Legal
Privacy Policy
Effective date: February 27, 2026 · Last updated: February 27, 2026
OctoSocial is operated by OctoSocial Inc., a company incorporated in Ontario, Canada ("OctoSocial," "we," "our," or "us"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have over it.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, do not use the Service.
1. What Information We Collect
1.1 Account Information
When you create an account, we collect your email address and any name or display name you provide. If you sign up via a third-party authentication provider (such as Google), we receive the profile information authorized by that provider.
1.2 Social Platform Data
When you connect a social media account (X/Twitter, Instagram, Bluesky), we receive and store:
- OAuth credentials — access tokens that authorize OctoSocial to read your posts and publish on your behalf. We store these tokens securely and never expose them outside of API calls to the respective platform.
- Post history — up to 200 of your most recent public posts from each connected account. We use this data solely to build your Voice Profile (see Section 4). This data is associated with your account and is not shared with other users.
- Account metadata — your public profile name, handle, and account identifiers from connected platforms.
1.3 Content You Create in OctoSocial
We store content you create, edit, or schedule through the Service, including draft posts, scheduled posts, and any images you attach. This content is yours and is stored to deliver the Service.
1.4 Voice Profile Data
OctoSocial builds an AI Voice Profile from your post history and the answers you provide during your onboarding interview. See Section 4 for a full description of how this data is collected and used.
1.5 Payment Information
Payments are processed by Stripe. We do not store your full card number, CVV, or banking information. We receive and store a payment token, your billing email, and your subscription status from Stripe. For details on how Stripe handles payment data, see Stripe's Privacy Policy.
1.6 Usage and Analytics Data
We collect information about how you use the Service, including pages visited, features used, buttons clicked, session duration, and similar interaction data. We also collect standard technical information: IP address, browser type and version, operating system, device type, and referral source.
1.7 Waitlist and Communications
If you join our waitlist or sign up for email updates, we collect your email address. We also retain records of support and other communications you send us.
2. How We Collect Information
We collect information in the following ways:
- Directly from you — when you create an account, complete the onboarding interview, upload content, or contact support.
- Via OAuth — when you authorize OctoSocial to access a connected social platform, that platform sends us your post history and account information within the permissions you grant.
- Automatically — through cookies, pixels, and similar technologies as you use the Service (see Section 7).
- From third parties — such as authentication providers if you choose to sign in via a third-party service.
3. How We Use Your Information
We use your information for the following purposes:
| Purpose | Data used | Legal basis (PIPEDA / GDPR) |
|---|---|---|
| Providing and operating the Service | Account info, platform data, content, payment info | Contractual necessity |
| Building and maintaining your AI Voice Profile | Post history, onboarding interview responses | Contractual necessity / consent |
| Generating content suggestions | Voice Profile, workspace preferences | Contractual necessity |
| Publishing and scheduling posts | Platform OAuth tokens, draft content | Contractual necessity |
| Processing payments and managing subscriptions | Payment info, account info | Contractual necessity / legal obligation |
| Analytics and product improvement | Usage data, device/browser info | Legitimate interest |
| Security and fraud prevention | IP address, usage patterns | Legitimate interest / legal obligation |
| Customer support and communications | Account info, communications | Contractual necessity / legitimate interest |
| Marketing and product updates (opt-in) | Email address | Consent |
| Legal compliance and dispute resolution | As required | Legal obligation / legitimate interest |
We do not sell your personal information to third parties. We do not use your data for advertising profiling or share it with data brokers.
4. AI Voice Profile — A Closer Look
The AI Voice Profile is central to how OctoSocial works. We want to be transparent about exactly what it is and how it's handled.
What it is
Your Voice Profile is a structured representation of your writing style — vocabulary, sentence length, tone, recurring themes, and audience — derived from your post history and the interview you complete during onboarding.
How it's built
When you connect a social account, we retrieve up to 200 of your most recent posts. We send this content to an AI service provider (such as OpenAI or a comparable provider) to extract style signals. The resulting Voice Profile is stored on our servers linked to your account.
How it's used
Your Voice Profile is used exclusively to generate content suggestions tailored to your style. It is not shared with other users or used to train shared AI models. When our AI service provider processes your data to generate suggestions, they act as a data processor on our behalf, subject to data processing agreements that restrict their use of your data.
AI training commitment
OctoSocial does not use your personal post history, Voice Profile data, or user-generated content to train AI models that are shared across users. Any AI processing of your data is performed solely to deliver the Service to you personally.
Deleting your Voice Profile
You may request deletion of your Voice Profile and all associated ingested post data at any time by contacting privacy@octosocial.app. Deletion will prevent OctoSocial from generating personalized suggestions until you reconnect an account and rebuild your profile.
5. Disclosure to Third Parties
We share your personal information with third parties only in the following circumstances:
5.1 Service Providers (Data Processors)
We engage third-party companies to help us operate the Service. These providers process your data only on our instructions and are bound by data processing agreements. Our current key providers include:
- Stripe — payment processing. See Stripe's Privacy Policy.
- AI service provider(s) (e.g. OpenAI or equivalent) — processing post content and generating suggestions on our behalf. We will specify the provider in use on our sub-processor list once finalized.
- Analytics provider (e.g. PostHog, Mixpanel, or Google Analytics) — collecting aggregated usage data to help us understand how the product is used and improve it.
- Email service provider (e.g. Resend, Mailchimp, or ConvertKit) — sending transactional emails (account confirmations, billing receipts) and, if you have opted in, product newsletters.
- Cloud infrastructure — hosting, databases, and storage (see Section 6 on cross-border transfers).
5.2 Third-Party Social Platforms
When you authorize OctoSocial to publish to X, Instagram, or Bluesky, we transmit your draft post content to those platforms' APIs. Once published, that content is subject to the privacy practices of those platforms, which are outside our control.
5.3 Legal Requirements
We may disclose your information if we believe in good faith that disclosure is required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of OctoSocial, our users, or others.
5.4 Business Transfers
If OctoSocial is involved in a merger, acquisition, asset sale, or similar transaction, your personal information may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
5.5 With Your Consent
We may share your information with other third parties when you give us explicit permission to do so.
6. Cross-Border Data Transfers
OctoSocial is based in Ontario, Canada. Our cloud infrastructure and most of our service providers are located in the United States. By using the Service, you acknowledge that your personal information will be transferred to and processed in the United States and potentially other countries where privacy laws may differ from those in your country of residence.
For Canadian users (PIPEDA): Transfers to the United States are subject to the legal requirements of that jurisdiction, including possible access by U.S. government authorities. We take reasonable contractual and technical measures to protect your information during transfers.
For EU/EEA users (GDPR): We rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms when transferring personal data outside the EEA. You may request a copy of the relevant transfer safeguards by contacting us at privacy@octosocial.app.
7. Cookies and Analytics
We use cookies and similar tracking technologies on the Service. Here is how we use them:
| Category | Purpose | Can you opt out? |
|---|---|---|
| Essential | Authentication sessions, security tokens, CSRF protection. Required for the Service to function. | No — required for service delivery |
| Analytics | Aggregate usage tracking (pages visited, feature interactions, session data) to improve the product. | Yes — via cookie preferences or browser settings |
| Marketing | Measuring effectiveness of our own marketing pages (not for third-party ad targeting). | Yes — via cookie preferences |
You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect your ability to use parts of the Service. We do not currently respond to "Do Not Track" browser signals, as there is no accepted industry standard for doing so.
8. Data Retention
We retain your personal information for as long as necessary to provide the Service and comply with our legal obligations. The following guidelines apply:
| Data type | Retention period |
|---|---|
| Account information | Duration of your account, plus 30 days after deletion (to allow recovery) |
| Ingested social post history | Duration of your account. Deleted within 30 days of account closure or Voice Profile deletion request. |
| Voice Profile data | Duration of your account, or immediately upon deletion request. Deleted within 30 days. |
| Scheduled and published post content | Duration of your account. Deleted within 30 days of account closure. |
| Payment records and billing history | 7 years from the date of the transaction (required by Canadian tax law). |
| Analytics and usage logs | Up to 24 months in identifiable form, then aggregated or deleted. |
| Support correspondence | 3 years from last communication. |
| Waitlist email addresses | Until you unsubscribe or 2 years of inactivity, whichever comes first. |
When data is no longer required, we securely delete or anonymize it.
9. Security
We use industry-standard technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These include encryption in transit (TLS) and at rest, access controls, regular security reviews, and data minimization practices.
No method of transmission or storage is 100% secure. If we become aware of a security incident that affects your personal information, we will notify you in accordance with applicable laws — including the mandatory breach notification requirements under PIPEDA and, where applicable, GDPR.
10. Children's Privacy
OctoSocial is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at privacy@octosocial.app.
11. Your Privacy Rights
Depending on where you are located, you may have the following rights with respect to your personal information. To exercise any of these rights, contact us at privacy@octosocial.app. We will respond within the timeframes required by applicable law (generally 30 days).
All users
- Access: Request a copy of the personal information we hold about you.
- Correction: Ask us to correct inaccurate or incomplete personal information.
- Deletion: Request that we delete your personal information, subject to legal retention requirements (see Section 8).
- Withdraw consent: Where processing is based on consent (e.g. marketing emails), you may withdraw consent at any time without affecting prior processing. You can unsubscribe from marketing emails via the unsubscribe link in any email we send.
EU / EEA users — additional GDPR rights
- Portability: Receive your personal data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
- Restriction: Ask us to restrict processing of your data in certain circumstances (e.g. while a dispute is pending).
- Object: Object to processing based on legitimate interests, including profiling and analytics.
- Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (Data Protection Authority).
California users — CCPA rights
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to:
- Know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Delete personal information we have collected from you, subject to certain exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. OctoSocial does not sell or share personal information for cross-context behavioral advertising.
- Non-discrimination — we will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, contact us at privacy@octosocial.app. We will verify your identity before fulfilling a request.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes — particularly those that expand how we use your data — we will provide at least 14 days' advance notice via in-app notification or email before the changes take effect.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you should stop using the Service and close your account.
13. Contact and Complaints
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact our Privacy Officer:
Privacy Officer, OctoSocial Inc.Ontario, Canada
privacy@octosocial.app
Canadian users — PIPEDA complaints
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC):
Office of the Privacy Commissioner of Canadapriv.gc.ca/en/report-a-concern
EU/EEA users — GDPR complaints
EU/EEA users may also lodge a complaint with the data protection authority in their member state. A directory of EU supervisory authorities is available at edpb.europa.eu.