Privacy Policy

Social Agents (“we”, “our”, or “us”) operates the service available at https://socialagents.app. We build software that lets you connect your own social-media accounts and use an AI agent to draft and schedule posts and replies — subject to your explicit human approval before anything is published.

We are the data controller for the personal information described in this policy. Questions can be sent to privacy@socialagents.app.

We collect only the data necessary to operate the service:

Account identity

• Your email address — used for login and transactional notifications.
• A password hash (PBKDF2-SHA256 via Web Crypto, never the plaintext password) stored in our database.
• A session JWT (HS256, HttpOnly cookie named sa_session, 30-day TTL) stored in your browser.

Connected social-platform identities

When you connect a social account via OAuth, we store — per connected account — the platform name, your platform user ID / handle, display name, and the granted permission scopes.

OAuth access tokens and refresh tokens

We store OAuth access tokens (and refresh tokens where the platform provides them) for each connected account. These tokens allow the service to act on your behalf. We currently support:

• Reddit — access token (+ refresh token); used to submit comments and retrieve mentions.
• Instagram — access token; used to publish posts and retrieve comments/DMs on your pages.
• Facebook — access token; used to publish posts and retrieve comments/DMs on your pages.
• LinkedIn — access token (+ refresh token); used to publish posts and retrieve reactions.
• X (Twitter) — access token + refresh token; used to post, reply, and retrieve mentions.

All OAuth tokens are encrypted at rest using AES-256-GCM (authenticated encryption) before being stored in the database. The encryption key is held separately from the database and is never stored in source code.

Content data

• Posts, drafts, and approval-queue items — AI-generated draft text, edited final text, and the decision (approve / reject / skip) you make on each.
• Scheduled publications — the post text, target platform/account, and scheduling metadata.
• Inbound mentions and DMs — content fetched from connected platform APIs (comments mentioning your accounts, direct messages to your pages/profiles).

Workspace configuration

• Workspace name and brand-voice description you enter.
• Per-workspace settings (e.g., X API credentials you supply for BYO-key access, stored encrypted).

Billing data

Subscription tier and credit balance are stored in our database. Payment card data is held exclusively by Stripe (see Sub-processors below) — we never see or store raw card numbers.

Technical logs

Standard server-side logs (request paths, HTTP status codes, error messages) retained for up to 30 days. We do not log request bodies containing personal data.

• Account authentication — verifying your identity on login using the stored password hash; maintaining your session via the JWT cookie.
• Social-platform operations — using your stored OAuth tokens to post content, retrieve mentions/DMs, and refresh tokens on your behalf, exclusively as instructed by your in-app actions (scheduling, approval decisions).
• AI drafting — your brand-voice description and recent mention/post context are sent to an AI model (see Sub-processors) to generate draft replies and posts. We do not use your content to train third-party AI models.
• Billing — processing subscription payments and credit purchases via Stripe.
• Transactional email — sending receipts, approval notifications, and account notices via Resend.
• Service improvement — aggregated, de-identified analytics on feature usage to guide product decisions. Individual content or token data is never shared with third parties for marketing purposes.

Data retrieved from connected social accounts (mentions, DMs, post metadata) is used solely to power your approval queue and inbox within the service. We do not:

• Sell, share, or license platform data to third parties.
• Use platform data for advertising targeting or profiling.
• Retain platform data beyond your account lifetime (see Retention).
• Post to any platform without a confirmed human approval action.

Our use of data obtained via the Meta (Facebook/Instagram) APIs, the Reddit API, the LinkedIn API, and the X API is subject to each platform's developer policies. We comply with Meta's Platform Terms, Reddit's API Terms of Service, LinkedIn's API Terms of Use, and X's Developer Agreement.

We use the following third-party services to operate Social Agents. Each receives only the minimum data required for its function.

• OAuth tokens — retained while the connected account remains active. Immediately and permanently deleted when you disconnect a platform account or delete your user account.
• Posts, drafts, and approval-queue items — retained for the life of your account. Deleted when you delete your account.
• Account and workspace data — retained while your account is active. Deleted on account deletion.
• Server logs — retained for up to 30 days, then auto-deleted.
• Billing records — retained as required by applicable accounting and tax law (typically 7 years), even after account deletion.

• Token encryption at rest — all OAuth access and refresh tokens are encrypted with AES-256-GCM (authenticated encryption) before being written to the database. The encryption key is managed separately from the data.
• Password hashing — passwords are hashed with PBKDF2-SHA256 (100 000 iterations, random 128-bit salt) via the Web Crypto API. Plaintext passwords are never stored or logged.
• Session security — sessions use HS256-signed JWTs in an HttpOnly, Secure, SameSite=Lax cookie. The signing secret is never exposed to the browser.
• Transport security — all data is transmitted over TLS 1.2+.
• Access control — all database access uses a service-role key scoped to our backend; no direct client access to the database is permitted. Row-level security is enabled on all tables as defense-in-depth.

Depending on your location, you may have the right to access, correct, or delete personal data we hold about you, object to or restrict certain processing, and data portability.

You can exercise most rights directly in the product:

• Disconnect a platform account — removes the associated OAuth tokens immediately.
• Delete your account — erases all your personal data, OAuth tokens, posts, workspaces, and workspace members. See Your Data & Deletion for step-by-step instructions, or go directly to Account Settings.

For requests you cannot fulfill in the product, or for GDPR/CCPA inquiries, email privacy@socialagents.app. We will respond within 30 days.

We use a single first-party cookie:

• sa_session — an HttpOnly session JWT. Strictly necessary for authentication; expires after 30 days of inactivity. No third-party tracking cookies are set.

The service is not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@socialagents.app and we will delete it promptly.

We will post changes to this page and update the effective date. For material changes we will notify you by email. Continued use of the service after the effective date constitutes acceptance of the updated policy.

For privacy questions, data-subject requests, or to report a data-related concern:

See also: Your Data & Deletion