Privacy Policy

Last updated: June 4, 2026

1. Introduction

SMST ("Social Media Scheduling Tool," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our social media scheduling and management platform. Please read this policy carefully. If you do not agree with its terms, please do not use our services.

This Privacy Policy applies to all users of our platform located in the United Kingdom and the European Economic Area ("EEA"), and complies with the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation ("GDPR"), and the Data Protection Act 2018.

2. Data Controller

The data controller responsible for your personal information is:

• Business Name: SMST (Social Media Scheduling Tool)
• Contact: argentjackjoshua@outlook.com
• Location: Surrey, United Kingdom

3. Information We Collect

3.1 Information You Provide Directly

We collect information you voluntarily provide when creating an account, using our services, or communicating with us:

• Account Information: Name, email address, profile picture, organization name, and other contact details
• Payment Information: If applicable, billing address and payment method details (processed securely through third-party payment providers)
• Communications: Messages, feedback, and correspondence you send to us

3.2 Content and Media

To provide our core scheduling services, we collect and process:

• User-Generated Content: Text, captions, descriptions, hashtags, and metadata for scheduled posts
• Media Files: Videos, images, thumbnails, and other media assets you upload for scheduling and publishing
• Scheduling Data: Scheduled publication dates, times, platforms, and related configurations
• Content Templates: Saved templates and preset content configurations

Important: Media files are stored securely and processed only for the purpose of scheduled publishing to your connected social media platforms. Content is deleted upon your request or account deletion unless required for legal compliance.

3.3 OAuth and Platform Connection Data

When you connect your social media accounts (TikTok, Facebook, Instagram, YouTube, etc.), we receive and store:

• Access Tokens: OAuth tokens that authorize us to publish content on your behalf
• Refresh Tokens: Tokens used to maintain platform connections
• Platform Identifiers: Your account IDs and display names on connected platforms
• Profile Information: Profile images, follower counts, and public profile data
• Analytics Data: Performance metrics, engagement data, and insights from your connected platforms

These tokens are stored encrypted and are only used to fulfill scheduled publishing operations and retrieve analytics at your request.

3.4 Automatically Collected Information

When you use our platform, we automatically collect:

• Usage Data: Features accessed, posts created, scheduling patterns, and session duration
• Device Information: Browser type, operating system, device identifiers, and IP address
• Log Data: Access times, referring URLs, error logs, and performance metrics
• Cookie Data: As described in Section 10 below

4. How We Use Your Information

We use your information for the following purposes:

• Service Provision: To provide, maintain, and improve our social media scheduling platform
• Content Publishing: To schedule and publish your content to connected social media platforms at requested times
• Authentication: To verify your identity and manage your account
• Analytics: To generate performance reports and insights about your content
• Communication: To send service-related notifications, updates, and support responses
• Security: To detect, prevent, and respond to fraud, abuse, or security threats
• Legal Compliance: To comply with applicable laws, regulations, and legal requests

5. Legal Basis for Processing (GDPR)

If you are located in the UK or EEA, we process your personal data under the following legal bases:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide our services to you
• Consent (Article 6(1)(a)): Where you have given explicit consent for specific processing activities
• Legitimate Interests (Article 6(1)(f)): Where processing serves our legitimate business interests (security, fraud prevention) without overriding your rights
• Legal Obligation (Article 6(1)(c)): Where processing is required by applicable law

6. Information Sharing and Disclosure

6.1 Platform Sharing

Your content is shared with the social media platforms you select for publishing. This includes:

• Post content, captions, and metadata
• Media files (videos, images)
• Scheduling and publishing requests

Once shared with third-party platforms, their privacy policies govern how your data is used.

6.2 Service Providers

We share information with trusted third-party service providers who assist us in operating our platform:

• Cloud Infrastructure: Vercel (hosting), providing secure cloud services
• Database Services: Prisma (database ORM) and PostgreSQL (database hosting)
• Authentication: NextAuth.js for secure authentication
• Analytics: Platform analytics APIs (YouTube Data API, TikTok API, etc.)
• Payment Processors: If applicable, for processing payments securely

These providers are bound by appropriate data processing agreements.

6.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to:

• Comply with legal obligations
• Protect our rights, privacy, safety, or property
• Prevent fraud or illegal activity
• Respond to valid requests from law enforcement

6.4 Business Transfers

If SMST undergoes a merger, acquisition, sale of assets, or insolvency proceedings, your information may be transferred as part of that transaction.

6.5 We Do Not Sell Your Data

We do not sell, trade, or rent your personal information to third parties for marketing purposes.

7. International Data Transfers

SMST is operated from the United Kingdom. Your information may be transferred to and processed in countries outside the UK or EEA, including countries that may have different data protection laws.

When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission
• Transfers to countries with adequate data protection decisions
• Binding Corporate Rules where applicable

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• Encryption of data in transit using TLS/SSL
• Encryption of sensitive data at rest
• Regular security assessments and penetration testing
• Access controls and authentication requirements
• Employee data protection training
• Incident response procedures

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your information for the following periods:

• Account Data: Retained while your account is active and for 2 years after account deletion
• Content and Media: Deleted within 30 days of account deletion or content removal request
• OAuth Tokens: Retained until you disconnect the platform or delete your account
• Usage Logs: Retained for 1 year for security and debugging purposes
• Financial Records: Retained for 7 years as required by tax and accounting regulations
• Legal Compliance: Retained as long as necessary to comply with legal obligations

10. Cookies and Tracking Technologies

10.1 Essential Cookies

These cookies are necessary for the platform to function:

• Authentication and session management
• Security features (CSRF protection)
• Load balancing

10.2 Functional Cookies

These cookies enhance your experience:

• Remembering your preferences and settings
• Language preferences
• UI customization options

10.3 Analytics and Website Performance

We use Vercel Web Analytics to collect anonymous, aggregated statistics about page views, device types, browsers, and geographic location. This service:

• Does not set or read browser cookies
• Uses a transient server-side hash that is discarded after 24 hours
• Does not collect personal information or track individuals across sessions
• Cannot be used to reconstruct browsing activity or identify users

Under the UK Data Use and Access Act 2025, this analytics service qualifies for the statistical-purpose exemption as it does not store identifiers on your device and collects only aggregate, non-personal data. You may opt out of this analytics by contacting us at argentjackjoshua@outlook.comor by enabling "Do Not Track" in your browser settings.

11. Your Rights Under GDPR/UK GDPR

If you are located in the UK or EEA, you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of processing in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that significantly affect you
• Right to Withdraw Consent: Withdraw consent where processing is based on consent
• Right to Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO) if you believe your rights have been violated

To exercise any of these rights, contact us at argentjackjoshua@outlook.com.

12. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without verified parental consent, we will take steps to delete that information promptly.

In accordance with the UK Age Appropriate Design Code, we implement age-appropriate safeguards for our platform.

13. Automated Decision-Making

We do not make decisions about you based solely on automated processing (including profiling) that would produce legal effects or similarly significant affects you, except where:

• Necessary for entering into or performing a contract with you
• Authorized by applicable law
• Based on your explicit consent

14. Data Breach Notification

In accordance with UK GDPR and GDPR requirements:

• We will notify the ICO of reportable data breaches within 72 hours of becoming aware
• If the breach is likely to result in high risk to your rights and freedoms, we will notify affected users directly
• Notifications will describe the nature of the breach, likely consequences, and measures taken or proposed

15. Third-Party Platform Disclaimers

Our platform integrates with third-party social media platforms (TikTok, Facebook, Instagram, YouTube, etc.). We are not responsible for:

• The privacy practices of these platforms
• How they collect, use, or protect your data
• Changes to their APIs or services that may affect our platform
• Content moderation decisions made by these platforms

Your use of connected platforms is subject to their respective privacy policies and terms of service.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page
• Updating the "Last updated" date
• Sending an email notification for significant changes
• Providing prominent notice through our platform

Your continued use of our services after changes take effect constitutes acceptance of the updated policy.

17. Contact Us

If you have any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us:

• Email: argentjackjoshua@outlook.com
• Location: Surrey, United Kingdom

For data protection inquiries, we aim to respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.

18. UK Specific Provisions

This Privacy Policy complies with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Age Appropriate Design Code