Privacy Policy
Plain-language summary. StreamX is a desktop application. Your social accounts, content, audience data, and AI inference all run on your computer. We never receive a copy of your social media data. The platform we operate handles only authentication, license validation, and product announcements.
Contents
- 1. Scope
- 2. Information We Collect
- 3. OAuth Authorization Handoff
- 4. Information We Do Not Collect
- 5. How We Use Information
- 6. Sharing & Disclosure
- 7. Data Retention
- 8. Data Deletion
- 9. Your Rights (GDPR / CCPA)
- 10. Security
- 11. International Transfers
- 12. Children
- 13. Changes to This Policy
- 14. Contact
1. Scope
This Privacy Policy describes how StreamX ("we", "us") collects, uses, and discloses information when you visit our website, create an account, download our desktop application, connect supported social platforms, or interact with our customer support.
This policy does not cover the privacy practices of the third-party social media platforms you connect through our software (Facebook, Instagram, X, YouTube, TikTok, LinkedIn). Your use of those platforms is governed by their own privacy policies.
2. Information We Collect
2.1 Account Information
When you register an account, we collect: email address, hashed password, display name, and an optional profile photo. This information lives in our authentication database.
2.2 Subscription & Billing Information
When you subscribe to a paid plan, our payment processor collects payment details. We receive only a transaction reference, the plan tier, and the subscription status. We never store credit card numbers.
2.3 License & Telemetry
The desktop application periodically contacts our license service to validate your subscription. Each request includes:
- An anonymous machine identifier (a hashed value generated on first run)
- Your account ID
- The product version and operating system version
- A timestamp
It does not include any social media account data, post content, comments, or messages.
2.4 Device Registration
When you activate a license, the desktop application registers a device identifier (machine fingerprint) with our platform. This is used solely to enforce your subscription's device limit. No social media data is transmitted during this process.
2.5 OAuth Session Metadata
When you connect a third-party social platform, we process short-lived OAuth session metadata such as platform name, requested scopes, state, callback status, plugin version, and source IP. This metadata is used to complete the authorization flow and prevent cross-site request forgery.
2.6 Customer Support Communications
If you email us or submit a contact form, we keep a record of the conversation, including your email address, message contents, and any attachments.
2.7 Website Analytics
We use Google Analytics 4 and Microsoft Clarity to understand how visitors use our website. These tools may set cookies that record browsing patterns, IP addresses, and device information. You can opt out via the cookie banner.
3. OAuth Authorization Handoff
Some social platforms require a public server callback during OAuth authorization. In that flow, our platform API receives the callback, exchanges the authorization code, encrypts the resulting token payload, and makes it available to the original desktop app session.
The token payload is intended as a one-time handoff to the desktop app. After the desktop app retrieves it, the server-side handoff record is marked consumed and the encrypted token payload is cleared. Long-term connected-account tokens are stored in the desktop app's local encrypted credential vault.
4. Information We Do Not Collect
To make our privacy promise concrete, we explicitly do not collect:
- Long-term OAuth tokens for your social accounts (we do not store them on our servers)
- The text, images, or video of posts you create, schedule, or publish
- Comments, replies, or direct messages from your social audience
- Audience demographics, follower lists, or engagement records
- AI prompts, suggested replies, or any AI inference output (all AI runs locally)
- Local file paths on your machine
5. How We Use Information
- Provide the service: authenticate your login, validate your license, enforce your device limits, deliver product announcements.
- Billing: charge your subscription via the payment processor.
- Support: respond to your inquiries.
- Improve the product: analyze website traffic to improve content; we do not analyze in-app behavior because we never see in-app data.
- Legal compliance: comply with applicable laws and respond to lawful requests.
6. Sharing & Disclosure
We share information only with:
- Payment processor — to handle your subscription payments.
- Email delivery service — to send transactional and notification emails.
- Cloud hosting provider — where our authentication and license services run.
- Law enforcement — only when legally compelled and only to the minimum extent required.
We never sell your personal information.
7. Data Retention
- Account data: kept while your account is active. Deleted within 30 days of account closure.
- Billing records: kept for 7 years to comply with tax law.
- License & device logs: kept for 90 days, then aggregated into monthly statistics.
- OAuth handoff records: pending sessions expire quickly; for consumed sessions, the encrypted token payload is cleared after pickup.
- Support emails: kept for 2 years.
- Website analytics: anonymized after 14 months.
8. Data Deletion
See our Data Deletion page for instructions to remove local desktop data, revoke platform access, and request deletion of server-side account records.
9. Your Rights (GDPR / CCPA)
Depending on your location you may have the right to:
- Access the information we hold about you
- Correct inaccurate information
- Delete your information ("right to be forgotten")
- Restrict or object to processing
- Portability — receive a machine-readable copy of your data
- Withdraw consent for analytics / marketing at any time
To exercise any of these rights, email privacy@example.com. We respond within 30 days.
10. Security
We use industry-standard measures: TLS 1.3 in transit, AES-256 at rest, an encrypted credential vault for any sensitive secrets, regular security audits, and least-privilege access controls. Because we do not collect your social media data in the first place, the most sensitive information you produce while using StreamX is never exposed to a server-side breach.
11. International Transfers
Our servers may be located in jurisdictions other than your own. Where data is transferred internationally, we rely on standard contractual clauses or equivalent safeguards approved by the relevant data protection authority.
12. Children
StreamX is not directed to anyone under 16. We do not knowingly collect personal information from children. If you believe we have, please contact us and we will delete it.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email and announced in the desktop application. The "Last Updated" date at the top of this page reflects the latest revision.
14. Contact
Privacy inquiries: privacy@example.com
Data Protection Officer: dpo@example.com
Postal mail: (company address to be filled in)