Privacy Policy

Account Information

When you sign up for PayToSocial, we collect the following information through our authentication provider Clerk:

• Email address (for login and notifications)
• Name (optional, for personalization)
• Password (encrypted via Clerk, we never see your actual password)
• Account creation date and last login time

Social Media Credentials

When you connect social accounts to PayToSocial, we collect and store OAuth access tokens to enable content publishing:

• TikTok: Access tokens via TikTok's Content Posting API, account ID, username
• Other Platforms: OAuth tokens from Twitter, LinkedIn, Facebook, Instagram, YouTube, Pinterest, Snapchat
• Profile information (username, profile picture) for display purposes
• We never store your social media passwords - all authentication uses secure OAuth protocols

TikTok-Specific Data: When you connect TikTok, data shared with TikTok is governed by TikTok's Privacy Policy and Business Products (Data) Terms. We use TikTok's API solely to publish your scheduled content on your behalf.

Payment Information

When you pay for posts:

• Card information is handled by Stripe (PCI-DSS compliant)
• We store only the last 4 digits and expiry date for display
• Billing address for tax compliance

Usage Data

We collect:

• Posts scheduled and published
• Login times and IP addresses (for security)
• Device and browser type (for compatibility)

To provide the service:

• Schedule and publish your social media posts
• Process payments ($0.75 per post)
• Send email notifications (post confirmations, receipts)

To improve the product:

• Analyze usage patterns (e.g., “most users schedule posts on Mondays”)
• Fix bugs and improve performance
• Develop new features based on user behavior

To communicate with you:

• Send transactional emails (receipts, error notifications)
• Occasional product updates (you can opt out)
• Respond to support requests

For security:

• Detect and prevent fraud
• Monitor for suspicious activity
• Comply with legal obligations

We share data with:

Service providers PayToSocial uses:

• Stripe: Payment processing (PCI-DSS compliant)
• Clerk: User authentication and account management
• Supabase: Database hosting with encryption and Row Level Security
• Vercel: Application hosting and infrastructure
• Resend: Transactional emails (receipts, notifications)

Social media platforms:

• PayToSocial integrates with TikTok using TikTok's Content Posting API to publish your scheduled content. When you connect your TikTok account, we share your access tokens and post content with TikTok to enable publishing.
• We send your posts to other platforms (Twitter, LinkedIn, Facebook, Instagram, YouTube, Pinterest, Snapchat) via their respective APIs
• Each platform has its own privacy policy that governs how they handle your data:
  • TikTok: TikTok Privacy Policy and Business Products (Data) Terms
  • Other platforms: See their respective privacy policies
• Technical Data Shared: IP addresses, device information, browser type, and geographic location may be collected and shared with platforms for authentication and content delivery purposes

Legal requirements:

• If required by law (e.g., court order, subpoena)
• To protect our rights or prevent illegal activity

We NEVER:

• Sell your data to advertisers
• Share your data with third-party marketers
• Use your posts or content for AI training without consent

You have the right to:

Access your data:

• Download a copy of all your data (Settings → Export Data)

Correct your data:

• Update your email, name, or settings anytime

Delete your data:

• Delete your account (Settings → Delete Account)
• All data is permanently deleted within 30 days

Opt out of marketing:

• Unsubscribe from promotional emails (link in footer)
• You'll still receive transactional emails (receipts, confirmations)

Portability:

• Export your data in JSON format

To exercise these rights, email privacy@paytosocial.com

We protect your data with:

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Secure hosting: AWS with SOC 2 Type II compliance
• Access controls: Only authorized team members can access data
• Regular audits: Security reviews every quarter
• Password hashing: Bcrypt with salt (we never see your password)

No system is 100% secure, but we take security seriously. If there's ever a breach, we'll notify you within 72 hours.

We use minimal cookies:

Essential cookies:

• Session cookie (keeps you logged in)
• CSRF token (security)

Analytics cookies:

• Anonymous usage analytics (can be disabled in settings)
• No third-party advertising cookies

You can block cookies in your browser, but some features may not work.

We may update this policy occasionally. If there are material changes, we'll:

• Email you 30 days before changes take effect
• Post a notice on the website
• Update the “Last Updated” date at the top

Continued use after changes = acceptance of new terms.