Privacy Policy

Effective 26 May 2026 · Kolorfirst LLC, Illinois, USA

This Privacy Policy describes how Kolorfirst LLC (“SOCIALEYES,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use the SOCIALEYES service available at https://socialeyes.co and related applications (collectively, the “Service”).

We are committed to transparency. If anything below is unclear, email privacy@socialeyes.co.

1. Data controller

The data controller for personal information processed via the Service is Kolorfirst LLC, Illinois, USA. For privacy questions, requests, or complaints, reach us at privacy@socialeyes.co.

2. Information we collect

We collect the following categories of personal information:

  • Account information — your name, email address, password hash (argon2id; we never store plaintext passwords), workspace name, role, and timezone.
  • Workspace metadata — workspace settings, white-label configuration (logo, custom domain), billing plan, and audit log entries for actions you take.
  • Authentication tokens — when you connect a social platform, we store the OAuth access and refresh tokens encrypted at rest. See §3 below.
  • Content you create — posts you compose, captions, media uploads, schedule details, drafts, comments and replies you send via SOCIALEYES.
  • Usage data — pages visited, features used, performance metrics, and error reports — used only to operate and improve the Service.
  • Device and log data — IP address, browser type, timestamps. Used for security, rate-limiting, and abuse detection.
  • Billing data — handled entirely by Stripe. Card data never touches our servers; we receive only Stripe customer IDs and invoice metadata.

3. Social platform data (LinkedIn, Meta, Google, X, TikTok, Pinterest, GBP, Threads, Bluesky, Tumblr)

When you connect a social media account, you authorize SOCIALEYES via the platform's official OAuth flow. We never receive your platform password. We request only the scopes necessary to deliver the features you enable.

What we access per platform (typical):

  • LinkedIn — basic profile (name, photo, user URN), list of LinkedIn Pages you administer, organization details, and permission to read and write posts and engagement on Pages you have authorized.
  • Facebook & Instagram (Meta) — page list, page-management permissions, post insights, comments, and direct messages for the Pages and Instagram Business accounts you connect.
  • Google (YouTube, Google Business Profile) — channel metadata, video upload permission, analytics, and location/profile data for GBP locations you administer.
  • X (Twitter) — basic profile, tweet read/write, and direct message read/write where you have authorized it.
  • TikTok, Pinterest, Threads, Bluesky, Tumblr — scopes required to compose, schedule, and analyze content you create via SOCIALEYES.

How we store these tokens. OAuth tokens are encrypted at rest using AES-256-GCM envelope encryption with keys managed by AWS Key Management Service (KMS). Each token ciphertext is bound to its account ID via Additional Authenticated Data so a ciphertext cannot be re-used across accounts. The keys never leave KMS; plaintext tokens exist only in process memory during a request.
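
The account binding described above, shown as an added example (not SOCIALEYES code) using Node.js's built-in crypto module. A local key stands in for the KMS-held key, and the `account:<id>` AAD format, the function names and the sample token are assumptions.

```javascript
const crypto = require('node:crypto');

// Local stand-in for the KMS-held key (assumption: a real service asks KMS to
// wrap and unwrap the data key, so this key would never sit in process memory).
const kek = crypto.randomBytes(32);

// AES-256-GCM seal: returns nonce || ciphertext || 16-byte tag.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// AES-256-GCM open: throws if the ciphertext, tag or AAD does not match.
function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('ciphertext too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Hypothetical AAD encoding of the account ID.
const aadFor = (accountId) => Buffer.from(`account:${accountId}`, 'utf8');

// Envelope step: a fresh data key per token, stored only in wrapped form.
function encryptToken(accountId, token) {
  const dek = crypto.randomBytes(32);
  const aad = aadFor(accountId);
  return { wrappedKey: seal(kek, dek, aad), token: seal(dek, Buffer.from(token), aad) };
}

// Returns the token, or null when the record does not authenticate for accountId.
function decryptToken(accountId, record) {
  try {
    const aad = aadFor(accountId);
    const dek = open(kek, record.wrappedKey, aad);
    return open(dek, record.token, aad).toString('utf8');
  } catch {
    return null; // GCM tag check failed: wrong account, or modified bytes
  }
}

// Constructed sample: one stored record, read back under two account IDs.
const rec = encryptToken('acct-1001', 'constructed-sample-token');
console.log(decryptToken('acct-1001', rec), decryptToken('acct-2002', rec));
```

Because the account ID is authenticated but not stored inside the ciphertext, a record copied onto another account's row fails the GCM tag check instead of decrypting to the original owner's token.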

How long we keep tokens. Tokens are retained for as long as your account remains connected. When you disconnect an account in the SOCIALEYES UI, or revoke access from the platform's own settings, we delete the encrypted token within 24 hours. We do not retain platform data after disconnection except as required for the audit log (which records the disconnection event, not the data itself).

Platform-specific compliance. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Our use of LinkedIn data adheres to the LinkedIn API Terms of Use. Our use of Meta platforms adheres to the Meta Platform Terms.

4. How we use the information

We use personal information to:

  • Provide, operate, and maintain the Service.
  • Publish posts and replies to your connected social accounts at the times and to the audiences you instruct.
  • Pull and present analytics, reports, and insights about the social accounts you have connected.
  • Authenticate your users, prevent fraud and abuse, and rate-limit.
  • Respond to support requests and communicate service updates.
  • Process payments through Stripe and manage your subscription.
  • Improve the Service through aggregated, de-identified usage analysis. We do not sell personal information.

We do not use the content of your posts, messages, or analytics for advertising, profiling unrelated users, or training machine-learning models that are exposed to other customers.

6. When we share data

We share personal information only as follows:

  • Social platforms — when you instruct us to publish, reply, or fetch data, we transmit the relevant content to that platform via its official API.
  • Sub-processors — for hosting (OVH, AWS), database (PostgreSQL on our managed servers), email (Resend), error monitoring (Sentry), and payments (Stripe). A current list is available on request.
  • Workspace members — content within a workspace is visible to the members of that workspace consistent with their roles and scoped-account assignments.
  • Legal compliance — to comply with valid legal process. We will challenge overly broad requests and notify you unless prohibited by law.
  • Business transfers — in connection with a merger, acquisition, or asset sale, in which case any successor will be bound by terms no less protective than this policy.

We do not sell personal information.

7. Data retention

We retain account and workspace data for as long as your subscription is active and for up to 30 days after cancellation, then we delete or irreversibly anonymize it. Audit log entries are retained for up to 7 years to support security investigations and regulatory obligations. OAuth tokens are deleted within 24 hours of disconnection.

8. Security

We use industry-standard safeguards:

  • Encryption at rest — OAuth tokens via AES-256-GCM envelope encryption with AWS KMS-managed keys. Databases are encrypted at the volume level.
  • Encryption in transit — TLS 1.2+ on every endpoint, HSTS preload, secure cookies.
  • Access controls — multi-tenant isolation enforced at the ORM and database (row-level security) layers.
  • Audit logging — every workspace mutation is recorded with actor, action, and before/after snapshots.
  • Card data — handled exclusively by Stripe, a PCI DSS Level 1 service provider. We never see card numbers.

No system is perfect. If you suspect a security issue, please email security@socialeyes.co.

9. Your rights

Depending on your jurisdiction, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your account and associated personal data.
  • Export your data in a portable format (workspace settings, audit log, member roster, and content references).
  • Object to or restrict certain processing.
  • Withdraw consent for any platform connection at any time.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@socialeyes.co from the address associated with your account. We respond within 30 days.

10. International transfers

SOCIALEYES is operated from the United States. If you are accessing the Service from outside the U.S., your data will be transferred to and processed in the U.S. and other jurisdictions where our sub-processors operate. We rely on Standard Contractual Clauses and equivalent safeguards for transfers from the EEA, UK, and Switzerland.

11. Cookies & tracking

We use a minimal set of cookies: a session cookie for authentication, a CSRF token, and (optionally) a single first-party analytics cookie to count page visits. We do not run third-party advertising trackers. You can clear or block cookies in your browser settings; if you do, parts of the Service may not function.

12. Children

The Service is not directed to children under 16 and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, email privacy@socialeyes.co and we will delete it.

13. Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Effective” date above and, for material changes, notify you by email or an in-product banner at least 14 days before the change takes effect.

14. Contact

For any privacy question, request, or complaint:

Kolorfirst LLC
Illinois, USA
Email: privacy@socialeyes.co