uptoma

Privacy Policy

Last updated: February 2026

1. Introduction

Uptoma Inc. (“we”, “us”) operates the Uptoma platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

2. Information We Collect

Account Information: Email address, name, and password hash when you register.

Social Media Tokens: OAuth access tokens and refresh tokens for each social media platform you connect. These tokens allow Toma to post on your behalf.

Content: Text, images, and video files you upload for posting. We process and temporarily store this content to deliver it to your selected platforms.

Usage Data: Pages visited, features used, post counts, and error logs to improve the Service.

Billing Information: Payment details are processed by Stripe. We do not store credit card numbers on our servers.

3. How We Use Your Information

  • To publish content to your connected social media accounts
  • To convert video files to platform-specific formats
  • To schedule and queue posts at your requested times
  • To manage your subscription and billing
  • To send transactional emails (post confirmations, billing receipts)
  • To improve the Service and fix bugs

4. Social Media Tokens

We treat your OAuth tokens with the highest care. Tokens are encrypted at rest using AES-256 encryption. We only use tokens to perform actions you explicitly request (posting content). We never read your DMs, followers, or analytics unless you grant specific permission. You can revoke access to any platform at any time from your dashboard.

5. Data Storage & Security

Data is stored on encrypted PostgreSQL databases hosted in the United States. Media files are stored in S3-compatible object storage with server-side encryption. All data in transit is encrypted via TLS 1.3. We use industry-standard security practices including regular audits, access controls, and monitoring.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Uploaded media: Retained for the duration of your subscription. Processed video variants are deleted within 30 days of posting.
  • OAuth tokens: Deleted immediately when you disconnect a platform or delete your account.
  • Logs: Retained for 90 days for debugging purposes.

7. Third-Party Services

We integrate with the following third-party services:

  • Stripe: Payment processing
  • Social Media Platforms: Instagram, Facebook, TikTok, YouTube, LinkedIn, X/Twitter, Pinterest, Reddit, Threads, Bluesky — for posting content via their official APIs
  • AWS/Cloudflare: Infrastructure and file storage

Each third-party service has its own privacy policy. We encourage you to review them.

8. GDPR Compliance (EU/EEA Users)

If you are located in the European Economic Area, you have the following rights:

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your personal data
  • Right to Portability: Receive your data in a machine-readable format
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to processing based on legitimate interests

To exercise these rights, email [email protected]. We will respond within 30 days.

Legal Basis for Processing: We process your data based on (a) contractual necessity (to provide the Service), (b) your consent (connecting social accounts), and (c) legitimate interests (improving the Service, preventing fraud).

9. CCPA Compliance (California Users)

California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell your personal information to third parties.

10. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies. Analytics, if implemented, will use privacy-respecting, cookieless solutions.

11. Children's Privacy

Uptoma is not intended for users under 18. We do not knowingly collect data from minors.

12. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users via email within 72 hours and report to relevant authorities as required by law.

13. Changes to This Policy

We may update this Privacy Policy periodically. We'll notify you of material changes via email. The “last updated” date at the top reflects the latest revision.

14. Contact

For privacy inquiries: [email protected]

For general support: [email protected]


© 2025 Uptoma · Toma never sleeps.