-GCM before database storage. Each encrypted value includes a unique initialization vector (IV) and authentication tag.
• Secret hashing: API client secrets are hashed with bcrypt and cannot be recovered after initial creation.
• Authentication: All API access requires JWT Bearer tokens with scoped permissions, issued via OAuth2 client_credentials flow.
• Multi-tenant isolation: Every database query is filtered by client ID, ensuring complete data isolation between API clients.
• Rate limiting: Tiered rate limiting protects against abuse (30 requests/minute for Free, 300 for Pro).
• Transport encryption: All data in transit is encrypted via HTTPS/TLS.

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your data as follows:

• Account data: Retained for the duration of your account. You can delete your account and all associated data yourself at any time — see User Data Deletion Instructions. Residual media files are removed by lifecycle policy within 30 days.
• Social account tokens: Retained while the social account is connected. Tokens are deleted when you disconnect the account.
• Post content and analytics: Retained for the duration of your account or until you delete individual posts.
• Engagement data: Retained for the duration of your account. Engagement records are associated with specific posts and are deleted when the parent post is deleted.
• Payment records: Retained as required by applicable tax and financial regulations.
• OAuth cookies: Automatically expire after 10 minutes.

7. Your Rights

7.1 General Rights

Regardless of your location, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Disconnect your social media accounts at any time
• Export your data in a portable format via the API
• Withdraw consent for data processing

7.2 European Economic Area (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including:

• Right to data portability
• Right to restrict processing
• Right to object to processing
• Right to not be subject to automated decision-making
• Right to lodge a complaint with a supervisory authority

Our legal basis for processing your data is: (a) performance of a contract (providing the Service), (b) legitimate interests (security, fraud prevention), and (c) your consent (connecting social accounts, using AI features).

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising your privacy rights.

8. Third-Party Services

The Service integrates with the following third-party services. Each has its own privacy policy governing how it handles your data:

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10. International Data Transfers

Your data may be processed and stored in countries other than your own. We use service providers that participate in recognized data transfer mechanisms (such as EU Standard Contractual Clauses) to ensure your data receives an adequate level of protection regardless of where it is processed.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Privacy: privacy@socialcannon.app

Support: support@socialcannon.app