Privacy Policy

Last updated: 25 February 2026

1. Who We Are

Spellcast is a social media scheduling and management tool operated by Samantha Kellow (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Spellcast at spellcast.sammii.dev.

Contact: privacy@sammii.dev

2. Data We Collect

We collect the following categories of personal data:

  • Account data: your email address and name, used to create and authenticate your account.
  • Social account credentials: OAuth access tokens and refresh tokens for connected social media accounts (TikTok, Instagram, Facebook, X/Twitter, LinkedIn, Threads, Bluesky, Pinterest, YouTube). These tokens allow us to publish, schedule, and retrieve content on your behalf.
  • Social profile data: public profile information retrieved via platform APIs at connection time (display name, username, profile picture URL, account ID). We do not access private messages, follower lists, or any data beyond what is necessary for scheduling and publishing.
  • Content you create: posts, captions, images, and scheduling instructions you enter into Spellcast.
  • Usage data: log data such as IP address, browser type, and pages visited, retained for security and debugging purposes only.

3. How We Use Your Data

  • To authenticate you and maintain your session.
  • To schedule and publish content to your connected social media accounts at the times you specify.
  • To retrieve post analytics and engagement data from connected platforms where you have granted permission.
  • To send you system notifications related to your account (e.g. failed posts).
  • To improve the reliability and security of the service.

We do not use your data for advertising, profiling, or any purpose beyond operating the service. We do not sell your data to any third party.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, our legal basis for processing your personal data is:

  • Performance of a contract: processing your account data and OAuth tokens is necessary to provide the scheduling service you signed up for.
  • Legitimate interests: usage/log data is processed to protect the security and integrity of the service.
  • Consent: where you explicitly grant us permission to access specific platform data via OAuth, you may withdraw that consent at any time by disconnecting the account.

5. Third-Party Platforms

Spellcast integrates with social media platforms via their official APIs. When you connect an account, data is exchanged with that platform under their own privacy policies:

We request only the minimum OAuth scopes necessary to schedule and publish content. We do not access your direct messages, contacts, or follower/following lists unless explicitly required by a feature you have enabled.

6. TikTok Data Handling

Spellcast uses the TikTok Content Posting API to schedule and publish videos and posts to TikTok accounts you connect. In connection with this:

  • We request only the scopes necessary for content publishing (video.publish, video.upload).
  • TikTok access tokens are stored encrypted in our database and used solely to publish content on your behalf.
  • We do not access your TikTok followers, messages, comments, or any data beyond what is needed for publishing.
  • You can revoke TikTok access at any time by disconnecting your TikTok account in Spellcast settings, or directly in your TikTok app under Settings > Security > Manage App Permissions.
  • To request deletion of all TikTok-related data we hold, use our Data Deletion Request page or email privacy@sammii.dev. TikTok may also trigger automated deletion via our callback at https://api.spellcast.sammii.dev/api/data-deletion/callback?platform=tiktok.

7. Data Storage and Security

All data is stored on infrastructure hosted in the European Union (Hetzner, Germany). We take the following measures to protect your data:

  • All data in transit is encrypted via TLS/HTTPS.
  • OAuth tokens are stored encrypted at rest in a PostgreSQL database.
  • Access to production infrastructure is restricted to authorised personnel only.
  • We do not store social media passwords — only OAuth tokens issued by each platform.

8. Data Retention

  • Account data: retained for as long as your account is active. Deleted within 30 days of account closure upon request.
  • OAuth tokens: retained while the connected account is active. Deleted immediately upon disconnection.
  • Scheduled posts and content: retained until you delete them or close your account.
  • Log/usage data: retained for up to 90 days for security and debugging purposes.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: request deletion of your personal data (“right to be forgotten”).
  • Restriction: ask us to restrict processing of your data.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: disconnect any social account at any time to withdraw the OAuth consent you granted.

To exercise any of these rights, email privacy@sammii.dev. We will respond within 30 days.

10. Data Deletion Requests

To request deletion of all personal data associated with your Spellcast account, including all connected social account tokens:

  1. Visit our Data Deletion Request page and submit your email address. Social account access is revoked immediately and you will receive a confirmation code to track your request.
  2. Alternatively, email privacy@sammii.dev with the subject line “Data Deletion Request”.
  3. All personal data will be permanently deleted within 30 days.
  4. You can check the status of your request at any time using your confirmation code at spellcast.sammii.dev/data-deletion.

11. Cookies

Spellcast uses a single session cookie to keep you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required as we only use cookies that are strictly necessary for the service to function.

12. Children's Privacy

Spellcast is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or an in-app notice at least 14 days before the changes take effect. Continued use of Spellcast after that date constitutes acceptance of the updated policy.

14. Contact

For any privacy-related questions, data requests, or concerns:

Samantha Kellow

Email: privacy@sammii.dev