Privacy Policy

SocialSyncs ("we", "our", or "us"), operated by Lakshit Ukani, provides a social media scheduling and automation platform accessible at socialsyncs.co and app.socialsyncs.co (the "Service"). This Privacy Policy explains what data we collect, why we collect it, how we store and use it, and your rights regarding that data.

By using the Service you agree to the practices described in this policy. If you do not agree, please stop using the Service.

2.1 Account data

When you register we collect your name, email address, and a hashed password (or OAuth identity token if you use a third-party sign-in).

2.2 Instagram / Meta data

When you connect an Instagram Professional (Business or Creator) account we request and store:

• Instagram account ID, username, profile picture, and biography
• Access tokens issued by Meta (used to act on your behalf)
• Media objects: captions, media URLs, media type, publish timestamps
• Comment text, comment author IDs, and comment timestamps
• Direct message content, sender/recipient IDs, and message timestamps
• Story reply content and associated metadata
• Account and media insights: reach, impressions, engagement counts, follower demographics

We store this data on our servers and in our database in order to provide scheduling, automation, and analytics features.

2.3 Other social platforms

If you connect other platforms (YouTube, LinkedIn, X/Twitter, TikTok, etc.) we collect similar profile, content, and token data for those platforms.

2.4 Usage and log data

We automatically collect server logs including IP addresses, browser user-agent strings, pages visited, and timestamps. This data is used for security, debugging, and service improvement.

2.5 Payment data

Payment processing is handled by Stripe. We do not store full card numbers. We receive and store subscription status, plan type, and Stripe customer IDs.

• To provide, operate, and improve the Service
• To schedule and publish social media content on your behalf
• To execute automation workflows (DM replies, comment replies, story reply triggers)
• To display analytics and insights for your connected accounts
• To send transactional emails (account activation, password reset, billing receipts)
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal obligations

We do not sell your personal data or Instagram data to third parties. We do not use your Instagram data to train machine-learning models.

Your data is stored in a managed PostgreSQL database (Supabase) hosted in AWS ap-northeast-1 (Tokyo) and in Cloudflare R2 for media files. We use industry-standard encryption in transit (TLS 1.2+) and at rest.

Access tokens received from Meta and other platforms are stored encrypted. We restrict access to personal data to authorised personnel only.

No security measure is 100% effective. In the event of a data breach we will notify affected users in accordance with applicable law.

We retain your account data and connected social data for as long as your account is active. If you delete your account or disconnect a social platform we will delete the associated data within 30 days, except where we are required to retain it by law.

Log data is retained for up to 90 days for security and debugging purposes.

We share data only in the following limited circumstances:

• Service providers: Supabase (database), Cloudflare (media storage), Resend (transactional email), Stripe (payments), and Temporal (workflow orchestration). These providers process data solely to provide services to us.
• Meta Platforms: Content you schedule is published to Instagram via Meta's APIs. Meta's own privacy policy governs data on their platform.
• Legal requirements: We may disclose data if required by law, court order, or government authority.
• Business transfer: In the event of a merger or acquisition, data may be transferred to the successor entity.

Depending on your location you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your data. You may also use our Data Deletion Request page.
• Portability: Request your data in a machine-readable format.
• Objection / Restriction: Object to or restrict certain processing activities.
• Withdraw consent: Disconnect your Instagram account at any time from within the app; this revokes our access token.

To exercise any of these rights, email us at trysocialsyncs@gmail.com. We will respond within 30 days.

We use strictly necessary session cookies to keep you logged in. We do not use tracking or advertising cookies.

The Service is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from children. If you believe a child has provided us with data, contact us and we will delete it promptly.

SocialSyncs is operated globally. By using the Service you acknowledge that your data may be transferred to and processed in countries outside your own, including countries that may have different data protection laws.

We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

If you have questions or concerns about this policy or your data, please contact: