Privacy Policy

1. Introduction

SoCoAI ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our AI-powered social media management platform.

Data Controller: SoCoAI is the data controller responsible for your personal information.

2. Information We Collect

2.1. Information You Provide

• Account Information: Name, email address, password (encrypted), profile photo
• Payment Information: Billing address, payment method (processed by Stripe/PayPal, not stored by us)
• Social Media Connections: OAuth tokens, usernames, linked account data
• User Content: AI profiles, comment responses, settings, preferences
• Communications: Support tickets, feedback, correspondence

2.2. Information Collected Automatically

• Usage Data: Pages viewed, features used, time spent, clicks, navigation paths
• Device Information: IP address, browser type/version, operating system, device identifiers
• Cookies & Tracking: See our Cookie Policy
• Log Data: Access times, error logs, API calls

2.3. Information from Third Parties

• Social Media Platforms: Comments, engagement data, basic profile information (via YouTube API, Instagram Graph API, etc.)
• Authentication Providers: Google OAuth, social login services
• Payment Processors: Transaction confirmations, payment status

3. How We Use Your Information

We use your personal information for the following purposes:

3.1. Service Provision

• Create and manage your account
• Authenticate and authorize access
• Connect and manage social media accounts
• Generate AI-powered comment responses
• Provide platform features and functionality
• Process payments and manage subscriptions

3.2. Communication

• Send service announcements and updates
• Provide customer support
• Respond to inquiries and requests
• Send marketing communications (with your consent)
• Notify you of security issues

3.3. Improvement and Analytics

• Analyze platform usage and performance
• Develop new features and improvements
• Train and improve AI models (using aggregated, anonymized data)
• Conduct research and testing
• Generate statistical insights

3.4. Security and Legal

• Detect and prevent fraud, abuse, and security threats
• Enforce our Terms of Service
• Comply with legal obligations
• Protect rights, property, and safety
• Resolve disputes

4. Legal Bases for Processing (GDPR)

Under GDPR, we process your data based on:

• Contract: Processing necessary to provide our services to you
• Consent: You have given explicit consent (e.g., marketing emails)
• Legitimate Interests: Our business interests that do not override your rights (e.g., fraud prevention, analytics)
• Legal Obligation: Required by law (e.g., tax records, legal requests)

5. Sharing Your Information

We share your information only in the following circumstances:

5.1. Service Providers

• Cloud Hosting: AWS, Vercel, Coolify
• Database: MongoDB Atlas
• Payment Processing: Stripe, PayPal, CoinGate
• AI Services: OpenAI API
• Authentication: Google OAuth
• Email Services: SendGrid, Resend
• Analytics: Vercel Analytics

All service providers are contractually obligated to protect your data and use it only for specified purposes.

5.2. Social Media Platforms

When you connect social media accounts, we share data with those platforms as necessary to provide services, subject to their respective privacy policies and API terms.

5.3. Legal Requirements

We may disclose your information if required by:

• Law, regulation, or legal process
• Court order or subpoena
• Government or regulatory authority request
• Protecting rights, safety, or property
• Investigating fraud or security issues

5.4. Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.5. With Your Consent

We may share information for other purposes with your explicit consent.

We do NOT:

• Sell your personal information
• Share data with third-party advertisers
• Use your data for purposes unrelated to our services without consent

6. Data Security

We implement comprehensive security measures:

6.1. Technical Measures

• Encryption: TLS/SSL for data in transit, AES-256 for data at rest
• Authentication: Bcrypt password hashing, 2FA support
• Access Control: Role-based permissions, least privilege principle
• Network Security: Firewalls, DDoS protection, intrusion detection
• Regular Audits: Security assessments and penetration testing

6.2. Organizational Measures

• Limited employee access to personal data
• Confidentiality agreements with staff
• Security training programs
• Incident response procedures
• Regular backups and disaster recovery plans

Note: While we strive to protect your information, no system is 100% secure. Use strong passwords and enable 2FA for additional protection.

7. Data Retention

We retain personal information for as long as necessary:

• Active Accounts: While your account remains active
• Closed Accounts: 90 days after account closure (unless legal retention required)
• Backups: Deleted data removed from backups within 30 days
• Legal Requirements: As required by law (e.g., tax records for 7 years)
• Logs: Security and analytics logs for 12 months
• Marketing Data: Until you unsubscribe or withdraw consent

After retention periods expire, data is securely deleted or anonymized.

8. Your Rights

You have the following rights regarding your personal information:

8.1. GDPR Rights (EU/EEA)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure ("Right to be Forgotten"): Request deletion of your data
• Restriction: Limit how we use your data
• Data Portability: Receive your data in a machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent for processing
• Automated Decisions: Request human review of automated decisions

8.2. CCPA Rights (California)

• Know: Request information about data collection and use
• Delete: Request deletion of personal information
• Opt-Out: Opt-out of sale (we don't sell data)
• Non-Discrimination: Equal service regardless of privacy choices

8.3. How to Exercise Rights

To exercise your rights:

• Email: privacy@socoai.com
• Account Settings: Manage preferences directly in the platform
• Response Time: Within 30 days (GDPR) or 45 days (CCPA)

We may request identity verification before processing requests.

9. International Data Transfers

Your information may be transferred to and processed in countries outside your residence, including the United States and European Union. We ensure adequate protection through:

• Standard Contractual Clauses (EU-approved)
• Data Processing Agreements with service providers
• Adherence to Privacy Shield principles (where applicable)
• Compliance with local data protection laws

10. Children's Privacy

Our Service is not intended for users under 18 years old. We do not knowingly collect information from children. If we discover that we have collected data from a child, we will delete it immediately. Parents who believe we may have collected information from a child should contact us at privacy@socoai.com.

11. Cookies and Tracking

We use cookies and similar technologies for functionality, analytics, and preferences. For detailed information, please see our Cookie Policy.

You can manage cookie preferences through your browser settings or our cookie consent tool.

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email notification (at least 30 days before effective date)
• Prominent notice on our website
• In-app notification

Continued use of the Service after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

14. Contact Us

For privacy-related questions, requests, or concerns:

15. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:

• EU: Your local Data Protection Authority
• Turkey: Personal Data Protection Authority (KVKK)
• California: California Attorney General