sosocontentsosocontent.ai

Privacy Policy

Effective date: May 17, 2026

This Privacy Policy describes how Digicraft ("Digicraft", "we", "us", or "our") collects, uses, and shares personal data in connection with the sosocontent.ai service (the "Service"). By using the Service, you consent to the practices described below.

1. Information We Collect

Account information

When you create an account, we collect your email address and authentication metadata (such as Google OAuth identifiers if you sign in with Google).

Brand and content data

We collect the brand profiles, prompts, and inputs you provide to the Service, along with the AI-generated content produced for you (text, images, audio, video).

Third-party integration tokens

When you connect a third-party account (for example, Canva or Google), we store the OAuth access and refresh tokens necessary to perform the actions you initiate. These tokens are stored in a service-role-only database table and are never exposed to client-side code.

Usage and technical data

We collect basic usage telemetry such as feature interactions, credit usage, timestamps, and error logs to operate and improve the Service.

Payment data

Payments are processed by Stripe. We do not store your full payment card number; we retain only the Stripe customer identifier and subscription metadata required for billing.

2. How We Use Your Information

  • To provide and operate the Service (generate content, save your work, deliver subscription features);
  • To authenticate you and protect your account;
  • To process payments and manage subscriptions;
  • To communicate with you about service updates, security issues, and support requests;
  • To improve the Service through aggregated, non-identifying analytics;
  • To detect, investigate, and prevent abuse or violations of our Terms of Service.

We do not use your brand data or generated content to train AI models, and we do not sell your personal data to third parties.

3. How We Share Your Information

We share personal data only with service providers necessary to operate the Service, and only to the extent required for them to perform their function:

  • Supabase — application database and object storage (AWS);
  • Vercel — application hosting (AWS);
  • Railway — background workers (e.g., digital human video rendering);
  • Anthropic (Claude API) — AI text generation;
  • Replicate — AI image generation;
  • Azure Speech Services — Cantonese text-to-speech;
  • Hedra / D-ID — digital human video generation (only when you initiate);
  • Stripe — payment processing;
  • Canva — only when you explicitly connect Canva and click Export, we send the generated PPTX to Canva on your behalf;
  • Google — only when you sign in with Google or initiate a Google Slides export.

We may also disclose personal data when required by law, to protect our rights, or in the event of a merger or acquisition of Digicraft.

4. Data Storage and Security

  • The application database is Supabase Postgres, with Row-Level Security (RLS) enforced so that each user can access only their own data;
  • Generated media is stored in private Supabase Storage buckets, accessible only via short-lived signed URLs;
  • OAuth tokens for third-party integrations are stored in a service-role-only Postgres table, never exposed to the client;
  • Application secrets (API keys, third-party client secrets) are stored as encrypted environment variables in Vercel;
  • Traffic to the Service is encrypted in transit using TLS.

5. Data Retention and Deletion

We retain your data for as long as your account is active. Specifically:

  • Account deletion: When you request account deletion, all your personal data (account, brand profiles, generated content, tokens) is purged within 30 days.
  • Third-party integration disconnect: When you disconnect a third-party integration (such as Canva), we immediately revoke our OAuth refresh token at the third party and delete the stored tokens from our database.
  • Inactive accounts: Accounts with no login activity for more than 24 months may be reviewed annually for purge as part of our data minimization practice.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you;
  • Request correction of inaccurate data;
  • Request deletion of your data;
  • Object to or restrict certain processing;
  • Request portability of your data in a machine-readable format.

To exercise any of these rights, please email hello@digicraft.academy.

7. International Data Transfers

Our infrastructure providers (Supabase, Vercel) primarily host data in AWS data centers in the United States. By using the Service, you consent to the transfer of your data outside your country of residence for the purposes described in this Policy.

8. Children

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will delete it.

9. Security Disclosures

If you believe you have discovered a security vulnerability in the Service, please email hello@digicraft.academy with the subject line "[Security]". We aim to acknowledge reports within 48 hours.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-product notice. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance.

11. Contact

For any privacy-related questions, please contact hello@digicraft.academy.