Privacy Policy

We collect information you provide directly to us:

• Account data — name, email address, and password (stored as a bcrypt hash).
• Creator profile — content topics, style preferences, audience description, and sample posts you provide to seed AI generation.
• Platform credentials — OAuth tokens for connected social media accounts, stored encrypted at rest using AES-256 (Fernet).
• Content — posts, ideas, media files, and related metadata you create within the platform.

We also collect data automatically when you use our service:

• IP address and browser user-agent (for security and abuse prevention).
• Usage logs and audit events (actions you perform inside the app).
• Analytics data returned by connected social platforms (likes, impressions, reach).

• To provide, operate, and improve the Social UGC service.
• To generate and publish content on your behalf on the platforms you connect.
• To enforce security measures such as account lockout and multi-factor authentication.
• To send transactional notifications (e.g., post published, token expiring soon).
• To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal data to third parties.

We integrate with the following third-party services to provide core functionality:

• OpenAI / Anthropic — AI content generation. Your creator profile and content briefs are sent to their APIs. Review their respective privacy policies.
• Social platforms (Twitter/X, LinkedIn, Instagram, Facebook, TikTok, YouTube, Threads) — publishing and analytics access via OAuth. Each platform’s own privacy policy governs data held by them.
• Stripe — payment processing. We do not store payment card details; Stripe handles all billing data.
• Sentry — error monitoring. Crash reports may include sanitized request metadata.
• Cloudflare R2 / AWS S3 — media storage (if configured). Files are stored in your configured bucket.

We retain your data for as long as your account is active. You may request deletion at any time (see Your Rights below). On deletion, all personal identifiers are anonymized; audit log rows are retained in anonymized form for legal compliance.

Refresh tokens expire after 30 days and are automatically purged. OAuth tokens are stored only while you maintain the platform connection and are deleted when you disconnect.

Depending on where you reside, you may have the following rights:

• Access — request a copy of all data we hold about you. Use the Export Data feature in your account settings or call GET /api/auth/export-data.
• Erasure — permanently delete your account and anonymize all associated data. Use Delete Account in your account settings or call POST /api/auth/delete-account.
• Rectification — update inaccurate personal information via your profile page.
• Portability — receive your data in a machine-readable JSON format via the export endpoint above.
• Objection / Restriction — contact us to restrict certain processing activities.

To exercise any right not covered by the self-service tools above, email us at the address in the Contact section.

We apply industry-standard security practices: encrypted storage of credentials and secrets, bcrypt password hashing, JWT session management with rotation, TOTP multi-factor authentication for privileged accounts, account lockout after failed login attempts, and HTTPS-only transport.

No system is completely secure. If you discover a vulnerability please disclose it responsibly by contacting us directly.

Social UGC is a single-page application that stores JWTs in localStorage. We do not use third-party tracking cookies. If you use our marketing landing page, standard server access logs are collected.

For privacy-related questions or to exercise a right not available through self-service tools, please contact us at:

privacy@socialucg.com