Privacy Policy

1. Definitions

We use terms as defined in Article 4 of the General Data Protection Regulation (GDPR), such as "Personal Data", "Processing", "Controller", and "Data Subject". We also comply with the California Consumer Privacy Act (CCPA/CPRA) and other applicable data protection laws. These terms apply regardless of whether the data is processed by automated means.

2. Data We Collect

We may collect the following categories of personal data:

• Account Information: Name, email address, phone number, location (if provided)
• Usage Data: IP address, browser type, device information, operating system, timestamps, login activity, pages visited
• Communication Data: Messages exchanged on our platform, support requests, feedback submissions
• Transaction Data: Payment confirmations, escrow activity logs, deal timelines (we do not store full card numbers)
• Listing Data: Details of social media accounts listed, descriptions, sales history, and media links

2.1 Instagram / Meta Platform Data

If you connect your Instagram account through Instagram Business Login, we may receive:

• Instagram User ID and username
• Profile picture URL
• Account type (Business, Creator, or Personal)
• Follower count, media count, and biography
• Business insights (impressions, reach, profile views) if you have a Business or Creator account
• Audience demographics (age, gender, country breakdown) if available
• OAuth access tokens required to perform actions you authorize

Data is accessed via the Instagram Graph API (currently v24.0) using scopes you explicitly authorize. We use the Meta Business Tools (OAuth login) to authenticate your account. For more information, see Instagram's Privacy Policy.

2.2 TikTok Data

If you connect your TikTok account through TikTok Login Kit, we may receive:

• TikTok Open ID and username
• Display name and avatar URL
• Follower count, following count, likes count, and video count
• Bio/description and verification status
• Video list with performance metrics (views, likes, comments, shares)
• OAuth access and refresh tokens

Data is accessed via the TikTok API v2 using scopes you explicitly authorize (user.info.basic, user.info.stats, video.list). ThemePages uses TikTok's third-party Login Kit for authentication. For more information, see TikTok's Privacy Policy.

2.3 YouTube / Google Data

If you connect your YouTube channel through Google OAuth 2.0, we may receive:

• YouTube Channel ID and channel title
• Custom URL, thumbnail/profile picture URL
• Subscriber count, video count, and total view count
• Channel description and country
• Channel analytics (views, watch time, subscriber changes) via the YouTube Analytics API
• Viewer demographics (age, gender, geography) if available
• OAuth access and refresh tokens

ThemePages's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. For more information, see Google's Privacy Policy.

2.4 X (formerly Twitter) Data

If you connect your X account through X OAuth 2.0 (PKCE), we may receive:

• X User ID and username
• Display name, profile image URL, and description
• Public metrics: follower count, following count, tweet count, listed count
• Verification status
• Recent tweets with engagement metrics (for analytics purposes)
• OAuth access and refresh tokens

Data is accessed via the X API v2 using scopes you explicitly authorize (tweet.read, users.read, offline.access). For more information, see X's Privacy Policy.

2.5 What We Do NOT Collect

Across all platform integrations, we do not collect:

• Passwords or login credentials for any social media platform
• Private/direct messages
• Financial information from social media accounts
• Contact lists or address books
• Sensitive personal data (racial/ethnic origin, political opinions, religious beliefs, health data, sexual orientation)

3. How We Use Your Data

We process your data for the following purposes:

1. To provide and operate the ThemePages.ai platform and its core functionality
2. To verify and authenticate your social media accounts (Instagram, TikTok, YouTube, X)
3. To display your social media profile information and analytics within your ThemePages dashboard
4. To enable marketplace features such as creator listings, campaigns, and collaborations
5. To process transactions, including escrow services and buyer/seller interactions
6. To provide customer support and respond to inquiries
7. To comply with legal obligations and detect fraud or abuse
8. To improve and personalize our services

We do NOT:

• Sell, rent, or trade your personal data or social media data to any third party
• Use your data for advertising or profiling purposes unrelated to our platform
• Use Google user data to develop, improve, or train generalized AI and/or machine learning models
• Use social media data for surveillance, intelligence gathering, or monitoring of individuals
• Use data to determine eligibility for housing, employment, insurance, credit, or similar decisions

4. Legal Basis for Processing

We rely on the following legal bases under GDPR:

• Consent (Art. 6(1)(a) GDPR): When you connect your social media accounts, you explicitly consent to the data access described during the OAuth authorization flow
• Contractual necessity (Art. 6(1)(b) GDPR): Processing necessary to provide our platform services to you
• Legal obligations (Art. 6(1)(c) GDPR): Where we are required to process data by law
• Legitimate interests (Art. 6(1)(f) GDPR): For platform optimization, security, and fraud prevention, balanced against your rights

5. Data Retention

We retain your personal data only as long as necessary to:

• Provide the services you have requested
• Fulfill contractual obligations
• Meet legal and regulatory requirements
• Resolve disputes and enforce agreements

Specific retention periods:

• Social media access tokens: Stored only as long as your account is connected. Tokens are deleted immediately when you disconnect an account or revoke access.
• Social media profile data: Updated periodically while connected, deleted upon account disconnection or deletion request.
• Analytics snapshots: Retained for up to 12 months for historical tracking, then automatically purged.
• Account data: Retained for the duration of your account. Inactive accounts may be archived or deleted after 12 months of inactivity.
• Transaction records: Retained for up to 7 years as required by financial regulations.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

• All data is transmitted using HTTPS/TLS encryption
• Access tokens are stored encrypted at rest in our database
• Access to personal data is restricted to authorized personnel only
• We use industry-standard authentication (OAuth 2.0, PKCE) for all social media integrations
• Regular security audits and monitoring of our infrastructure

7. Disclosure to Third Parties

We may share your data only as necessary with:

• Social media platforms: Instagram/Meta, TikTok, Google/YouTube, and X, as required for OAuth authentication and API functionality
• Payment processors: Stripe and other integrated payment gateways, for transaction processing
• Hosting and infrastructure providers: Vercel, Supabase, and similar services for platform operation
• Analytics services: For aggregated, anonymized usage analytics to improve our service
• Legal authorities: If required by law, court order, or to protect the rights and safety of our users

We do not sell or trade your personal data. We do not share your social media data with any third party for their marketing purposes.

8. International Data Transfers

Your data may be processed outside your country of residence, including in the United States and other countries where our service providers operate. In such cases, we ensure appropriate safeguards are in place, including standard contractual clauses (SCCs) as approved by the European Commission under GDPR.

9. Your Rights

Under GDPR, CCPA, and other applicable laws, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request permanent deletion of your personal data
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
• Right to Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights
• Right to Lodge a Complaint: File a complaint with a supervisory data protection authority

To exercise any of these rights, contact us at: privacy@themepages.ai

We will respond to your request within 30 days (or within the timeframe required by applicable law).

§9.1 – Default Notification Preferences

When you create an account on ThemePages.ai, certain notification preferences are enabled by default to ensure you receive important updates about your activity on the platform.

These include, but are not limited to:

• Transactional notifications (e.g., booking confirmations, payout alerts, campaign delivery updates) — sent under our legitimate interest in fulfilling our contractual obligations to you (Art. 6(1)(b) GDPR).
• Service-related notifications (e.g., new campaigns, new messages, reviews) — sent under our legitimate interest in providing a functional and useful service (Art. 6(1)(f) GDPR).
• Promotional notifications (e.g., special offers, limited-time deals) — sent based on your consent, which you grant by keeping these notifications enabled in your settings.

You can change any of these preferences at any time by navigating to Profile → Account Settings → Notifications. Each notification category can be individually enabled or disabled. Changes take effect immediately.

For promotional communications, disabling the relevant toggle constitutes withdrawal of consent. You may also unsubscribe via the link provided in any promotional email.

10. Data Deletion

You can request deletion of your data in any of the following ways:

10.1 General Data Deletion

Email privacy@themepages.ai with the subject "Data Deletion Request" and we will delete all personal data associated with your account within 30 days.

10.2 Instagram / Meta Data Deletion

• Use our automated deletion endpoint: themepages.ai/instagram-data-deletion
• Or remove ThemePages via Meta Accounts Center: Settings → Accounts → Apps & Websites → ThemePages.ai → Remove

10.3 TikTok Data Deletion

• Email privacy@themepages.ai to request deletion of your TikTok data
• Or revoke access via TikTok: Settings → Security → Manage app permissions → ThemePages → Revoke

10.4 YouTube / Google Data Deletion

• Email privacy@themepages.ai to request deletion of your YouTube data
• Or revoke access via Google: Google Account → Security → Third-party apps → ThemePages → Remove Access

10.5 X (Twitter) Data Deletion

• Email privacy@themepages.ai to request deletion of your X data
• Or revoke access via X: Settings → Security and account access → Apps and sessions → Connected apps → ThemePages → Revoke

Upon deletion or revocation of access:

• All stored social media data is permanently removed from our systems
• All OAuth tokens are invalidated and deleted
• Your social media account is disconnected from ThemePages
• Analytics snapshots associated with your account are purged

11. Cookies and Tracking

We may use cookies and similar technologies to improve functionality and analyze platform usage. Specifically:

• Essential cookies: Required for authentication and core platform functionality
• Analytics cookies: Help us understand how you use our platform to improve our services

You can control cookie preferences via your browser settings or our Cookie Policy.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: You may request deletion of your personal information
• Right to Opt-Out of Sale: We do not sell your personal information. We have not sold personal information in the preceding 12 months.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, email privacy@themepages.ai.

13. Children's Privacy

ThemePages.ai is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete such information promptly.

14. AI, Bots & Automated Processing

Some features of our platform may involve automated systems, including niche detection and analytics calculations. These processes are designed for efficiency and transparency. No automated processing on our platform makes legally binding decisions about you without human oversight.

15. Platform-Specific Compliance

Our use of social media platform APIs is governed by each platform's developer terms:

• Meta/Instagram: We comply with the Meta Platform Terms and Developer Policies
• TikTok: We comply with the TikTok Developer Terms of Service
• Google/YouTube: We comply with the YouTube API Services Terms of Service and the Google API Services User Data Policy
• X (Twitter): We comply with the X Developer Agreement and Policy

16. Updates to This Policy

We may revise this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email or an in-app notification. The "Last updated" date at the top of this page will be revised accordingly. Continued use of our services after changes implies acceptance of the updated policy.

17. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data:

• Privacy inquiries: privacy@themepages.ai
• General support: support@themepages.ai
• Website: www.themepages.ai

We respond within 48 hours.