Data Policy
Last updated: March 9, 2026
This Data Policy provides detailed information about how itoms processes data, particularly in relation to third-party platform integrations (Instagram, TikTok) and data subject rights. This supplements our Privacy Policy.
1. Data We Process from Third-Party Platforms
1.1 Instagram (Meta Platform)
When you connect your Instagram account, we access the following through Meta's official API:
| Data | Purpose | Retention |
|---|---|---|
| Instagram username | Display connected account identity | Until disconnected |
| Instagram user ID | API calls to publish content | Until disconnected |
| Account type (Business/Creator) | Validate account eligibility for publishing | Until disconnected |
| OAuth access token | Authenticate API requests to publish on your behalf | Encrypted; deleted on disconnect |
Permissions requested:
- instagram_business_basic: read account information
- instagram_business_content_publish: publish photos, videos, and carousels on your behalf
We do not access your Instagram followers, messages, insights, comments, or any data beyond what is listed above. Publishing only occurs when you explicitly click “Publish” in our interface.
1.2 TikTok
When you connect your TikTok account, we access the following through TikTok's official API:
| Data | Purpose | Retention |
|---|---|---|
| Display name | Display connected account identity | Until disconnected |
| Open ID | API calls to publish content | Until disconnected |
| OAuth access token | Authenticate API requests to publish on your behalf | Encrypted; deleted on disconnect |
| Refresh token | Renew expired access tokens | Encrypted; deleted on disconnect |
Permissions requested:
- user.info.basic: read display name
- video.publish: publish videos on your behalf
We do not access your TikTok followers, messages, analytics, or any data beyond what is listed above. By posting through itoms, you agree to TikTok's Music Usage Confirmation.
1.3 Anthropic (AI Captions)
When you use the AI caption feature, the following content metadata is sent to Anthropic's API:
- Content title and description
- Content type (video, image, article, etc.)
- Tags associated with the content
- Project name
No personal data (email, name, account credentials) is sent to Anthropic. Anthropic's data usage policy states that API inputs are not used to train their models.
2. Token Security Architecture
- All OAuth tokens are encrypted using AES-256-GCM before storage
- Encryption uses a dedicated key stored in environment variables, separate from the database
- Tokens are decrypted only server-side at the moment of making an API call
- Tokens are never: sent to the browser, included in logs, stored in cookies, or included in error reports
- Database access is restricted by Row Level Security — each project can only access its own connections
3. Data Flow
3.1 Social Media Connection Flow
- User clicks “Connect” in project Settings
- User is redirected to the platform's official OAuth page (Instagram or TikTok)
- User authorizes itoms with the requested permissions
- Platform redirects back to itoms with an authorization code
- itoms exchanges the code for access tokens server-side
- Tokens are encrypted and stored in the database
- Connected account info is displayed in Settings
3.2 Publishing Flow
- User selects content and clicks “Publish to Social Media”
- User optionally generates an AI caption, reviews, and edits it
- User clicks “Publish”
- Server decrypts the stored token for the target platform
- Content media URL and caption are sent to the platform's API
- Publication status is recorded (success/failure)
- Token is discarded from memory after use
4. Your Data Rights
4.1 Right to Access
You can view all your data through the itoms dashboard. For a complete data export, contact privacy@ito.ms.
4.2 Right to Rectification
You can update your personal information at any time through Account settings.
4.3 Right to Erasure (Right to be Forgotten)
You can delete your account and all associated data from Account settings. You can also request deletion by emailing privacy@ito.ms. We will process deletion requests within 30 days.
4.4 Right to Disconnect
You can disconnect any social media account at any time. This immediately and permanently deletes the stored OAuth tokens. You can also revoke itoms's access from within each platform's own settings:
- Instagram: Settings → Apps and Websites → Remove itoms
- TikTok: Settings → Security → Manage app permissions → Remove itoms
4.5 Right to Object
You may object to any processing of your data by contacting us. We will cease processing unless we have compelling legitimate grounds.
5. Data Breach Notification
In the unlikely event of a data breach affecting your personal data, we will:
- Notify affected users within 72 hours of becoming aware of the breach
- Describe the nature of the breach and data affected
- Outline the measures taken to address the breach
- Provide recommendations for users to protect themselves
6. Sub-Processors
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database and authentication | All user and content data |
| Vercel | Application hosting | Request logs, server-side processing |
| Cloudflare | Media storage (video, images, audio) | Uploaded media files |
| Resend | Email delivery | Recipient email addresses, email content |
| Anthropic | AI caption generation | Content metadata (no personal data) |
| Plausible | Privacy-friendly analytics | Anonymized page views (no cookies, no personal data) |
7. Contact
For data-related requests or questions:
- Email: privacy@ito.ms