Privacy Policy
Last updated: March 9, 2026
itoms (“we”, “our”, or “us”) operates the itoms platform at app.ito.ms. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — used for authentication, notifications, and account recovery
- Full name — displayed as your profile name
- Password — stored securely using industry-standard hashing (never in plaintext)
- Company name (optional) — for account context
- Profile photo (optional) — stored on Cloudflare Images
1.2 Content You Create
When you use itoms to publish content, we store:
- Videos, images, audio files, articles, shouts, and polls you upload or create
- Titles, descriptions, tags, and other metadata associated with your content
- Project settings, branding, and configuration
1.3 Third-Party Social Media Data
If you connect a social media account (Instagram or TikTok) for publishing, we collect and store:
- Account username and ID — to identify the connected account
- Account type — e.g., Business or Creator (Instagram)
- OAuth access tokens — encrypted with AES-256-GCM and stored server-side only; never exposed to the browser
- Refresh tokens (where applicable) — encrypted and stored server-side only
- Token expiration dates — to manage token lifecycle
We do not collect your social media passwords. Authentication is handled entirely through each platform's official OAuth flow. We only request the minimum permissions necessary to publish content on your behalf.
1.4 Subscriber Data
When end users subscribe to a project's newsletter, we collect their email address and subscription preferences. This data belongs to the project and is used solely for email delivery.
1.5 Automatically Collected Information
- IP address — for rate limiting and security
- User agent — for device compatibility
- Usage analytics — page views, feature usage (via Plausible Analytics, which is privacy-focused and does not use cookies)
- Error logs — for debugging and service reliability (via Sentry)
2. How We Use Your Information
- Provide the service — authenticate you, manage your projects, store and deliver your content
- Social media publishing — use your stored OAuth tokens to publish content to Instagram and TikTok on your behalf, only when you explicitly initiate a publish action
- AI-generated captions — when you request AI caption generation, your content title, description, and tags are sent to Anthropic's API (Claude) to generate social media captions. No personal data is sent — only content metadata
- Email delivery — send transactional emails (account approval, password resets) and project newsletters to subscribers
- Security — detect and prevent fraud, abuse, and unauthorized access
- Improvement — understand usage patterns to improve the platform (using aggregated, anonymized data)
3. How We Store and Protect Your Data
3.1 Infrastructure
- Application hosting — Vercel (encrypted in transit via TLS)
- Database — Supabase (PostgreSQL with Row Level Security, encrypted at rest)
- Media storage — Cloudflare (Stream for video, Images for photos, R2 for audio)
- Email — Resend
- Payment processing — Stripe (billing information, subscription management)
3.2 Token Security
Social media OAuth tokens are encrypted using AES-256-GCM with a dedicated encryption key before being stored in our database. Tokens are only decrypted server-side at the moment of publishing. They are never sent to the browser, logged, or included in error reports.
3.3 Access Controls
All database queries are scoped to the authenticated user's projects using Row Level Security. Cross-project data access is not possible. Admin API routes verify project membership and role (owner/admin/viewer) before processing requests.
4. Data Sharing and Third Parties
We share your data only in these circumstances:
- With your explicit action — when you publish content to Instagram or TikTok, the content and caption are sent to that platform via their official API
- Service providers — the infrastructure providers listed in Section 3.1 process data on our behalf under their own privacy policies
- AI caption generation — content metadata (not personal data) is sent to Anthropic for caption generation when you request it
- Legal requirements — if required by law, regulation, or legal process
We do not sell, rent, or trade your personal information to third parties.
5. Your Rights and Choices
5.1 Access and Portability
You can access all your data through the itoms dashboard at any time. To request a complete export of your data, contact us at privacy@ito.ms.
5.2 Correction
You can update your profile information (name, email, avatar) in your Account settings at any time.
5.3 Deletion
You can delete your account and all associated data from your Account settings page. This action is irreversible and will permanently remove:
- Your user account and profile
- All projects you own (including all content, settings, and subscriber data)
- All social media connections and stored tokens
- All analytics and usage data associated with your account
Alternatively, you can email privacy@ito.ms to request account deletion.
5.4 Social Media Disconnection
You can disconnect your Instagram or TikTok account at any time from the project Settings page. Disconnecting immediately deletes the stored OAuth tokens and removes the connection. You can also revoke access from within Instagram or TikTok's own settings.
5.5 Email Unsubscribe
Every email sent through itoms includes an unsubscribe link. Subscribers can opt out at any time.
6. Data Retention
- Active accounts — data is retained for as long as your account is active
- Deleted accounts — data is permanently deleted within 30 days of account deletion
- Social media tokens — deleted immediately when a connection is disconnected or when the account is deleted
- Server logs — automatically purged after 90 days
- Analytics data — aggregated and anonymized; raw events purged after 12 months
7. Cookies and Tracking
itoms uses minimal cookies. See our Cookie Policy for full details. We use Plausible Analytics, which is privacy-focused and does not use cookies or track individual users.
8. Children's Privacy
itoms is not intended for children under 16. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 16, we will delete it promptly.
9. International Data Transfers
Our infrastructure providers operate globally. By using itoms, you consent to your data being processed in the jurisdictions where our providers operate, all of which maintain appropriate data protection standards.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top reflects the most recent revision.
11. Contact Us
For privacy-related questions, data requests, or concerns:
- Email: privacy@ito.ms