Privacy Policy
Last updated: 2026-04-28
This Privacy Policy describes how Marszal-arts (the “Service”) collects, uses, stores, and deletes information when you link third-party accounts (Google, Instagram, TikTok) and use the Service.
1. Information We Collect
1.1 Account information
- Google profile (email, display name, profile picture) — used for authentication.
- Instagram Business: page ID, IG user ID, page-scoped access token.
- TikTok: open_id, display name, access token, refresh token, and token expiry, obtained via OAuth scopes user.info.basic, video.upload, and video.publish.
1.2 Content you provide
- Media files (images, videos) you upload to the queue.
- Captions, schedules, and metadata you attach to that media.
1.3 Operational data
- Publish history, error logs, and API quota counters.
- Audit log of admin and authentication events.
2. How We Use Your Information
- To authenticate you and maintain your session.
- To publish content you have explicitly queued to the platforms you have linked.
- To refresh OAuth tokens before they expire.
- To display analytics and publish history back to you.
- To diagnose errors and enforce rate limits.
We do not sell or share your data with advertisers, train AI models on it, or use it for any purpose unrelated to operating the Service.
3. TikTok Data Use Disclosure
Information obtained from TikTok (including access tokens and open_id) is used exclusively to:
- Identify your linked TikTok account.
- Upload and publish videos you have explicitly queued in the Service.
- Refresh tokens to keep your account linked.
TikTok data is never sold, transferred, or used for any purpose other than providing the publishing feature you initiated. Use of TikTok data is bound by the TikTok API Terms of Service and the TikTok Privacy Policy.
4. Storage & Security
- Data is stored in Supabase (Postgres) with row-level security enforced.
- OAuth access and refresh tokens are encrypted at rest.
- Media files are stored in Supabase Storage with signed-URL access only.
- Tokens are never logged or exposed to the browser.
- All transit is over HTTPS/TLS.
5. Retention
- Linked-account records persist until you unlink the account or request deletion.
- Published content metadata is retained for analytics history.
- Logs are retained for up to 90 days, then purged.
6. Your Rights & Data Deletion
You may at any time:
- Unlink Instagram or TikTok via Settings → Connected Accounts.
- Request a full export or deletion of your account and all associated data by emailing p.romanczuk@gmail.com.
Deletion requests are processed within 30 days. Deleting your TikTok or Instagram link revokes the corresponding tokens and removes them from our database.
7. Children's Privacy
The Service is not directed to anyone under 18 and does not knowingly collect data from minors.
8. Changes to This Policy
Changes will be reflected by updating the “Last updated” date above.
9. Contact
Privacy questions or deletion requests: p.romanczuk@gmail.com