1. Who we are
This Privacy Policy describes how APZERO sp. z o.o. (“we”, “us”, “our”), based at ul. Kijowska 44, 85-703 Bydgoszcz, Poland, processes your personal data when you use the Reeldrift service at reeldrift.pro (the “Service”).
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, APZERO sp. z o.o. is the data controller of your personal data.
Privacy questions: privacy@reeldrift.pro. General support: hello@reeldrift.pro.
2. Scope
This policy applies to the Reeldrift web application, marketing pages at reeldrift.pro, our emails, and any related tooling. It does not apply to third-party services you link (for example TikTok), which are governed by their own privacy policies — we link to the most relevant ones in section 7.
3. What data we collect
3.1 Data you provide to us
- Account data. Email address, password hash (via Supabase Auth), display name, time zone, preferred language.
- Brand & product information. Category, hashtags, custom prompt, product name/description you optionally enter during onboarding and in Settings.
- Content you generate. Hooks, slide copy, uploaded media, post captions, schedules.
- Support tickets. Subject, message, attachments when you contact us.
- Billing details. Plan, billing cycle, invoice history (only if you upgrade beyond the Free tier). Card and bank details are collected and processed directly by Stripe — we never see or store them.
3.2 Data we receive from TikTok
When you connect a TikTok account via the official TikTok Content Posting API and Login Kit, TikTok sends us a limited set of data under the scopes you grant. Typical fields we receive:
- TikTok open ID / user ID, username (handle), display name, avatar URL.
- Follower count, video count, and aggregate profile metrics for analytics.
- OAuth access token and refresh token (stored encrypted at rest), used exclusively to publish posts you approve and fetch their performance data.
- Per-post metrics after publishing: views, likes, shares, bookmarks, engagement rate.
We request the minimum scopes required to operate (Reeldrift uses user.info.basic and video.publish at a minimum; additional scopes are requested only if you enable features that need them). You can revoke our access at any time — see section 10.
3.3 Data collected automatically
- Session & security. IP address, user agent, Supabase auth cookies, timestamps of sign-in and sensitive actions. Used for security, fraud prevention, and debugging.
- Device & preferences. Theme, sidebar state, selected account, and onboarding progress — stored in your browser via localStorage and cookies. See our Cookie Policy.
- Server logs. HTTP requests, error traces, and application logs, retained for up to 30 days for reliability and abuse detection.
4. Why we process your data (legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service — publishing, scheduling, analytics, billing. | Performance of a contract (Art. 6(1)(b)). |
| Security, fraud prevention, abuse detection. | Legitimate interests (Art. 6(1)(f)). |
| Transactional emails (receipts, security alerts, onboarding steps). | Performance of a contract (Art. 6(1)(b)). |
| Product analytics and improvement (aggregate, pseudonymized). | Legitimate interests (Art. 6(1)(f)). |
| Marketing emails and newsletters (if enabled). | Your consent (Art. 6(1)(a)). |
| Legal compliance (tax, fraud reports, lawful requests). | Legal obligation (Art. 6(1)(c)). |
5. How we use your data
- To operate the Service and publish on your behalf only when you instruct us to.
- To authenticate you and keep your workspace secure.
- To process billing and issue invoices.
- To generate hooks, slide copy, and scheduling decisions for your content.
- To calculate analytics and surface insights in your dashboard.
- To respond to support requests and feature feedback.
- To send critical service notifications (outages, security incidents, policy changes).
We do not train AI models on your content. Generation runs through a stateless model provider (see section 7) and prompts are not retained for training beyond the request lifecycle.
6. How long we keep your data
| Data | Retention |
|---|---|
| Account & workspace data | For as long as your account is active; deleted within 30 days of account deletion. |
| TikTok access & refresh tokens | Until you disconnect the account or delete your Reeldrift account, then immediately revoked and deleted. |
| Published content & analytics | Up to 24 months, or until you delete the post or the account. |
| Server logs | Up to 30 days. |
| Billing & invoices | Up to 6 years after the last transaction, as required by tax law. |
| Support tickets | Up to 24 months after case closure. |
| Backups | Rolling 30-day backups; deleted records are purged from backups within that window. |
7. Third parties we share with (sub-processors)
We only share data with the companies necessary to run the Service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage, and managed Postgres. | EU (Frankfurt). |
| Hostinger | Virtual private server hosting the application runtime. | EU (Frankfurt, Germany). |
| Cloudflare | DNS resolution and TLS termination for the public domain. | Global edge (EU primary). |
| OpenAI | Stateless generation of hooks and slide copy. No training on your data (per OpenAI API data policy). | US (Standard Contractual Clauses). |
| TikTok (ByteDance) | Content publishing and account analytics — only on your instruction. | Global. See TikTok’s Privacy Policy. |
| Stripe | Payment processing and billing — only for users on paid plans. Card and bank details are collected and processed directly by Stripe; we never see or store them. | EU / US (Standard Contractual Clauses). See Stripe’s privacy center. |
| Resend | Transactional email delivery (sign-up confirmation, password reset, support replies). | EU / US (SCCs). See Resend’s privacy policy. |
We never sell your personal data. We never share TikTok data with other advertisers or marketing brokers.
8. International transfers
Your data is primarily processed in the European Union. Where a sub-processor operates outside the EEA/UK, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where relevant, supplementary technical measures such as encryption in transit and at rest.
9. Your rights under the GDPR
You have the following rights concerning your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (the “right to be forgotten”).
- Restriction — limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time, where processing relies on consent.
- Lodge a complaint — with your local supervisory authority (in Poland, the President of the Personal Data Protection Office — UODO).
To exercise any of these rights, email privacy@reeldrift.pro. We respond within 30 days, or sooner where practical.
10. Disconnecting TikTok and deleting data
You can disconnect a TikTok account from Settings → Account at any time. Disconnection immediately revokes our OAuth tokens and stops any scheduled publishing on that account.
To delete your entire Reeldrift account and all associated data, follow the steps on our Data Deletion page or email privacy@reeldrift.pro.
You can also revoke our access directly inside TikTok: TikTok app → Settings and privacy → Security → Apps and websites → Reeldrift → Remove access.
11. Security
- TLS 1.2+ for all data in transit.
- Encryption at rest via Supabase-managed disks.
- TikTok OAuth tokens encrypted at the column level.
- Row-level security (RLS) enforcing strict workspace isolation.
- Principle-of-least-privilege service accounts.
- Automated dependency scanning and regular security reviews.
If we discover a personal data breach, we will notify affected users and the competent supervisory authority without undue delay and in any case within 72 hours, as required by Art. 33 GDPR.
12. Children
Reeldrift is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact privacy@reeldrift.pro and we will delete it.
13. Automated decisions and AI
Reeldrift does not make decisions about you that produce legal effects or similarly significant effects based solely on automated processing. Hook generation, scheduling, and analytics are assistive — you review and approve every post before it publishes.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in the app and, where appropriate, by email. The “Last updated” date at the top of this page always reflects the current version.
15. Contact
APZERO sp. z o.o.
ul. Kijowska 44, 85-703 Bydgoszcz, Poland
Privacy & data protection: privacy@reeldrift.pro
General support: hello@reeldrift.pro