Legal

Privacy Policy

Last updated: May 25, 2026

Tinilink Scheduler is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the scheduler.tinilink.click platform.

1. Information We Collect

1.1 Data You Provide Directly

  • Account information: full name, email address, password (stored as a hash)
  • Profile information: profile photo, time zone, language preferences
  • Content you create: captions, post schedules, post templates
  • Media you upload: photos and videos for social media content
  • Payment information: processed directly by our payment provider (we do not store credit card data)

1.2 Data from Third-Party Social Media Platforms

  • OAuth access tokens (encrypted with AES-256-GCM) for platforms you connect
  • Social media account profile information: name, username, profile photo, account ID
  • Content analytics data: likes, comments, shares, views (only for connected accounts)
  • Webhook events: incoming comments for the auto-reply and auto-DM features

1.3 Automatically Collected Data

  • Usage data: pages visited, features used, session duration
  • Technical data: IP address, browser type, operating system, browser language
  • Cookies and similar technologies (see Section 9)
  • Error and performance logs for debugging purposes

2. How We Use Your Data

PurposeData UsedLegal Basis
Providing and operating the serviceAll account and content dataContract performance
Publishing content to social platformsAccess tokens, content, mediaContract performance
Sending service notificationsEmail, notification preferencesContract performance
Improving and developing the platformAnonymous usage dataLegitimate interests
Preventing fraud and abuseActivity logs, IP addressLegitimate interests
Processing paymentsBilling data (via payment provider)Contract performance
Complying with legal obligationsRelevant dataLegal obligation

3. Data Storage and Security

Your data security is our top priority. Security measures we employ:

  • AES-256-GCM encryption for all social media access tokens — tokens are never stored in plaintext
  • Mandatory HTTPS (TLS 1.2+) for all communication between browser and server
  • Row Level Security (RLS) in the PostgreSQL database — each user can only access their own data
  • JWT-based authentication via Supabase Auth
  • HMAC-SHA256 verification for all incoming webhooks from social media platforms
  • Employee access restrictions: only necessary personnel can access production data
  • Audit logs for all sensitive operations

Your data is stored on servers located in regions selected by our infrastructure provider (Supabase). We choose providers with relevant security certifications.

4. Sharing Data with Third Parties

We do not sell your personal data. We only share data in the following situations:

  • Social media platforms: content data is sent to platforms (Facebook, Instagram, etc.) on your explicit instruction
  • Infrastructure providers: Supabase (database & auth), Cloudflare (CDN & security), Vercel/Railway (hosting)
  • Payment providers: Stripe or similar (only the necessary billing data)
  • Email providers: Resend or SendGrid for sending notification emails
  • Law enforcement: if required by court order or applicable law

All third-party service providers we use are bound by data processing agreements that require them to protect your information.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:

  • Account and profile data: while the account is active, plus 30 days after account closure
  • Post content and schedules: while the account is active, plus 30 days
  • Uploaded media: deleted immediately when you remove it, or 30 days after account closure
  • Automation logs (auto-reply/DM): automatically deleted after 90 days
  • Server and audit logs: retained for a maximum of 12 months for security purposes
  • Billing data: retained as required by law (generally 5-7 years)

6. Your Rights

You have the following rights regarding your personal data:

  • Right of Access: request a copy of the personal data we hold about you
  • Right to Rectification: update or correct inaccurate data via your account settings
  • Right to Erasure: request deletion of your data (subject to legal obligations)
  • Right to Restriction: restrict how we process your data under certain conditions
  • Right to Portability: receive your data in a machine-readable format
  • Right to Object: object to processing based on our legitimate interests
  • Right to Withdraw Consent: withdraw consent at any time for consent-based processing

To exercise these rights, contact us at hello@tinilink.click. We will respond within 30 business days.

You can also delete all your data directly via Settings → Account → Delete Account in the dashboard.

7. International Data Transfers

Your data may be stored or processed in a country other than your own. We ensure that such transfers are protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs) for transfers outside the European Union.

8. Children's Privacy

Our service is not directed at children under the age of 13 (or the higher age limit required by local law). We do not knowingly collect personal data from children.

If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete that data.

9. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential cookies: maintaining your login session and enabling core platform functions
  • Preference cookies: remembering your settings and preferences
  • Analytics cookies: understanding how users use the platform (anonymous data)

We do not use third-party advertising cookies or track you across other websites.

You can control cookies through your browser settings. However, disabling essential cookies will affect platform functionality.

10. Email Notifications

We send important service-related emails (security notifications, service updates, transaction confirmations). You cannot unsubscribe from these as they are transactional in nature.

For marketing emails or newsletters (if offered in the future), you can unsubscribe at any time via the unsubscribe link in the email or through your account settings.

11. Social Media Token Security

We understand the sensitivity of your social media access tokens. Our security guarantees:

  • Tokens are stored encrypted using AES-256-GCM with keys stored in environment variables separate from the database
  • Tokens are never sent to the frontend or browser
  • Refresh tokens are automatically renewed before expiry
  • You can revoke our access at any time by disconnecting an account in settings
  • Revoking access permanently deletes the token from our database

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or via a notification on the platform at least 14 days before the change takes effect.

We encourage you to review this policy periodically. The “Last updated” date at the top of this page reflects the most recent version.

13. Contact Us

For questions, requests, or complaints regarding your data privacy, contact us:

  • Email: hello@tinilink.click
  • Email subject: [PRIVACY] followed by your question
  • Website: scheduler.tinilink.click
  • Response time: up to 30 business days

If you feel we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.