Privacy Policy - iMakeToday

1. Introduction & Data Controller

This Privacy Policy describes how Kraboo LLC, a United States limited liability company ("Kraboo", "we", "our", "us"), operates the iMakeToday social media management platform (the "Service") and processes personal data of users ("you", "your") of the Service.

For the purposes of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Kraboo LLC is the data controller of personal data collected through the Service.

For any privacy-related inquiry you may contact us at privacy@imaketoday.com. We respond to all verifiable requests within 30 days.

2. Definitions

Personal Data: any information relating to an identified or identifiable natural person.
Processing: any operation performed on personal data (e.g. collection, storage, transfer, deletion).
Connected Platform: any third-party social media service you connect to the Service (e.g. TikTok, Instagram, Facebook, Pinterest, LinkedIn, X, YouTube, Reddit).
Sub-processor: a third-party service provider that processes personal data on our behalf to deliver the Service.

3. Data We Collect

We collect the following categories of personal data:

Account data: name, email address, password (stored only as a salted hash, never in plaintext), workspace and brand names, billing contact.
Authentication data from Connected Platforms: OAuth access tokens, refresh tokens, scopes granted, and platform user IDs. All tokens are encrypted at rest using AES-256-GCM before being written to our database.
Social media content: posts you create, schedule, or have published through the Service; media you upload (images, video); captions, tags, and post metadata.
Analytics & engagement data: performance metrics that the Connected Platforms expose for content you have published (impressions, reach, engagement, follower counts).
Usage data: feature usage events, login times, IP address, browser and device type, error logs, and Service performance metrics.
Billing data: if you subscribe to a paid plan, billing data is collected and processed by our payment processor (see Section 6 — Sub-processors). We never store full card numbers on our servers.
Communications: messages you send to us via email or in-app support.

We do not intentionally collect special categories of personal data (race, religion, health, sexual orientation, biometric data, etc.). Please do not upload such data through the Service.

4. How We Use Your Data & Legal Basis

We process personal data on the following legal bases (GDPR Article 6):

Performance of a contract (Art. 6(1)(b)): to create your account, authenticate you, connect your Connected Platforms, schedule and publish posts, deliver analytics, provide customer support, and process payments.
Legitimate interest (Art. 6(1)(f)): to operate, secure, monitor, and improve the Service; to detect and prevent fraud and abuse; to communicate Service updates and security notices.
Consent (Art. 6(1)(a)): for optional analytics cookies, marketing communications, and any processing that is not strictly necessary for the Service. You may withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): to comply with applicable law (tax, accounting, lawful requests by public authorities).

We do not sell personal data and we do not use personal data for automated decision making that produces legal effects.

5. Connected Platforms

When you connect a Connected Platform to the Service, we receive an OAuth access token that allows us to perform actions on your behalf (e.g. publish a post, read analytics). We only request the scopes that are necessary for the features you choose to use, and you can revoke access at any time by disconnecting the account from the Service or from within the Connected Platform's own settings.

5.1 TikTok

When you connect a TikTok account we may access: basic profile information (open ID, avatar, display name), the ability to publish video and photo posts via the TikTok Content Posting API, and engagement metrics for posts published through the Service. Your use of TikTok through the Service is also subject to TikTok's own Privacy Policy and Terms of Service. You can disconnect your TikTok account in the Service's settings at any time; all stored TikTok tokens are then immediately deleted.

5.2 Meta (Instagram & Facebook)

When you connect an Instagram Business or Facebook Page we may access: page and Instagram Business profile information, the ability to publish content, read insights and comments, and respond to direct messages where you have granted that scope. We comply with Meta's Platform Terms and respond to deauthorize and data-deletion webhook callbacks within the timeframes Meta requires.

5.3 Pinterest

When you connect a Pinterest account we may access: profile information, board lists, and the ability to publish pins on your behalf. We comply with the Pinterest Developer Platform Policy and the Pinterest API terms. Use of Pinterest data is limited to the features you use within the Service.

5.4 Other Connected Platforms

We integrate with additional platforms including LinkedIn, X (Twitter), YouTube, Reddit, Threads, Bluesky, and Mastodon. Each integration is governed by the respective platform's API terms and only requests scopes necessary for the features you use.

6. Sub-processors

We use the following sub-processors to deliver the Service. Each sub-processor is bound by a data processing agreement that requires confidentiality, security, and GDPR compliance.

DigitalOcean, LLC (USA) — application hosting, managed PostgreSQL database (Frankfurt region), and Valkey (Redis) caching.
DigitalOcean Spaces (USA, S3-compatible object storage) — media uploads (images, video) you publish through the Service.
Sentry (Functional Software, Inc., USA) — application error monitoring and performance instrumentation.
OpenAI, L.L.C. (USA) — generative AI features (e.g. caption suggestions, content variants) when you use AI-assisted creation tools.
Stripe, Inc. (USA) — payment processing for paid subscriptions. Stripe is responsible for securely handling your full card number under PCI-DSS Level 1.
Email delivery providers (transactional email such as account verification, password reset, scheduling notifications).

We update this list when we add or change a sub-processor. The current list is authoritative; if you require advance notice of changes, contact privacy@imaketoday.com.

7. International Data Transfers

The Service is operated from the United States with primary database storage in the European Union (Frankfurt, Germany). Some sub-processors are located in the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country without an adequacy decision, the transfer is protected by the Standard Contractual Clauses approved by the European Commission and, where applicable, additional supplementary measures (such as encryption in transit and at rest).

8. Cookies & Similar Technologies

We use a small number of strictly-necessary cookies to operate the Service:

Session cookies for authentication and CSRF protection.
Preference cookies for remembering UI choices (theme, language).

We may use first-party analytics to understand how the Service is used in aggregate. We do not use third-party advertising cookies and we do not share usage data with advertising networks.

9. Data Security

OAuth access and refresh tokens are encrypted at rest with AES-256-GCM before being written to the database.
All connections to the Service use HTTPS with TLS 1.2 or higher.
Passwords are stored only as salted hashes, never in plaintext.
OAuth flows use PKCE (S256) on every supported platform.
Database access is restricted to authenticated application processes and is monitored.
We follow the principle of least privilege for both staff and machine access.
Production secrets are stored in encrypted secret managers, never in source control.

No security system is absolute. If you become aware of a security issue, please contact security@imaketoday.com.

10. Data Retention

Account data — retained for as long as your account is active and for up to 90 days after account deletion to handle billing reconciliation and abuse investigation, then permanently deleted.
OAuth tokens — deleted immediately when you disconnect a Connected Platform or delete your account.
Social media content drafts — retained for as long as your account is active; published-content metadata is retained while it provides analytics value (typically 24 months) and then aggregated.
Usage and error logs — retained for a maximum of 90 days, then deleted.
Billing records — retained for 7 years to comply with US tax and accounting law.
Backups — encrypted database backups are retained for up to 30 days and overwritten on a rolling basis.

11. Your Rights

Depending on your location, you have some or all of the following rights with respect to your personal data. You can exercise any of these rights free of charge by writing to privacy@imaketoday.com. We will respond within 30 days and may need to verify your identity before acting.

11.1 European / UK users (GDPR / UK GDPR)

Right of access — receive a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — request deletion of your data.
Right to restrict processing — pause processing while a dispute is resolved.
Right to data portability — receive your data in a machine-readable format.
Right to object — object to processing based on legitimate interest.
Right to withdraw consent — at any time, where processing is based on consent.
Right to lodge a complaint — with your local supervisory authority.

11.2 California residents (CCPA / CPRA)

Right to know what personal information we collect, use, disclose, and (do not) sell.
Right to delete personal information we hold about you, subject to legal exceptions.
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the Service.
Right to non-discrimination for exercising any of these rights.

We do not knowingly disclose personal information of consumers under 16 years of age for valuable consideration without affirmative authorization.

12. Children's Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact privacy@imaketoday.com and we will delete it. Use of certain Connected Platforms may have additional age requirements set by the platform itself.

13. Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33). Where the breach is likely to result in a high risk to you, we will also notify you directly (GDPR Article 34).

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where the change materially affects your rights, notify you by email or in-app notice at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

For privacy-related inquiries, requests to exercise your rights, or questions about this Policy, contact us at privacy@imaketoday.com.

For security disclosures, use security@imaketoday.com.

Mailing address: Kraboo LLC. To request our current registered office address for service of formal legal notices, please contact legal@imaketoday.com.