1. Data Controller
AgentFabrica Technology Inc. ("AgentFabrica", "we") is the data controller for personal data processed via our service, in compliance with GDPR (EU), KVKK (Turkey), and applicable laws.
2. Personal Data Collected
- Identity: name, surname
- Contact: email, phone
- Account: username, password hash
- Payment: card data is processed by Stripe / PayTR; we do not store card data ourselves
- Social IDs: encrypted OAuth access tokens
- Brand profile data: logo, color, voice, audience, location
- Generation data: prompts and generated assets
- Technical: IP address, browser info, log records
3. Processing Purposes
- Service delivery, account management, billing
- Content generation (sending prompts to AI engines)
- Social media publishing (to user-authorized accounts)
- Customer support and communication
- Legal obligations (tax, invoicing)
- Service improvement and analytics (anonymous/aggregate)
4. Data Sharing
Your data may be shared with:
- Payment processors: PayTR (TR), Stripe (international)
- Cloud infrastructure: Supabase (Frankfurt EU), Vercel (Europe-West)
- AI providers: Prompts are forwarded to third-party AI engines during generation
- Email service: Resend / SendGrid for transactional notifications
- Social platforms: Only with user authorization (Meta, TikTok, LinkedIn, X)
4a. Connected Social Platforms — Data Processing Detail
When you connect your social media accounts inside AgentFabrica, we use each platform's official API via OAuth 2.0. Every authorization is consent-based and revocable at any time. We never sell your data or share it for marketing purposes with any third party.
TikTok Marketing API
- Data we read: advertiser info, campaign / ad group / ad performance metrics (impressions, clicks, spend, conversions), audience definitions, creative asset metadata, Pixel events, conversion events.
- Write permissions: only on the ad account explicitly authorized by the user — create and edit campaigns, ad groups, ads, and audiences.
- Purpose of processing: campaign launch from creative briefs, A/B test winner detection, ROAS-based budget optimization, unified client reporting.
- Retention: OAuth access and refresh tokens are stored encrypted with AES-256-GCM for the duration of the active account + 30 days after cancellation; campaign and reporting data is kept for 24 months.
- Revocation: When you remove "AgentFabrica" from TikTok Business Center → Settings → App Authorizations, your tokens are deleted from our systems within 72 hours.
- Brand asset compliance: TikTok logos and brand materials are used only within the AgentFabrica connection UI, in accordance with TikTok Brand Guidelines.
TikTok Login Kit & Content Posting API
- Scopes: user.info.basic (open_id, display_name, avatar, username), video.upload, video.publish.
- Data we read: only the public profile attributes of the connected TikTok account (open_id, display name, username, avatar URL). We do not read follower lists, direct messages, or private content.
- Video transfer: Videos scheduled inside AgentFabrica are transferred to TikTok's official Content Posting API endpoints (/v2/post/publish/inbox/video/init/ or /v2/post/publish/video/init/) with the user's consent. Video files are not retained long-term on AgentFabrica servers; they are only delivered to TikTok as a draft or as a direct post.
- Captions / titles: Caption text entered by the user is forwarded to TikTok as-is; AgentFabrica does not repurpose this text for any other use.
- Automation control: Each brand has an autoPublish flag controlled by the user; when disabled, videos are sent only after explicit approval.
- Revocation: When you revoke "AgentFabrica Content" from your TikTok settings or disconnect the account inside AgentFabrica, both access and refresh tokens are deleted within 72 hours; pending scheduled posts are auto-cancelled.
Meta (Facebook & Instagram), LinkedIn, X / Twitter
Same framework: read/write only within the user-authorized scope, with explicit consent. Tokens are encrypted at rest; revocation triggers deletion within 72 hours. Platform-specific policy details are available on request.
5. Retention Periods
- Account data: active account + 30 days after cancellation
- Billing records: 10 years (Tax Code)
- Generated assets: until user deletion
- Log records: 6 months
- Social platform OAuth tokens: until the user revokes authorization, then deleted within 72 hours
6. Your Rights (GDPR / KVKK)
- Right to access
- Right to rectification, erasure
- Right to restriction of processing
- Right to data portability
- Right to object to automated decision-making
- Right to withdraw consent
Requests: privacy@agentfabrica.com
7. Cookies
We use essential cookies (session, locale, security) and optional analytics cookies (PostHog). You can manage preferences in your account settings.
8. Security
AES-256-GCM encryption at rest, TLS 1.3 in transit, encrypted OAuth tokens, rate-limiting, and regular security audits. SOC 2 Type II certification is targeted for Q3 2026.
9. Changes
We notify users via email and panel for material changes. This policy is reviewed at least annually.