Privacy Policy
Last updated June 26, 2026 · DRAFT — pending legal counsel review
This Privacy Policy explains how [RearFront legal entity name] (“RearFront”, “we”, “us”) collects, uses, stores, shares, and deletes information when you use the RearFront social-media management platform at [rearfront.com] (the “Service”). It also describes how we handle data from the social platforms you connect (Facebook, Instagram, TikTok, X, Pinterest, and YouTube).
1. Who we are
The data controller is [RearFront legal entity], [registered address]. For privacy questions, contact [privacy@rearfront.com] [Data Protection Officer / EU representative, if applicable].
2. Information we collect
- Account information — name, email, workspace and team details you provide when you create an account (authenticated via our identity provider).
- Connected social accounts — when you connect a Facebook Page, Instagram professional account, TikTok, X, Pinterest, or YouTube account, we receive the account identifier, display name, and the OAuth access and refresh tokens needed to act on your behalf.
- Content you create — posts, captions, media, schedules, approvals, comments, and campaign data you produce in the Service.
- Platform data — content, metadata, and analytics (e.g. views, engagement, audience insights) that the connected platforms return through their official APIs, only for the accounts you have explicitly connected.
- Usage and device data — log data, IP address, and basic device information used to operate and secure the Service. We do not sell this data.
3. How we use your information
- To publish, schedule, recycle, and manage content to the accounts you connect, at your direction.
- To display analytics and reporting for those accounts.
- To provide collaboration, approval, and team workspace features.
- To operate, secure, debug, and improve the Service.
- To comply with legal obligations and the connected platforms’ developer policies.
We do not use platform data for advertising, do not sell it, and do not transfer it except as needed to provide the features you request (see §6).
4. Google API Services — Limited Use
RearFront’s use of information received from Google APIs (YouTube Data API and YouTube Analytics API) adheres to the Google API Services User Data Policy, including its Limited Use requirements. We only request the youtube.upload and yt-analytics.readonly scopes, use that data solely to provide and improve user-facing features, do not transfer it except as necessary to provide those features or for security/legal reasons, do not use it for advertising, and do not allow humans to read it unless you consent, it is necessary for security, or it is required by law. RearFront’s use of YouTube data is also subject to the YouTube Terms of Service and the Google Privacy Policy.
5. How we store and secure data
- OAuth tokens are encrypted at rest using authenticated envelope encryption (per-tenant AES-256-GCM data keys wrapped by a key-management-service master key). Tokens are decrypted only in memory at the moment they are needed to call a platform API, and never logged.
- Tenant isolation — each workspace’s data is isolated at the database level with row-level security, so one customer’s data is never visible to another.
- Data is encrypted in transit (TLS) and access is restricted and audit-logged.
6. Sharing and sub-processors
We share data only with infrastructure sub-processors that operate the Service (e.g. cloud hosting, database, object storage, our authentication provider, and the AI provider used for optional content assistance), each under contract. A current list is available at [rearfront.com/subprocessors]. We do not sell your data or share platform data for advertising.
7. Data retention
- We retain your content and account data while your account is active.
- When you revoke a connection or delete your account, we delete the associated tokens and platform data within 7 days, and complete deletion of remaining data within 30 days, except where retention is required by law.
- Authorized platform data we store is refreshed or deleted on at least a 30-day cycle.
8. Your rights and how to delete your data
Depending on your location you may have rights to access, correct, export, or delete your personal data, and to object to or restrict processing. You can disconnect any social account at any time in the Service, which immediately revokes and deletes its stored tokens. To request deletion of your data, follow the steps on our Data Deletion page, or email [privacy@rearfront.com].
9. Platform-specific notes
Your use of connected platforms remains subject to their own terms and policies, including the Meta Platform Terms, TikTok Developer Terms, the X Developer Agreement, the Pinterest Developer Guidelines, and the YouTube Terms of Service. We access only the accounts you connect and only the scopes listed at connection time.
10. Children
The Service is not directed to children under [16] and we do not knowingly collect their data.
11. Changes
We may update this policy and will post the new version here with a revised date. Material changes will be communicated in-product or by email.
12. Contact
[RearFront legal entity], [address] — [privacy@rearfront.com].