AllSocials Privacy Policy
Last updated: April 2026
This Privacy Policy applies to AllSocials, also styled as “All Socials”, available at allsocials.xyz.
1. Data Controller
AllSocials ("All Socials", "we", "our", "us") is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, you can contact us at privacy@allsocials.xyz.
2. Data We Collect
We collect the following categories of personal data:
Account Information
- Email address and display name — provided by Google during sign-in (OAuth)
- Subscription and billing status — managed through Stripe
Brand Profile Data
- Company name, website domain, location
- Brand voice settings, content pillars, posting goals
- Website summaries generated from public pages you provide
Social Media Connections
- Platform account names and identifiers (LinkedIn, Instagram, Facebook, X, Threads)
- OAuth access tokens and refresh tokens (encrypted at rest)
Content Data
- Post drafts, scheduled posts, and published content text
- Uploaded images and videos
Usage Data
- Feature usage events (e.g. posts created, AI generations used)
- Login timestamps
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance — processing necessary to provide the Service you signed up for (account management, content publishing, scheduling)
- Consent — for optional features like AI content generation using your brand data
- Legitimate interest — for service improvement, security, and fraud prevention
4. How We Use Your Data
- To provide and maintain the Service
- To publish content to your connected social media accounts on your behalf
- To generate AI-powered content suggestions based on your brand profile
- To process payments and manage subscriptions
- To send service-related notifications
Support submissions
When you contact us through the in-app support widget, we collect the name, email address, and message you provide, plus the page URL you were on, your subscription plan, and the truncated /24 IP block. This is used solely to triage and respond to your support request. We retain support submissions for 18 months and then delete them automatically.
5. Third-Party Data Sharing
We share data with the following categories of third parties, solely to provide the Service:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Google (Gemini AI) | Brand profile context, post text | AI content generation and trending topic suggestions. Google Search grounding may be used for real-time data. |
| Stripe | Email, name, subscription metadata | Payment processing and subscription management |
| Social Media Platforms | Post content, media files, OAuth tokens | Publishing content to your connected accounts |
| Google Cloud Storage | Uploaded media files | Reliable media delivery to social platforms |
We do not sell your personal data. We do not use advertising or tracking cookies.
6. International Data Transfers
Your data may be processed by third-party services (Google, Stripe) that operate servers outside the European Economic Area. These providers maintain appropriate safeguards including Standard Contractual Clauses and relevant certifications to ensure your data is protected in accordance with GDPR requirements.
7. Data Security
- OAuth tokens are encrypted at rest using AES-128-CBC with HMAC-SHA256 (Fernet)
- Session cookies are signed, time-limited (14 days), and use secure flags (HttpOnly, SameSite=Lax, Secure in production)
- Sensitive tokens are not stored in browser cookies
- All connections use HTTPS in production
8. Data Retention
- Account data — retained for the lifetime of your account
- Scheduled posts — retained until you delete them or delete your account
- Uploaded media — retained on our servers until you delete the associated post or account. GCS media for social platform delivery is automatically cleaned up after 3 days.
- Usage events — retained for the lifetime of your account for billing and usage tracking
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — correct inaccurate data via your profile settings
- Right to erasure — permanently delete your account and all associated data from your Account page
- Right to data portability — download all your data as a JSON file from your Account page
- Right to restriction — request that we limit processing of your data
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
To exercise any of these rights, use the tools on your Account page or contact us at privacy@allsocials.xyz. We will respond within 30 days.
10. Cookies
We use only essential cookies required for the Service to function:
- Session cookie — keeps you logged in and stores your active profile preference. Signed, time-limited (14 days), and uses secure flags.
We do not use analytics, advertising, or third-party tracking cookies.
11. Children
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes via email. The "Last updated" date at the top of this page indicates when the latest revision was made.
13. Contact & Complaints
For privacy-related questions or to exercise your rights, contact us at privacy@allsocials.xyz.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.