Privacy Policy

1. Who we are

PolyReach is operated by the PolyReach team. For all privacy and support questions, contact us at contact@polyreach.app.

2. What data we collect

2.1 Account data (you provide)

• Email address and display name (used to authenticate you).
• Optional profile picture.
• Billing data handled by Stripe — we never see or store full card numbers.

2.2 Content data (you provide)

• Source videos, images, audio, subtitle files (.srt), captions, hashtags, brand context text and other media you upload or generate inside PolyReach.
• Translated subtitles and AI-generated voice-over audio derived from your content.
• Render output files in the languages you choose.

2.3 Social platform data (you authorize via OAuth)

When you connect a social account inside Settings → PolyReach Direct, we receive a small set of data from that platform — only the minimum needed to publish on your behalf and show your account in the UI:

• YouTube (Google account): channel ID, channel title, channel thumbnail, OAuth access & refresh tokens. Scopes used: youtube.upload (to upload videos) and youtube.readonly (to fetch your channel name/thumbnail for display). We do not read your subscriptions, watch history, comments, or analytics.
• TikTok: open_id (a TikTok-issued, non-personal identifier), display name, username, avatar URL, OAuth access & refresh tokens. Scopes used: user.info.basic, video.upload, video.publish. We do not read your follower list, DMs, or video history.
• Instagram (via Meta Graph API): Facebook user ID, the linked Instagram Business / Creator account ID, Instagram username and profile picture, the list of Facebook Pages you administer, OAuth long-lived access token (~60 days). Permissions used: instagram_basic, instagram_content_publish, pages_show_list, pages_read_engagement, business_management. We do not read DMs, comments, or insights beyond what is required to publish a post on your behalf.

Google API Limited Use: PolyReach’s use of information received from Google APIs (including YouTube Data API v3) adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties for advertising, do not use it for ad serving, do not allow humans to read it (except when needed for security, with your explicit consent, or for legal compliance), and do not use it for any purpose unrelated to the user-facing features described in this policy.

2.4 Usage and technical data (collected automatically)

• Log data: IP address (truncated for storage), browser user-agent, request timestamps, error stack traces.
• Product analytics: pages visited inside the app, feature usage counters, rendered-video counters (used for plan-limit enforcement).
• Cookies and local storage strictly necessary for authentication and language preference. We do not use third-party advertising cookies.

3. How we use the data

• To provide the Service: authenticate you, store your projects, render videos, and publish them to the social platforms you have connected.
• To translate and synthesize voice-over for the languages you select (using Google Gemini and Google Cloud Text-to-Speech).
• To enforce subscription plan limits and process payments via Stripe.
• To prevent abuse, detect fraud, and secure our infrastructure.
• To send transactional emails (account verification, billing receipts, render-completion notifications).
• To respond to your support requests.

We do not sell your personal data, do not use your content to train third-party AI models, and do not show third-party advertising inside the Service.

4. Legal bases (GDPR Art. 6)

• Performance of a contract — to deliver the Service you signed up for.
• Legitimate interests — to keep the Service secure and improve it (you can object at any time).
• Consent — for each social-platform connection, given via the OAuth consent screen of the respective platform. You can revoke it at any time.
• Legal obligation — to keep tax-relevant billing records.

5. Sharing with third parties (sub-processors)

We never sell your personal data and do not share it with third parties for advertising. To deliver the Service we rely on a small number of trusted infrastructure providers (for hosting, database, file storage, AI translation & voice synthesis, payment processing, and transactional email). Each sub-processor is bound by a Data Processing Agreement and only processes data on our documented instructions. When data is transferred outside the EU/EEA, we rely on EU Standard Contractual Clauses. The current list of sub-processors is available on request from contact@polyreach.app.

6. Data retention

• Account data: kept while your account is active. Deleted within 30 days after you delete the account.
• Content (uploads, renders): kept while your account is active or until you delete the project. Deleted on account closure.
• OAuth tokens for connected social accounts: kept until you click Disconnect in Settings, revoke access from the platform, or delete your account. Stored encrypted at rest using AES-256-GCM.
• Server logs: 30 days.
• Billing records: 7 years where required by tax law.

7. Your rights

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data (the “right to be forgotten”) — see our Data Deletion Instructions.
• Export your data in a portable format.
• Restrict or object to certain processing.
• Withdraw consent for any social-platform connection at any time.
• Lodge a complaint with your local Data Protection Authority.

To exercise any of these rights, email contact@polyreach.app. We respond within 30 days.

8. Security

• All traffic is encrypted in transit using TLS 1.2+.
• OAuth tokens for connected social accounts are encrypted at rest with AES-256-GCM. Encryption keys are stored separately from the database.
• Multi-tenant isolation: every query is scoped to your user ID; per-user storage buckets prevent cross-tenant access.
• OAuth flows use HMAC-SHA-256 signed state with a 10-minute TTL to prevent CSRF.
• We never log raw access tokens or full request bodies containing them.

9. Children

The Service is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact contact@polyreach.app and we will delete it.

10. Changes to this policy

We will post material changes to this page and update the “Last updated” date above. For significant changes that affect your rights, we will notify you by email at least 30 days before the change takes effect.

11. Contact

For any privacy or support question, email contact@polyreach.app.