How Socials collects, uses, and protects your personal information
1. Overview
Socials ("we", "our", or "us") is a social media scheduling and cross-posting platform. This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information.
By creating an account or using Socials, you agree to the practices described in this policy.
2. Information We Collect
Account information: Your name, email address, and password. Passwords are stored as bcrypt hashes — we never store your plain-text password.
Social platform tokens: When you connect a social account (LinkedIn, Twitter/X, Instagram, Facebook, YouTube, Reddit), we store the OAuth access tokens issued by those platforms. These tokens are encrypted at rest using AES-256 before being written to our database.
Post content: Text, images, videos, and scheduling metadata you create inside Socials in order to publish them on your behalf.
Usage data: Basic analytics such as post publish status and platform-level engagement data returned by social platform APIs.
3. How We Use Your Information
- Authenticate you and maintain your session securely using short-lived JWT access tokens (15 minutes) and rotating refresh tokens.
- Publish and schedule posts to the social platforms you have connected, acting strictly on your instructions.
- Display analytics data pulled from your connected platform accounts back to you.
- Send transactional emails (e.g. email verification, password reset). We do not send marketing email without your explicit consent.
- Process payments for paid plans via Razorpay. We do not store card details — all payment data is handled directly by Razorpay.
4. Google User Data Handling
Socials' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We request access to your basic Google profile (name, email) for "Sign in with Google" authentication. For YouTube publishing, we request permission to upload videos and manage your channel content on your behalf. We do not sell or share Google user data with third parties, and we do not use it for advertising.
5. Third-Party Services
Socials integrates with the following external services to provide its core functionality:
- LinkedIn, Twitter/X, Meta (Instagram/Facebook), YouTube, Reddit — for OAuth authentication and post publishing via their official APIs.
- Google — for "Sign in with Google" authentication via OpenID Connect.
- Razorpay — for payment processing, subject to Razorpay's Privacy Policy.
- Google Gemini API — optionally used for AI-assisted content generation. Prompts you send through the AI feature are processed by Google's API.
6. Data Protection & Security
Socials protects the sensitive information we collect — including OAuth tokens for connected social platforms (Google/YouTube, LinkedIn, X/Twitter, Meta, Reddit, Threads), Google user data received via the YouTube Data API and Sign in with Google, account credentials, and post content — with the following technical and organisational measures:
- Encryption in transit: All traffic between your browser and Socials is encrypted using HTTPS with TLS 1.2 or higher. HSTS is enabled to prevent downgrade attacks. We do not accept unencrypted connections.
- Encryption at rest: OAuth access tokens, refresh tokens, and any platform-issued credentials are encrypted using AES-256 (Fernet) before being written to the database. Encryption keys are stored in an isolated secrets store, never in source control, never logged, and never transmitted to clients.
- Password hashing: User passwords are stored as bcrypt hashes with a per-password salt. Plain-text passwords are never persisted, never logged, and never recoverable — only resettable.
- Session security: User sessions use short-lived (15-minute) JWT access tokens combined with rotating refresh tokens delivered via HttpOnly, Secure, SameSite cookies. A CSRF header guards every refresh call. Sessions can be revoked server-side at any time.
- Database isolation: The production database is on a private network, accessible only to the Socials API service. It is not exposed to the public internet. Backups are encrypted and access-controlled.
- Principle of least privilege: Only a small set of named operators have access to production systems, gated by SSH key + multi-factor authentication. Access is audit-logged.
- Google user data — Limited Use: Our use of Google user data (including YouTube account data) complies with the Google API Services User Data Policy, including the Limited Use requirements. We use this data solely to deliver the user-facing features the user explicitly initiated (uploading a video, viewing analytics, etc.). We do not transfer Google user data to third parties, do not use it for advertising, and do not allow humans to read it except for security investigations, abuse prevention, or to comply with applicable law, with the user's explicit consent.
- Token scope minimisation: Each social platform OAuth integration requests only the narrowest set of scopes required for the features the user has chosen to use.
- Incident response: If we become aware of a security breach that affects your personal data, we will notify affected users without undue delay and, where required by law, notify the relevant supervisory authority.
- Third-party processors: Sub-processors we rely on (cloud hosting, payment processing via Razorpay, transactional email) are bound by data-processing agreements that require equivalent security standards.
No system is perfectly secure. We strongly recommend you use a unique, strong password for your Socials account and enable two-factor authentication on every connected social platform. Report suspected vulnerabilities to security@mysocials.in.
7. Data Retention
We retain your data for as long as your account is active. You can request deletion of your account and all associated data by contacting us. Upon deletion, OAuth tokens, post content, and personal information will be permanently removed from our systems within 30 days.
You can revoke Socials' access to any connected social account at any time through that platform's own security settings, in addition to disconnecting it inside Socials.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and data.
- Object to or restrict certain processing of your data.
To exercise any of these rights, contact us at the address below.
9. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the app before the changes take effect. Continued use of Socials after changes are posted constitutes your acceptance of the updated policy.
10. Contact
For privacy-related questions or to exercise your data rights, contact us at privacy@mysocials.in.