# Privacy Policy

**Last Updated: 1 November 2025**

## 1. Introduction

Welcome to SocialGummy ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered social media content creation and management platform (the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

**Contact Information:**  
Email: TinyGiantTech@gmail.com

**Governing Law:**  
This Privacy Policy is governed by the laws of England and Wales and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

---

## 2. Information We Collect

### 2.1 Information You Provide Directly

**Account Information:**
- Email address (required for account creation)
- Display name (optional)
- Avatar/profile picture (optional)
- Password (encrypted and never stored in plain text)

**Payment Information:**
- Payment card details (processed securely by our payment processor)
- Billing address
- Transaction history
- Subscription tier and credit balance

**Content Data:**
- Text content you create or generate (tweets, LinkedIn posts, Reddit posts, blog articles)
- Images you upload or generate using AI
- Videos you upload or create
- Audio files you upload
- Templates you create or customize
- Scheduled posts and calendar data
- Social media captions and hashtags

**Social Media Connections:**
- OAuth tokens for connected platforms (Twitter, LinkedIn, Reddit, TikTok, Instagram, Pinterest)
- Social media account names and IDs
- Platform-specific credentials (encrypted)
- Token expiration dates

**Lead Hunter Data:**
- Product/service descriptions you provide
- Subreddit preferences
- Lead search queries
- Generated replies and engagement data

### 2.2 Information Collected Automatically

**Usage Data:**
- Features you use and how often
- Credits consumed per feature
- Content generation requests and results
- Time spent on different pages
- Click patterns and navigation paths
- Feature adoption and engagement metrics

**Technical Data:**
- IP address
- Browser type and version
- Device type and operating system
- Screen resolution
- Referring website
- Pages visited and timestamps
- Cookies and similar tracking technologies

**Performance Data:**
- API response times
- Error logs and debugging information
- System performance metrics
- Feature success/failure rates

### 2.3 Information from Third Parties

**Social Media Platforms:**
- Public profile information from connected accounts
- Post performance data (when available via APIs)
- Platform-specific metadata

**AI Service Providers:**
- Usage statistics from OpenRouter, Google Gemini, ElevenLabs, Fal.ai, and Submagic
- Processing results and metadata
- Error reports and logs

**Payment Processors:**
- Payment confirmation
- Fraud detection data
- Transaction status

---

## 3. How We Use Your Information

### 3.1 To Provide and Improve the Service

- **Account Management:** Create and maintain your account, authenticate your identity, and manage your subscription
- **Content Generation:** Process your requests to generate text, images, videos, and other content using AI
- **Social Media Integration:** Connect to your social media accounts and post content on your behalf
- **Lead Generation:** Discover relevant leads on Reddit and generate contextual replies
- **Scheduling:** Store and execute scheduled posts at your specified times
- **Credit System:** Track your credit balance and deduct credits for feature usage
- **Customer Support:** Respond to your inquiries and provide technical assistance

### 3.2 To Improve and Optimize

- **Service Enhancement:** Analyze usage patterns to improve features and user experience
- **AI Model Training:** Use anonymized, aggregated data to improve our AI models (we never use your personal content for training without explicit consent)
- **Performance Optimization:** Monitor system performance and identify areas for improvement
- **Bug Fixes:** Identify and resolve technical issues
- **Feature Development:** Understand which features are most valuable to users

### 3.3 To Communicate with You

- **Service Updates:** Notify you of new features, updates, and changes to the Service
- **Account Notifications:** Send important account-related messages (password resets, subscription changes, credit balance alerts)
- **Marketing Communications:** Send promotional emails about new features or offers (you can opt out at any time)
- **Support Messages:** Respond to your support requests and inquiries

### 3.4 For Security and Compliance

- **Fraud Prevention:** Detect and prevent fraudulent activities, abuse, and unauthorized access
- **Security Monitoring:** Monitor for security threats and vulnerabilities
- **Legal Compliance:** Comply with legal obligations, court orders, and regulatory requirements
- **Terms Enforcement:** Enforce our Terms of Service and other policies
- **Abuse Prevention:** Detect patterns of abuse such as multiple free account signups

---

## 4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

### 4.1 Contractual Necessity
Processing is necessary to perform our contract with you (Terms of Service), including:
- Providing access to the Service
- Processing payments
- Delivering features you request
- Managing your account

### 4.2 Legitimate Interests
We have legitimate interests in:
- Improving and optimizing the Service
- Preventing fraud and abuse
- Ensuring security and system integrity
- Analyzing usage patterns
- Developing new features

### 4.3 Consent
We obtain your explicit consent for:
- Marketing communications
- Connecting social media accounts
- Using cookies and tracking technologies
- Processing sensitive content (if applicable)

### 4.4 Legal Obligations
We process data to comply with:
- Tax and accounting requirements
- Legal requests from authorities
- Regulatory obligations
- Court orders and legal proceedings

---

## 5. How We Share Your Information

### 5.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

### 5.2 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service:

**Infrastructure and Hosting:**
- **Supabase:** Database hosting, authentication, and storage (PostgreSQL, Row-Level Security)
- **Vercel:** Application hosting and deployment
- **CDN Providers:** Content delivery for faster performance

**AI and Processing Services:**
- **OpenRouter:** AI content generation (Gemini, Claude, GPT-4)
- **Google Gemini:** Image generation and text processing
- **ElevenLabs:** Text-to-speech voice synthesis
- **Fal.ai:** UGC video creation
- **Submagic:** Video captioning and enhancement

**Payment Processing:**
- **Payment Processors:** Secure payment processing (we do not store full credit card details)

**Analytics and Monitoring:**
- **Vercel Analytics:** Usage analytics and performance monitoring
- **Vercel Speed Insights:** Performance optimization

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

### 5.3 Social Media Platforms

When you connect social media accounts and authorize posting:
- We share content you create with the respective platforms (Twitter, LinkedIn, Reddit, etc.)
- We transmit OAuth tokens to authenticate your requests
- Platforms may collect their own data according to their privacy policies

### 5.4 Legal Requirements

We may disclose your information if required to:
- Comply with legal obligations, court orders, or subpoenas
- Protect our rights, property, or safety
- Investigate fraud, security issues, or Terms violations
- Respond to government or regulatory requests
- Enforce our Terms of Service

### 5.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide options regarding your data.

---

## 6. Data Security

### 6.1 Security Measures

We implement industry-standard security measures to protect your data:

**Technical Safeguards:**
- **Encryption:** All data is transmitted over HTTPS/TLS-encrypted connections
- **Database Security:** Row-Level Security (RLS) ensures users can only access their own data
- **Token Encryption:** OAuth tokens and sensitive credentials are encrypted at rest
- **Authentication:** Secure authentication via Supabase Auth with JWT tokens
- **Access Controls:** Role-based access controls and principle of least privilege
- **API Security:** Rate limiting, input validation, and CORS policies

**Organizational Safeguards:**
- Regular security audits and vulnerability assessments
- Employee training on data protection
- Incident response procedures
- Regular backups and disaster recovery plans
- Monitoring and logging of security events

### 6.2 Data Breach Notification

In the event of a data breach that affects your personal information, we will:
- Notify you within 72 hours of becoming aware of the breach
- Inform relevant supervisory authorities as required by law
- Provide details about the breach and steps we are taking
- Offer guidance on protecting yourself from potential harm

### 6.3 Your Responsibility

You are responsible for:
- Maintaining the confidentiality of your account credentials
- Using strong, unique passwords
- Enabling two-factor authentication (if available)
- Reporting suspicious activity immediately
- Keeping your contact information up to date

---

## 7. Data Retention

### 7.1 Active Accounts

We retain your data while your account is active and for as long as necessary to provide the Service:
- **Account Information:** Retained while account is active
- **Content Data:** Retained until you delete it or close your account
- **Usage Logs:** Retained for 12 months for analytics and debugging
- **Payment Records:** Retained for 7 years for tax and accounting purposes

### 7.2 Account Deletion

You can request deletion of your account at any time through Settings → Account.

**30-Day Grace Period:**
When you request account deletion:
- Your account will be scheduled for deletion in 30 days
- During this grace period, your account remains active
- You can cancel the deletion request at any time
- You can continue using all features normally
- After 30 days, deletion is automatic and irreversible

**What Will Be Permanently Deleted:**
After the 30-day grace period, the following data will be permanently deleted:
- ✅ **Social Accounts**: All connected social media accounts (Instagram, TikTok, YouTube, LinkedIn, Pinterest, Reddit, Twitter)
- ✅ **Access Tokens**: All OAuth tokens and refresh tokens for connected platforms
- ✅ **Posting History**: All records of posts made to any platform
- ✅ **Scheduled Posts**: All posts in the queue waiting to be published
- ✅ **Video Metadata**: All video names, tags, captions, and custom metadata
- ✅ **Video Jobs**: All processing jobs and queue positions
- ✅ **Storage Files**: All videos in your storage (both raw and processed)
- ✅ **User Account**: Your authentication account and all personal data

**What We Keep (For Compliance):**
- Audit logs of the deletion request (date, time, no personal data)
- Billing records (if required by law, typically 7 years for tax purposes)
- Anonymized, aggregated analytics data

**How to Cancel:**
To cancel a deletion request during the 30-day grace period:
- Go to Settings → Account and click "Cancel Deletion Request"
- Or email us at TinyGiantTech@gmail.com with "Cancel Account Deletion" in the subject line

**Important Notes:**
- This action cannot be undone after the 30-day grace period
- We recommend downloading your data before requesting deletion
- Your subscription will be cancelled automatically
- You will not be charged after deletion

### 7.3 Specific Data Types

- **OAuth Tokens:** Deleted immediately when you disconnect a social account
- **Generated Content:** Deleted when you delete it or within 30 days of account closure
- **Templates:** Public templates may remain available to other users
- **Transaction Records:** Retained for 7 years for legal and tax purposes
- **Support Communications:** Retained for 3 years

---

## 8. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights:

### 8.1 Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format.

### 8.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

### 8.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purposes it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed

### 8.4 Right to Restriction of Processing
You have the right to request that we restrict processing of your personal data in certain circumstances:
- You contest the accuracy of the data
- Processing is unlawful but you don't want the data erased
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification

### 8.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

### 8.6 Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes.

### 8.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

### 8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your data properly:
- **ICO Website:** https://ico.org.uk/
- **ICO Helpline:** 0303 123 1113

### 8.9 Exercising Your Rights

To exercise any of these rights, contact us at:
- **Email:** TinyGiantTech@gmail.com
- **Subject Line:** "Data Subject Rights Request"

We will respond to your request within 30 days. We may request additional information to verify your identity before processing your request.

---

## 9. Cookies and Tracking Technologies

### 9.1 What Are Cookies?

Cookies are small text files stored on your device that help us provide and improve the Service. We use cookies and similar technologies for authentication, preferences, analytics, and security.

### 9.2 Types of Cookies We Use

**Essential Cookies (Required):**
- Authentication cookies to keep you logged in
- Session cookies to maintain your session state
- Security cookies to prevent fraud and abuse
- Load balancing cookies for performance

**Functional Cookies (Optional):**
- Preference cookies to remember your settings (theme, language)
- Feature cookies to enable specific functionality
- Analytics cookies to understand usage patterns

**Analytics Cookies (Optional):**
- Vercel Analytics to measure performance and usage
- Vercel Speed Insights for performance optimization
- Aggregated, anonymized usage statistics

### 9.3 Third-Party Cookies

We may use third-party cookies from:
- Supabase (authentication and database)
- Vercel (hosting and analytics)
- Payment processors (fraud prevention)

### 9.4 Managing Cookies

You can control cookies through:
- **Browser Settings:** Most browsers allow you to refuse or delete cookies
- **Opt-Out Tools:** Use browser extensions or privacy tools
- **Do Not Track:** We respect Do Not Track signals where technically feasible

Note: Disabling essential cookies may prevent you from using certain features of the Service.

### 9.5 Local Storage

We use browser local storage to:
- Cache session data for better performance
- Store temporary content while you work
- Remember your preferences
- Enable offline functionality (where applicable)

---

## 10. International Data Transfers

### 10.1 Data Location

Your data is primarily stored and processed in:
- **Primary Region:** European Union (Supabase EU region)
- **Backup Region:** Additional EU data centers for redundancy

### 10.2 Transfers Outside the UK/EU

Some of our service providers may process data outside the UK/EU:
- **United States:** OpenRouter, ElevenLabs, Fal.ai, Submagic
- **Global CDN:** Content delivery networks for performance

### 10.3 Safeguards for International Transfers

When we transfer data internationally, we ensure adequate protection through:
- **Standard Contractual Clauses (SCCs):** EU-approved data transfer agreements
- **Adequacy Decisions:** Transfers to countries with adequate data protection
- **Binding Corporate Rules:** For transfers within corporate groups
- **Your Explicit Consent:** Where required by law

---

## 11. Children's Privacy

### 11.1 Age Restriction

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

### 11.2 Parental Notice

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at TinyGiantTech@gmail.com. We will delete such information promptly.

---

## 12. AI and Automated Decision-Making

### 12.1 AI Content Generation

We use AI systems to generate content based on your inputs. These systems:
- Process your prompts and preferences
- Generate text, images, videos, and other content
- Provide suggestions and recommendations
- Score and qualify leads

### 12.2 No Automated Decisions with Legal Effect

We do not use automated decision-making that produces legal effects or similarly significantly affects you, except:
- **Credit Deduction:** Automated credit deduction based on feature usage (you can contest charges)
- **Abuse Detection:** Automated flagging of suspicious activity (subject to human review)

### 12.3 Your Rights

You have the right to:
- Understand how AI decisions are made
- Contest automated decisions
- Request human review of automated decisions
- Opt out of certain automated processing

---

## 13. Public Templates and User-Generated Content

### 13.1 Public Templates

When you create a template and mark it as "public":
- The template becomes visible to all users
- Other users can use your template in their content
- Your username may be displayed as the template creator
- You grant other users a license to use the template within the Service

### 13.2 Template Licenses

- **Public Templates:** Licensed under a Creative Commons-style license for use within the Service
- **Private Templates:** Accessible only to you
- **Platform Templates:** Provided by us for all users

### 13.3 User Responsibility

You are responsible for ensuring that public templates:
- Do not contain copyrighted materials without permission
- Do not violate third-party rights
- Comply with our Terms of Service
- Are appropriate for public sharing

---

## 14. Third-Party Links and Services

### 14.1 External Links

The Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

### 14.2 Social Media Platforms

When you connect social media accounts:
- Each platform has its own privacy policy
- Platforms may collect data about your use of their services
- We are not responsible for platform privacy practices
- You should review each platform's privacy policy

### 14.3 Third-Party Integrations

We integrate with third-party services:
- **AI Providers:** OpenRouter, Google Gemini, ElevenLabs, Fal.ai, Submagic
- **Social Platforms:** Twitter, LinkedIn, Reddit, TikTok, Instagram, Pinterest
- **Infrastructure:** Supabase, Vercel

Each service has its own privacy policy and data practices.

---

## 15. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

### 15.1 Right to Know
You have the right to know what personal information we collect, use, disclose, and sell.

### 15.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions.

### 15.3 Right to Opt-Out
You have the right to opt out of the sale of your personal information. **We do not sell personal information.**

### 15.4 Right to Non-Discrimination
You have the right not to be discriminated against for exercising your CCPA rights.

### 15.5 Exercising CCPA Rights
To exercise your CCPA rights, contact us at TinyGiantTech@gmail.com with "CCPA Request" in the subject line.

---

## 16. Changes to This Privacy Policy

### 16.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on our website
- Sending an email to your registered email address
- Displaying a notice in the Service

### 16.2 Effective Date

The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

### 16.3 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

---

## 17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

**Email:** TinyGiantTech@gmail.com  
**Subject Line:** "Privacy Inquiry"

**Data Protection Officer:**  
For data protection inquiries, contact: TinyGiantTech@gmail.com

**Supervisory Authority:**  
Information Commissioner's Office (ICO)  
Website: https://ico.org.uk/  
Helpline: 0303 123 1113

---

## 18. Summary of Key Points

- **Data Collection:** We collect account information, content data, usage data, and technical data
- **Data Use:** We use data to provide the Service, improve features, and communicate with you
- **Data Sharing:** We share data with service providers but never sell it
- **Data Security:** We implement strong security measures including encryption and RLS
- **Your Rights:** You have rights to access, rectify, erase, and port your data
- **Cookies:** We use essential and optional cookies; you can manage preferences
- **International Transfers:** Data may be transferred internationally with appropriate safeguards
- **Children:** Service is not for users under 13
- **Contact:** Email TinyGiantTech@gmail.com for privacy inquiries

---

**By using SocialGummy, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.**

