Template notice: This document was drafted to match the actual behavior of the OneBridge Social product but has not been reviewed by a lawyer. Before handling data of real customers, especially in jurisdictions with data protection laws (GDPR, CCPA, DPDP, etc.), have qualified legal counsel review and adapt this document.
Privacy Policy
Last updated: July 12, 2026
1. What we collect
The OneBridge Social Service collects only what is necessary to operate:
- Account data — email, name, avatar URL, Google ID if you use Google sign-in.
- Content you create — post captions, scheduled dates, uploaded images and videos.
- Connected social accounts — OAuth access tokens (encrypted), handle, display name, avatar URL for each platform you connect.
- Platform response data — external post IDs, publish timestamps, error messages returned by third-party platforms.
- Consent and preference data — timestamps for Terms and Privacy acceptance, marketing opt-in preference, policy version acknowledged.
- Operational data — API request logs, error traces (may include IP address for abuse prevention, retained ≤ 30 days).
2. What we do NOT collect
- We do not access your social media contacts, direct messages, or personal timelines beyond what is needed to publish your content.
- We do not sell your data to advertisers or data brokers.
- We do not use your uploaded media to train AI models.
- We do not track you across the web (no third-party ad pixels or cross-site tracking).
3. How we use your data
- Deliver the Service: authenticate you, store your content, publish on your behalf to connected platforms.
- Send transactional emails (sign-in codes, scheduled-post notifications, account alerts).
- If you opt in: send occasional product updates and marketing emails. You can opt out anytime from Settings or via the unsubscribe link in any marketing email.
- Monitor for abuse, fraud, and security incidents.
- Comply with legal obligations (e.g., responding to lawful court orders).
4. How we protect your data
- OAuth access tokens are encrypted at rest using AES-256-GCM before storage.
- Passwords are never stored — we authenticate via email OTP or Google OAuth.
- Communication with third-party platforms uses HTTPS/TLS.
- Database access is restricted to production systems and audited.
5. Third parties we share with
The Service uses a small set of subprocessors and only to the extent necessary:
- Social platforms (LinkedIn, X, Pinterest, Meta, Google) — content you explicitly publish is transmitted to whichever platforms you targeted.
- OAuth providers (Google, LinkedIn, X, Meta) — when you use social sign-in or connect an account.
- Email delivery — for transactional and (opt-in) marketing email.
- Cloud infrastructure — hosting, database, object storage providers used to run the Service.
- Error monitoring (e.g., Sentry) — anonymized error traces to help us fix bugs.
We do not share your data with advertisers, data brokers, or resellers.
6. Data retention
- Media assets — auto-delete 30 days from upload (see Terms §5).
- Posts and post history — retained while your account is active.
- Connected account tokens — kept while active; deleted immediately when you disconnect or delete your account.
- Operational logs — up to 30 days.
- Account data — retained until you delete your account, then purged within 30 days (some data may be retained longer to comply with legal obligations).
7. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, object to certain processing, or restrict our use of it. To exercise these rights:
- Access and export: download your posts, media list, and profile from Settings.
- Delete: use the "Delete account" action in Settings (removes all your data within 30 days).
- Correct: update your profile in Settings, or email us for anything not editable in the UI.
- Opt out of marketing: toggle in Settings or use the unsubscribe link in any marketing email.
8. Cookies
We use a small number of essential cookies for authentication (sign-in session). We do not use advertising cookies, third-party tracking pixels, or cross-site tracking.
9. International data transfers
The Service is operated from the region indicated on our infrastructure page. When you use the Service, your data may be processed outside your country. We rely on standard contractual protections (SCCs where required) to transfer data internationally.
10. Children
The Service is not directed to children under 16. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
When we materially change this policy, we bump the version identifier and require you to re-acknowledge it on next sign-in. Minor edits (typo fixes, clarifications) may not trigger a re-consent prompt.
12. Contact
Privacy questions or requests? Email support@onebridgesocial.com
By clicking "I acknowledge the Privacy Policy" during onboarding, you confirm you have read this document and understand how we handle your data.