Overview
SocialScale ("we," "our," or "us") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what information we collect when you use SocialScale — our autonomous social media management platform, website at socialscale.zuhabul.com, API, and related services (collectively, the "Service") — how we use it, who we share it with, and what rights you have over your data.
This policy applies to all users of our Service globally. Additional rights may apply depending on your jurisdiction — see Section 9 (GDPR) and Section 10 (California CCPA/CPRA).
Information We Collect
We collect information you provide directly, data generated automatically, and data received from connected third-party platforms.
2.1 Account & Profile Data
When you create an account we collect:
- Name and email address
- Password (stored as a bcrypt hash — we never store your plaintext password)
- Organisation/workspace name
- Profile photo (optional)
- Timezone and locale preferences
- Account tier and subscription plan
2.2 Billing & Payment Data
Payment processing is handled by our third-party payment processor (Stripe, Inc.). We do not store full card numbers or bank account details. We retain:
- Subscription plan, billing cycle, and pricing tier
- Billing address and VAT/tax ID (if provided)
- Payment method metadata (last 4 digits, card brand, expiry month/year)
- Invoice history and transaction IDs
2.3 Connected Social Media Platform Data
When you connect social media accounts, we receive and store OAuth 2.0 access tokens and refresh tokens provided by those platforms. We use these tokens solely to publish, schedule, and retrieve analytics on your behalf. Depending on the platform and permissions granted, we may also store or process:
- Published and scheduled post content, media attachments, and metadata
- Platform analytics: reach, impressions, engagement, follower counts
- Inbox messages and comments you choose to manage through SocialScale
- Ad campaign data (budgets, performance, creatives) for connected ad accounts
- Trend and hashtag data fetched from platform APIs
We access only the data necessary for the features you enable. OAuth tokens are encrypted at rest using AES-256.
2.4 Content You Create
- Post drafts, approved content, and brand voice guidelines you define
- Content templates, hashtag sets, and tone-of-voice configurations
- Crisis response rules and policy engine configurations
- Prompts and instructions provided to AI agents
2.5 AI & LLM Interaction Data
SocialScale routes content generation requests to large language model (LLM) providers (e.g., Anthropic Claude, OpenAI GPT, Google Gemini, MiniMax, Ollama for self-hosted). We transmit only the minimum data required — typically content prompts and brand context — to generate output. We do not send your OAuth tokens, billing information, or passwords to LLM providers. See Section 5 for processor details.
2.6 Usage & Log Data
We automatically collect operational data when you use our Service:
- IP address, browser type and version, operating system
- Device identifiers (for mobile apps)
- Pages visited, features used, button clicks, and navigation paths
- API requests, response times, and error codes
- Session duration and frequency of use
- Agent activity logs (which agents ran, what actions they took, timestamps)
2.7 Communications
- Email or chat messages you send to our support team
- Survey responses and product feedback
- Bug reports and feature requests
How We Use Your Data
| Purpose | Data Used |
|---|---|
| Provide and operate the Service | Account data, OAuth tokens, content, usage data |
| Authentication and account security | Email, password hash, IP address, session tokens |
| Process payments and manage subscriptions | Billing data, email, subscription plan |
| Power AI agents (content generation, scheduling, analytics) | Brand guidelines, content prompts, platform analytics |
| Send transactional emails (invoices, security alerts, agent reports) | Email address, subscription data |
| Improve and debug the Service | Log data, usage data, error reports |
| Send product updates and marketing (with consent or legitimate interest) | Email, subscription tier |
| Enforce our Terms of Service and detect abuse | Usage data, log data, IP address |
| Comply with legal obligations | Any data required by applicable law |
| Anonymised analytics and product research | Aggregated, non-identifiable usage patterns |
We do not use your data to train external AI models. We do not sell your data to any third party.
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following lawful bases under GDPR Article 6:
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) |
| Processing payments | Contract (Art. 6(1)(b)) |
| Operating AI agents on connected platforms | Contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Product improvement and analytics | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails (for existing customers) | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails (for prospects) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have conducted a balancing test to confirm that our interests do not override your rights and freedoms. You may request a copy of this assessment by contacting us at legal@socialscale.zuhabul.com.
How We Share Your Data
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
5.1 Service Providers & Data Processors
We engage sub-processors who act on our instructions:
| Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | USA (Privacy Shield / SCCs) |
| Anthropic, PBC | LLM inference for AI content generation | USA (SCCs) |
| OpenAI, L.L.C. | LLM inference (optional, user-configured) | USA (SCCs) |
| Google (Gemini API) | LLM inference (optional, user-configured) | USA (SCCs) |
| Cloud infrastructure provider | Hosting, storage, database | EU / configurable |
| Plausible Analytics | Privacy-preserving website analytics (no cookies) | EU (Germany) |
| Postmark / SendGrid | Transactional email delivery | USA (SCCs) |
All processors are bound by Data Processing Agreements (DPAs) requiring them to process data only on our instructions and in compliance with applicable data protection law.
5.2 Connected Social Media Platforms
When you connect social media accounts, content and data are transmitted to and from those platforms (e.g., Meta, X Corp, LinkedIn, TikTok, Google). Each platform has its own privacy policy and data practices. SocialScale acts as a data processor on your behalf when publishing to these platforms.
5.3 Business Transfers
If SocialScale is involved in a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will provide 30 days' prior notice by email and in-app notification. You will have the option to delete your account before any transfer.
5.4 Legal Requirements
We may disclose your data if required by law, court order, or government authority, or where necessary to protect the rights, property, or safety of SocialScale, our users, or the public. We will notify you of such requests unless legally prohibited from doing so.
5.5 With Your Consent
We may share data with other parties with your explicit consent, which you may withdraw at any time.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account profile data | Duration of account + 30 days after deletion request |
| Billing records and invoices | 7 years (legal / tax obligation) |
| OAuth tokens for connected platforms | Until revoked by user or token expires |
| Published and scheduled content | Duration of account, exportable on request |
| Agent activity logs | 90 days (rolling), then anonymised |
| Access and server logs (IP, requests) | 30 days |
| Support communications | 3 years from last interaction |
| Anonymised analytics data | Indefinite (cannot be re-identified) |
When you delete your account, we begin deletion within 30 days. Some data may be retained longer where required by law (e.g., billing records). You may request immediate deletion of all non-legally-required data by emailing legal@socialscale.zuhabul.com.
Data Security
We implement industry-standard security measures appropriate to the sensitivity of the data we process:
- Encryption at rest: All sensitive data (OAuth tokens, password hashes, personal data) encrypted using AES-256
- Encryption in transit: All communications protected via TLS 1.2+ (HTTPS enforced via HSTS)
- Access controls: Role-based access control (RBAC), least-privilege principles, multi-factor authentication for staff
- Password security: Passwords hashed with bcrypt (cost factor ≥ 12); plaintext passwords are never stored or logged
- Dependency scanning: Automated vulnerability scanning of all dependencies and Docker images
- Audit logging: All administrative access and data modifications are logged immutably
- WASM plugin sandboxing: Third-party plugins run in isolated WebAssembly sandboxes with no access to your credentials or other tenants' data
- Penetration testing: Annual third-party penetration tests
Despite our best efforts, no system is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.
International Data Transfers
SocialScale is operated from servers that may be located outside your country. If you are based in the EEA, UK, or Switzerland, personal data may be transferred to countries that the European Commission has not deemed to provide an adequate level of protection.
In such cases, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs incorporated into all DPAs with US-based sub-processors
- UK IDTA: International Data Transfer Agreements for UK transfers post-Brexit
- Adequacy decisions: Where available (e.g., UK → EU transfers)
You may request a copy of the applicable transfer mechanisms by emailing legal@socialscale.zuhabul.com.
Your Rights
Depending on your location, you have the following rights over your personal data. EEA, UK, and Swiss residents have these rights under GDPR / UK GDPR:
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your personal data | Settings → Export Data, or email us |
| Rectification | Correct inaccurate or incomplete data | Settings → Profile, or email us |
| Erasure ("right to be forgotten") | Request deletion of your personal data | Settings → Delete Account, or email us |
| Portability | Receive your data in a machine-readable format | Settings → Export Data (JSON / CSV) |
| Restriction | Request we limit processing in certain circumstances | Email us |
| Objection | Object to processing based on legitimate interests | Email us |
| Withdraw consent | Withdraw previously given consent at any time | Email preferences or email us |
| Lodge a complaint | Complain to your national supervisory authority | See below for authority links |
We will respond to all requests within 30 days. We may need to verify your identity before processing requests. Responses are free; we may charge a reasonable fee for manifestly unfounded or excessive requests.
Supervisory Authorities
- EU: Your national Data Protection Authority (DPA) — EDPB Member List
- UK: Information Commissioner's Office (ICO) — ico.org.uk
California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights.
Categories of Personal Information Collected
We collect the following categories as defined by CCPA:
- Identifiers (name, email address, IP address, account ID)
- Commercial information (subscription and billing records)
- Internet or other electronic network activity (usage logs, feature interactions)
- Professional or employment-related information (organisation name — if provided)
- Inferences drawn from other data (account health, product usage patterns)
We Do Not Sell or Share Your Personal Information
SocialScale does not sell personal information to third parties, nor do we share it for cross-context behavioural advertising. You do not need to opt out because we do not engage in these practices.
Your CCPA Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information (not applicable as we do not sell/share)
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise CCPA rights, email us at legal@socialscale.zuhabul.com with subject line "CCPA Request." We will respond within 45 days. We may verify your identity before processing.
Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
| Type | Purpose | Can You Opt Out? |
|---|---|---|
| Strictly necessary | Session management, authentication, CSRF protection. Required for the Service to function. | No (essential) |
| Functional | Remember your preferences (language, timezone, UI layout). | Yes |
| Analytics (Plausible) | Privacy-preserving, cookieless analytics. No personal identifiers, no cross-site tracking. | Yes (block via browser) |
We do not use advertising cookies, tracking pixels, or third-party remarketing technologies on our marketing website. The Plausible analytics script we use is GDPR-compliant by design and does not require a cookie consent banner under most interpretations of European law.
You can control cookies via your browser settings. Disabling strictly necessary cookies will prevent you from logging in to the Service.
Children's Privacy
SocialScale is not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately at legal@socialscale.zuhabul.com and we will promptly delete the information.
Third-Party Services & Links
SocialScale integrates with many third-party social media platforms and APIs. When you connect these services, their own privacy policies govern their handling of your data. We encourage you to review the privacy policies of each connected platform, including:
- Meta (Facebook, Instagram, Threads)
- X Corp (Twitter / X)
- LinkedIn Corporation
- TikTok (ByteDance Ltd.)
- Google LLC (YouTube, Google Business)
- Bluesky Social PBC
- Mastodon (decentralised; varies by instance)
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites.
Self-Hosted Deployments
This policy applies to the following data even for self-hosted users:
- Your account registration on our managed portal (portal.socialscale.zuhabul.com)
- License key validation requests (which include a hashed instance identifier)
- Crash reports if you opt in to telemetry (opt-out available in socialscale.toml)
- Update checks (version number and instance hash only)
You may disable all telemetry and update checks by setting telemetry = false in your socialscale.toml configuration file. In air-gapped deployments, no outbound data is transmitted.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to registered users at least 14 days before the change takes effect
- Display an in-app notification on your next login
Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with material changes, you may delete your account before the effective date.
Previous versions of this policy are available on request by emailing legal@socialscale.zuhabul.com.
Contact & Data Protection Officer
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
SocialScale
Privacy & Legal Team
Email: legal@socialscale.zuhabul.com
Website: https://socialscale.zuhabul.com
Response time: within 30 days (72 hours for security incidents)
If you are an EEA or UK resident and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. You can find a list of EU data protection authorities at edpb.europa.eu.