Privacy Policy

1.Information We Collect

Account data

When you create an account we collect your name, email address, and a hashed password (never stored in plain text).

Client / workspace data

For each client workspace you create we store the client name, brand colours, typography settings, and any brand assets you upload (logos, fonts, images).

Instagram data

When you connect an Instagram account via OAuth we store the account's username, Instagram account ID, and an OAuth access token. This token is stored securely on our servers and is never exposed in the browser or sent to third parties other than Meta's API.

Content data

We store the posts you create inside Klip, including uploaded visuals, AI-generated descriptions, scheduled dates, and publication status.

2.How We Use Your Data

• Provide, operate and improve the Klip service
• Publish content to Instagram on your behalf, strictly when you initiate the action and have granted explicit OAuth permission
• Generate AI captions and visual copy based on your visuals and brand settings
• Contact you for account-related communications and support
• Comply with legal obligations

We do not use your data for advertising, profiling, or any purpose beyond delivering the service you signed up for.

3.Data Sharing

We never sell your data to third parties. Data is shared only with the following sub-processors, strictly to operate the service:

Each sub-processor is bound by its own privacy policy and applicable data protection regulations.

4.Instagram Data

• Klip accesses your Instagram account exclusively through Meta's official OAuth flow — we never ask for your Instagram password.
• Permissions requested: instagram_business_basic and instagram_business_content_publish.
• These permissions are used solely to display your account stats and publish posts you have approved inside Klip.
• You can revoke access at any time from your Instagram account settings under Apps & Websites.
• OAuth access tokens are stored encrypted in our database and are never exposed client-side or included in API responses to the browser.

To request immediate deletion of your Instagram data: klip-swart.vercel.app/data-deletion

5.Data Retention

• Your data is retained for as long as your account is active.
• If you delete your account, all personal data and associated content will be permanently deleted within 30 days.
• Backup copies may persist for up to 30 additional days before being purged from all systems.

6.Your Rights (GDPR)

If you are located in the European Economic Area you have the following rights regarding your personal data:

• Right of access — obtain a copy of the data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your personal data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to restriction — request that we restrict processing of your data

To exercise any of these rights, contact us at martinkoch667@gmail.com. We will respond within 30 days.

To request data deletion: klip-swart.vercel.app/data-deletion

7.Security

• All data is transmitted over HTTPS / TLS
• Instagram access tokens are encrypted at rest in the database
• Row Level Security (RLS) is enforced on all database tables — each user can only access their own data
• Passwords are hashed using bcrypt via Supabase Auth — we never see your plain-text password
• File storage buckets are access-controlled by authenticated user ID

Despite our efforts, no method of transmission over the internet is 100% secure. If you discover a security vulnerability please report it to martinkoch667@gmail.com.

8.Contact & Data Controller