Privacy Policy

Last Updated: March 9, 2026

1. Introduction

Socialweb ("we," "our," or "us") is a social media scheduling and management platform operated by Choice OMG, based in Edmonton, Alberta, Canada. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use our service at socialweb.choice.zone ("the Service").

This Privacy Policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), and other applicable Canadian privacy legislation. It also satisfies the privacy policy requirements of Meta (Facebook/Instagram), Google (including YouTube API Services), and other third-party platforms whose APIs we use.

By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Accountability

Choice OMG is responsible for the personal information under our control. Questions, concerns, or complaints about our privacy practices should be directed to:

  • Privacy Officer
  • Choice OMG
  • 10060 Jasper Avenue, Suite 2020
  • Edmonton, Alberta T5J 3R8, Canada
  • Email: admin@choice.marketing

If you are unsatisfied with our response to a privacy complaint, you may file a complaint with the Office of the Information and Privacy Commissioner of Alberta (for matters under Alberta PIPA) or the Office of the Privacy Commissioner of Canada (for matters under PIPEDA).

3. Information We Collect

3.1 Account Information

When you create an account via Google OAuth, we collect:

  • Email address
  • Full name (as provided by Google)
  • Profile picture URL (from your Google account)
  • Google account identifier (unique ID for authentication)

3.2 Connected Social Media Accounts

When you connect social media accounts through OAuth authorization, we collect and store:

  • OAuth access tokens and refresh tokens (used to publish content and retrieve data on your behalf)
  • Token expiration dates
  • Your username, display name, and handle on each platform
  • Your profile picture URL from each platform
  • Platform-specific account and page identifiers

3.3 Content You Create

We store:

  • Post content (text, captions, descriptions)
  • Uploaded images, videos, and other media files
  • Scheduling dates and times
  • Post status (draft, scheduled, published, failed)
  • Error messages and logs related to failed posts
  • Tags and organizational metadata

3.4 Analytics Data

We retrieve analytics and engagement data from your connected social media platforms via their APIs, including impressions, likes, comments, shares, follower counts, and engagement rates. This data is cached temporarily (up to 1 hour) to improve performance. Google Business Profile data is retained for no more than 30 calendar days in compliance with Google's API terms.

3.5 Technical Data

We automatically collect:

  • IP address (at registration and login)
  • Browser type and user agent string
  • Timezone preference
  • Session identifiers

4. Purposes of Collection

We collect and use your personal information for the following identified purposes:

  • Authentication and account management: To verify your identity, create your account, and maintain your session
  • Service delivery: To publish scheduled content to your connected social media accounts on your behalf
  • Analytics display: To retrieve and present engagement metrics and analytics from your connected accounts
  • Notifications: To inform you about post status (success, failure, scheduling confirmations)
  • Service improvement: To maintain, debug, and improve the reliability of the Service
  • Security: To detect and prevent unauthorized access, fraud, and abuse
  • Legal compliance: To comply with applicable laws, regulations, and legal processes

We will not use your personal information for purposes beyond those identified above without first obtaining your consent, except where required by law.

5. Consent

We rely on different forms of consent depending on the sensitivity of the information:

  • Express consent (opt-in): For sensitive information such as social media OAuth tokens and credentials, you provide express consent through each platform's OAuth authorization flow, which clearly describes the permissions being granted before you authorize.
  • Implied consent: For less sensitive technical data (IP address, browser type, session identifiers), consent is implied through your use of the Service.

When you connect a social media account, you are asked to authorize specific permissions through that platform's OAuth flow. You may review and revoke these permissions at any time through the respective platform's account settings.

You should be aware that when your data is transmitted to third-party platforms, it becomes subject to their privacy practices and the laws of their jurisdictions. Data transferred outside of Canada may be accessible to foreign governments and law enforcement under local laws.

You may withdraw your consent at any time by disconnecting your social accounts, deleting your content, or requesting account deletion. Withdrawal of consent may affect our ability to provide the Service to you.

6. Disclosure and Sharing of Information

6.1 Third-Party Platforms

When you schedule and publish posts, we transmit your content (text, media, metadata) to the social media platforms you have connected. Each platform processes this data according to its own privacy policy and terms of service.

Third-party platforms we integrate with include:

6.2 What We Do NOT Do With Your Data

  • We do not sell, license, rent, or trade your personal information to any third party
  • We do not use your data for advertising, ad targeting, retargeting, or marketing profiling
  • We do not share your data with data brokers, information resellers, or advertising platforms
  • We do not use platform data for surveillance, law enforcement, or national security purposes
  • We do not use data to make decisions about housing, employment, credit, insurance, or immigration
  • We do not reverse engineer, decode, or de-anonymize any data received from third-party platforms
  • We do not build or augment user profiles beyond what is necessary to provide the Service

6.3 Service Providers

We may share limited data with service providers who assist in operating the Service (e.g., hosting infrastructure, error monitoring). Any service provider that processes personal information on our behalf is contractually required to protect your data, use it only for the purposes we specify, and comply with the applicable platform terms (including Meta Platform Terms and Google API Services Terms) consistent with this Privacy Policy. We remain accountable for your personal information while it is in the hands of our service providers.

6.4 Legal Disclosure

We may disclose your personal information if required to do so by law, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7. Cross-Border Data Transfers

The Service is hosted in Canada. However, when you publish content to third-party social media platforms, your data is transmitted to and processed by those platforms in jurisdictions outside of Canada, including but not limited to the United States and the European Union.

Third-party services that may process your data outside of Canada include:

  • Meta Platforms (USA): Facebook, Instagram, and Threads publishing
  • Google (USA): Google OAuth authentication, Google Business Profile, and YouTube
  • X Corp (USA): X/Twitter publishing
  • Microsoft/LinkedIn (USA): LinkedIn publishing
  • ByteDance (Singapore/USA): TikTok publishing
  • Reddit (USA), Pinterest (USA), Discord (USA), Slack (USA): Publishing to respective platforms
  • Sentry (USA): Application error monitoring and reporting

When your data is transferred outside of Canada, it may be subject to the laws of the receiving jurisdiction, including laws that may permit access by government authorities. We take reasonable contractual and technical measures to ensure your data receives a level of protection comparable to what it would receive in Canada.

8. Data Storage and Security

8.1 Where Data is Stored

Your data is stored on our self-hosted infrastructure located in Edmonton, Alberta, Canada, in a PostgreSQL database and Redis cache. Media files are stored on local server storage.

8.2 Security Measures

We implement administrative, physical, and technical safeguards to protect your personal information, including:

  • HTTPS/TLS encryption for all data in transit
  • AES-256-GCM encryption for stored OAuth tokens and credentials
  • Secure session management with HTTP-only cookies
  • Firewall protection and intrusion detection (fail2ban)
  • SSH key-based authentication for server access (password authentication disabled)
  • Regular security updates and patching
  • Access restricted to authorized administrators only

8.3 Breach Notification

In the event of a data breach involving your personal information that creates a real risk of significant harm, we will:

  • Notify the Office of the Privacy Commissioner of Canada (under PIPEDA) and the Office of the Information and Privacy Commissioner of Alberta (under PIPA) as soon as feasible
  • Notify affected individuals with a description of the breach, types of personal information involved, steps we have taken to reduce harm, and steps you can take to protect yourself
  • Notify any other organizations that may be able to reduce the risk of harm
  • Report security incidents involving Meta platform data to Meta in accordance with the Meta Platform Terms

We maintain records of all data breaches (whether or not they meet the reporting threshold) for at least 24 months as required by law.

9. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days.
  • Post content and media: Retained for as long as your account is active. Deleted posts are soft-deleted (marked as deleted) and permanently purged within 90 days.
  • OAuth tokens: Retained while the social account is connected. Tokens are deleted when you disconnect an account.
  • Analytics data (cached): Temporarily cached for up to 1 hour. Google Business Profile data is retained for no more than 30 calendar days.
  • Technical logs: Server logs are retained for up to 90 days for debugging and security purposes.

We do not retain personal information longer than necessary for the purposes for which it was collected, except as required by law.

10. Your Rights

Under PIPEDA, Alberta PIPA, and applicable Canadian privacy law, you have the following rights regarding your personal information:

10.1 Right of Access

You may request access to the personal information we hold about you. Access requests are provided at no cost. We will respond to your request within 30 days.

10.2 Right of Correction and Data Accuracy

You may request correction of inaccurate or incomplete personal information. You can update your profile information directly through your account settings. We take reasonable steps to ensure that personal information used to make decisions about you is accurate, complete, and up to date. Profile data sourced from third-party platforms is refreshed when you reconnect or re-authorize your accounts.

10.3 Right to Withdraw Consent

You may withdraw your consent to the collection and use of your personal information at any time, subject to legal or contractual restrictions. You can:

  • Disconnect social media accounts through your Socialweb settings
  • Revoke Socialweb's access through each platform's account settings (e.g., Facebook Apps and Websites, Google Account Permissions)
  • Request full account deletion

10.4 Right to Deletion

You may request deletion of your personal information by:

Data deletion requests are processed within 30 days. Some data may be retained longer if required by law or for legitimate business purposes (e.g., breach records).

10.5 Right to Complain

If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer at admin@choice.marketing. We will acknowledge your complaint within 10 business days and provide a substantive response within 30 days. If you are unsatisfied with our response, you may escalate your complaint to the Office of the Information and Privacy Commissioner of Alberta or the Office of the Privacy Commissioner of Canada.

11. Meta Platform Data

This section specifically addresses data obtained through Meta's APIs (Facebook, Instagram, and Threads):

  • We access Meta platform data only through official Meta APIs and only with your explicit authorization via OAuth
  • Data obtained from Meta is used solely to provide the Service (scheduling posts, displaying analytics)
  • We do not sell, license, or sublicense any Meta platform data
  • We do not use Meta data for advertising, surveillance, or profiling purposes
  • We do not transfer Meta data to data brokers or advertising platforms
  • Meta platform data is deleted when: you disconnect your Meta account; you request deletion; your account is terminated; Meta requests deletion; the data is no longer needed to provide the Service; we discontinue the Service; or upon any Meta enforcement action
  • We implement security measures that meet or exceed industry standards to protect Meta platform data
  • Security incidents involving Meta platform data are reported to Meta as required by the Meta Platform Terms

For instructions on revoking Socialweb's access to your Facebook or Instagram data, visit Facebook's Apps and Websites settings.

12. Google User Data

This section specifically addresses data obtained through Google's APIs (Google OAuth, Google Business Profile, YouTube). This application uses YouTube API Services.

  • Socialweb's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements
  • We use Google data only to provide and improve user-facing features of the Service that are prominent and visible to users
  • We do not transfer Google user data to third parties except: (a) with your consent, as necessary to provide or improve user-facing features; (b) for security purposes; (c) as required by law; or (d) as part of a merger, acquisition, or sale of assets, with your explicit prior consent
  • We do not use Google user data for advertising, retargeting, serving ads, or determining credit-worthiness or lending eligibility
  • We do not allow humans to read your Google data unless: (a) you affirmatively agree to a specific interaction; (b) it is necessary for security purposes; (c) it is required to comply with applicable law; or (d) the data is aggregated and anonymized for internal operations
  • Google Business Profile data is retained for no more than 30 calendar days and is stored separately, not aggregated with other data sources
  • YouTube data is deleted or refreshed within 30 calendar days. Upon your request to delete YouTube data, we will process the deletion within 7 calendar days. If you revoke access through your Google security settings, we will delete your YouTube data within 30 days

Relevant Google policies and terms:

13. Cookies and Local Storage

We use the following cookies and browser storage mechanisms, all of which are essential to the operation of the Service:

  • Authentication cookie ("auth"): Maintains your login session. Secure, HTTP-only.
  • Organization cookie ("showorg"): Tracks your active brand/organization selection. Secure, HTTP-only.
  • Language cookie: Stores your language preference.
  • Local storage: Stores UI preferences (e.g., sidebar state, timezone selection).

We do not use advertising cookies, analytics tracking cookies, or any third-party tracking cookies. All cookies used are strictly necessary for the Service to function.

14. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify registered users via the email address associated with their account
  • Obtain new consent where required by law before using your data for any new purpose

We retain prior versions of this Privacy Policy and will provide them upon request. Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

16. Security Vulnerability Reporting

If you discover a security vulnerability that may affect the privacy of user data, please report it responsibly by emailing admin@choice.marketing with the subject line "Security Vulnerability Report." We will acknowledge receipt within 5 business days and work to address verified vulnerabilities promptly.

17. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information:

We will respond to privacy-related inquiries within 30 days.

Socialweb by Choice OMG
