Privacy Policy

Last updated: February 18, 2026

1. Introduction

OKKTOPUS ("we", "us", or "our"), operated via okktopus.com, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our social media management platform (the "Service"). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, and password when you register via Google OAuth
  • Content: Text, images, videos, and other media you create, upload, or schedule through the Service
  • Communications: Any messages or feedback you send to us

2.2 Information from Connected Social Media Platforms

When you connect your social media accounts, we collect the following information through OAuth authorization:

  • Facebook: Page ID, page name, page access token, and user ID. We request the pages_manage_posts and pages_read_engagement permissions to publish content to your Facebook Pages.
  • Instagram: Instagram business account ID, username, and access token. We request the instagram_basic and instagram_content_publish permissions to publish photos and videos to your Instagram account.
  • TikTok: Open ID, display name, avatar URL, access token, and refresh token. We request the user.info.basic and video.publish scopes to publish videos and photos to your TikTok account.
  • Twitter/X: User ID, username, and access token. We request permissions to post tweets on your behalf.

2.3 Information Collected Automatically

  • Usage data: Pages visited, features used, and actions taken within the Service
  • Device information: Browser type, operating system, and IP address
  • Cookies: Session cookies for authentication and CSRF protection

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Publish, schedule, and manage content on your connected social media accounts on your behalf
  • Generate AI-assisted content suggestions based on your input
  • Store and manage your uploaded media (images and videos)
  • Communicate with you about the Service, including updates and support
  • Detect, prevent, and address technical issues or security threats

4. How We Store and Protect Your Data

  • Database: Your account data and social media connection details are stored in a secured PostgreSQL database hosted on Supabase with encryption at rest.
  • Media storage: Uploaded images and videos are stored in Supabase Storage with access controls.
  • Access tokens: Social media access tokens and refresh tokens are stored securely in our database. We use these tokens solely to perform actions you have authorized (such as publishing content).
  • Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Token refresh: TikTok access tokens are automatically refreshed (they expire every 24 hours) using stored refresh tokens, without requiring you to re-authorize.

5. Data Sharing and Third-Party Services

We do not sell, rent, or trade your personal information. We share your data only in the following circumstances:

  • Social media platforms: When you schedule or publish content, we send your content (text, images, videos) to the respective platforms (Facebook, Instagram, TikTok, Twitter/X) using their official APIs. This data is then subject to each platform's own privacy policy.
  • AI content generation: When you use the AI content generation feature, your text prompts are sent to OpenAI's API for processing. We do not send your personal account information or social media tokens to OpenAI.
  • Authentication: We use Google OAuth for user authentication. Google receives standard OAuth data during the sign-in process.
  • Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.

6. Platform-Specific Disclosures

6.1 Facebook and Instagram (Meta)

We access your Facebook Pages and Instagram business accounts through the Meta Graph API. We only access data necessary to provide the Service (posting content, reading page information). We do not access your personal Facebook profile, private messages, friend lists, or any data beyond what is required for content publishing. You can revoke access at any time by disconnecting your account in the Service or by removing the app from your Facebook/Instagram settings.

6.2 TikTok

We access your TikTok account through the TikTok API using Login Kit and the Content Posting API. We collect your basic profile information (display name, avatar, open ID) and use your authorization to publish content on your behalf. We store your access token (valid for 24 hours) and refresh token (valid for 365 days) to maintain your connection. We do not access your TikTok private messages, follower lists, or viewing history. You can revoke access by disconnecting your account in the Service or by removing the app from your TikTok authorized apps.

6.3 Twitter/X

We access your Twitter/X account through the Twitter API v2. We only use your authorization to post tweets on your behalf. We do not access your direct messages, followers, or any data beyond what is required for content publishing. You can revoke access at any time from your Twitter/X settings.

7. Data Retention

  • Your account data is retained for as long as your account is active.
  • Published post records are retained for your reference in the Service.
  • Uploaded media files are retained as long as they are associated with scheduled or published posts.
  • Social media access tokens are retained until you disconnect the account or they are revoked.
  • If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.

8. Your Rights

You have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data and account
  • Disconnect: Revoke access to any connected social media account at any time through the Connections page
  • Data portability: Request your data in a portable format
  • Withdraw consent: Withdraw your consent for data processing at any time by deleting your account

To exercise any of these rights, please contact us at georgia.bucea@gmail.com.

9. Cookies

We use essential cookies only, which are necessary for the Service to function properly. These include session authentication cookies (managed by NextAuth.js) and CSRF protection state cookies used during social media OAuth flows. We do not use tracking cookies, advertising cookies, or analytics cookies.

10. Children's Privacy

The Service is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately and we will take steps to delete such information.

11. International Data Transfers

Your data may be processed and stored on servers located in the European Union. When your content is published to social media platforms, it may be transferred to servers in other jurisdictions in accordance with each platform's data handling practices.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: georgia.bucea@gmail.com
Website: okktopus.com