Privacy Policy

Last updated: June 18, 2026

1. Introduction

The Social Tools ("we," "our," or "us") provides a rule-based automated comment moderation platform that ingests comments from connected social media accounts and applies user-defined workflow rules. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, platform, and related services (collectively, the "Service").

We are committed to protecting your privacy. If you have questions or concerns about this policy, please contact us at [email protected].

2. Definitions

"Personal Data" means any information relating to an identified or identifiable individual.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Content" means comments, messages, posts, and associated metadata ingested from your connected social media platforms.

"Connected Account" means a social media account you link to the Service via OAuth.

"Workflow" means the automated moderation rules you configure within the Service.

3. Information We Collect

3.1 Information You Provide to Us

Account Information: When you register, we collect your name, email address, and authentication credentials (managed by Clerk, our identity provider). If you subscribe to a paid plan, we collect billing information (managed by Stripe, our payment processor — we do not store full credit card numbers on our servers).

Social Media Connections: When you connect a social media account via OAuth, we receive access tokens and basic profile information (account name, profile image, user ID) from that platform. Access tokens are encrypted at rest using AES-256-GCM.

Workflow Configuration: The moderation rules, conditions, and actions you define, including keyword lists, sentiment thresholds, and automated response templates.

Team & Workspace Data: If you use team features, we collect team member email addresses, names, and role assignments for access management. Team invitations are sent to the email addresses you provide.

Support Communications: Information you share when contacting our support team, including email correspondence and support ticket content.

3.2 Information Ingested from Your Connected Platforms

The Service ingests comments and associated metadata from the social media platforms you connect. This includes:

  • Comment text and the username/display name of the comment author
  • Post content and metadata (post ID, URL, timestamp)
  • Engagement metrics (likes, replies, reaction counts where available)
  • Sentiment signals and language metadata

We ingest this data solely to apply your configured moderation workflows. We do not use your ingested comments for any purpose beyond providing the Service to you, and we do not sell or share this data with third parties for their own purposes.

3.3 Information Collected Automatically

Log Data: When you access the Service, our servers automatically record information including your IP address, browser type, referring/exit pages, timestamp, and requested resources.

Usage Data: We collect information about your interactions with the Service, such as pages visited, features used, and actions taken within the platform.

Device Information: We collect device type, operating system, and browser configuration to optimize the Service experience.

4. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for authentication, security, and core platform functionality. The Service cannot operate without these.
  • Preference Cookies: Remember your settings and preferences across sessions.
  • Analytics Cookies: Help us understand how you use the Service so we can improve it. We use privacy-focused analytics where possible.

We do not use advertising or marketing cookies on our platform. You can control cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To authenticate your account, connect to your social media platforms, ingest comments, evaluate workflow rules, and execute moderation actions (flag, allow, promote, reply, like) you have configured.
  • Analytics & Reporting: To provide you with moderation analytics, audit trails, sentiment trends, and platform breakdowns based on your ingested data.
  • Communication: To send service-related announcements, security alerts, billing notifications, and support responses. We may also send product updates and feature announcements (with opt-out available).
  • Product Improvement: To analyze aggregated, de-identified usage patterns to improve the Service, develop new features, and fix issues.
  • Security & Compliance: To detect and prevent fraud, abuse, and security incidents; to comply with legal obligations; and to enforce our Terms of Service.
  • AI Features (Optional): If you enable AI-powered reply suggestions, your comment data is processed by an AI provider to generate suggested responses. This processing occurs only when you activate the feature, and only for the comments you direct it to.
  • Push Notifications (Optional): If you enable web push notifications, we process subscription data to deliver real-time alerts.

6. Legal Bases for Processing (EEA & UK Users)

If you are located in the European Economic Area, Switzerland, or the United Kingdom, we process your Personal Data under the following legal bases:

  • Contractual Necessity: Processing required to provide the Service you have requested under our Terms of Service — including account management, comment ingestion, workflow execution, and billing.
  • Legitimate Interests: Processing for security monitoring, fraud prevention, product improvement (using aggregated, de-identified data), and communicating relevant product updates to existing customers. You may object to processing based on legitimate interests by contacting us.
  • Consent: Where you have given clear consent, such as for optional AI features or marketing communications. You may withdraw consent at any time.
  • Legal Obligation: Processing required to comply with applicable laws, regulations, or valid legal requests.

7. How We Share and Disclose Information

We share information only as described below and never sell Personal Data:

7.1 Service Providers (Subprocessors)

We engage the following categories of third-party service providers to operate the Service:

  • Authentication: Clerk — manages user identity, sign-in, and session management.
  • Payment Processing: Stripe — processes subscription payments and manages billing. We do not store full payment card details.
  • Infrastructure: Cloud hosting and database providers that host the Service.
  • AI Provider (Optional): If you enable AI-powered reply suggestions, comment data is processed by a third-party AI inference provider.
  • Analytics: Privacy-focused analytics services to understand platform usage.

All service providers are contractually bound to process data only on our instructions and are prohibited from using your data for their own purposes.

7.2 Social Media Platforms

At your direction, we interact with the APIs of Facebook, Instagram, TikTok, YouTube, Twitter/X, Reddit, and Discord to ingest comments and execute moderation actions on your behalf. Data transmitted to these platforms is governed by their respective privacy policies. We recommend reviewing the privacy policies and terms of each platform you connect.

7.3 Legal and Safety Disclosures

We may disclose information if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation or valid governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

7.4 Business Transfers

If The Social Tools is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

7.5 With Your Consent

We may share your information for other purposes with your explicit consent or at your direction.

8. Data Retention

We retain your Personal Data only as long as necessary to fulfill the purposes described in this policy, or as required by applicable law:

  • Account Data: Retained while your account is active. You may delete your account at any time.
  • Ingested Comments: Retained while your account is active and for up to 30 days after account deletion (soft-deletion window, during which data recovery is possible). After this period, comment data is permanently deleted.
  • Workflow Configurations: Retained while your account is active and deleted upon account deletion.
  • Audit Logs: Retained while your account is active and for a limited period after deletion as needed for security and compliance purposes.
  • Billing Records: Retained as required by tax and accounting laws.
  • Server Logs: Retained for a limited period for security and operational purposes, typically not exceeding 90 days.

When data is no longer needed, we securely delete or anonymize it. Data that has been anonymized or aggregated so that it can no longer identify you may be retained indefinitely for analytics and product improvement.

9. Data Security

We implement and maintain appropriate technical and organizational measures to protect your Personal Data:

  • All data in transit is encrypted using HTTPS/TLS.
  • Social media access tokens are encrypted at rest using AES-256-GCM with a unique master key.
  • Sensitive configuration values (API keys, secrets) are never logged or stored in plaintext.
  • We enforce least-privilege access controls for internal systems.
  • We maintain rate limiting to protect against abuse and denial-of-service attacks.
  • We regularly review our security practices and infrastructure.

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your Personal Data, we will notify you and relevant authorities as required by applicable law.

10. International Data Transfers

The Service is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. We ensure that such transfers are protected by appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
  • Data processing agreements with our service providers that include transfer safeguard provisions.
  • Assessments of the legal frameworks in destination countries.

By using the Service, you acknowledge that your information will be processed in the United States.

11. Your Data Protection Rights

Depending on your jurisdiction, you may have the following rights regarding your Personal Data:

  • Access: Request a copy of the Personal Data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete data.
  • Deletion: Request deletion of your Personal Data ("right to be forgotten").
  • Portability: Request your data in a structured, machine-readable format.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests or for direct marketing.
  • Withdraw Consent: Withdraw previously given consent at any time (does not affect the lawfulness of processing prior to withdrawal).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days and may need to verify your identity before processing your request. You will not be discriminated against for exercising your rights.

If you believe our processing of your data violates applicable law, you have the right to lodge a complaint with your local data protection authority.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides you with additional rights:

  • Right to Know: You may request information about the categories and specific pieces of Personal Data we have collected about you, the sources of that data, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your Personal Data, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate Personal Data.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

We do not sell Personal Data as defined under the CCPA, and we do not share Personal Data for cross-context behavioral advertising. We do not knowingly sell or share the Personal Data of consumers under 16 years of age.

To exercise your California privacy rights, contact us at [email protected]. You may designate an authorized agent to make a request on your behalf; we may require proof of authorization.

13. Children's Privacy

The Service is not intended for use by individuals under the age of 18, and we do not knowingly collect Personal Data from children under 13. If you believe a child under 13 has provided us with Personal Data, please contact us immediately at [email protected], and we will take steps to delete such information.

14. Automated Decision-Making

The Service performs automated processing of comments based on Workflow rules that you configure. You control the conditions (keywords, sentiment thresholds, platform, author criteria) and the resulting actions (flag, allow, promote, reply, like) through the Service interface. These automated decisions are made according to your instructions and are not used to make decisions about you.

If you enable AI-powered reply suggestions, the AI model generates suggested responses based on comment content. These are suggestions only — you review and approve every suggested reply before it is posted.

15. Marketing Communications

We may send you emails about product updates, new features, and relevant offers. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us. Please note that even if you opt out of marketing, we will continue to send you transactional and account-related communications (billing receipts, security notices, service announcements) necessary for the operation of your account.

16. Third-Party Links and Services

The Service integrates with and may contain links to third-party websites and services, including social media platforms, Clerk (authentication), and Stripe (payments). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of every third-party service you interact with:

  • Clerk Privacy Policy: clerk.com/legal/privacy
  • Stripe Privacy Policy: stripe.com/privacy

17. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) — for example, to comply with GDPR, UK GDPR, or other data protection laws where we act as a data processor — please contact us at [email protected]. We will provide a DPA that includes Standard Contractual Clauses where applicable.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email (to the address associated with your account) and/or by posting a prominent notice on the Service prior to the changes becoming effective. The "Last updated" date at the top of this page indicates the most recent revision. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

We will respond to all privacy-related inquiries within 30 days. If you have an unresolved privacy concern, you may also contact your local data protection authority.