Privacy Policy

1. Introduction

ArtisanPromoter ("we," "our," or "us") provides a managed social media service that helps Etsy sellers promote their products across multiple social media platforms. We create, review, and publish content on your behalf to Facebook, Instagram, Pinterest, X, and LinkedIn.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. Please read this policy carefully. By using ArtisanPromoter, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, password, business name, and billing information when you create an account.
• Brand Information: Details about your business, brand voice, target audience, and content preferences you share with us.
• Communications: Any messages, feedback, or support requests you send to us.

2.2 Information From Connected Platforms (OAuth)

When you connect your social media and Etsy accounts, we receive:

• Etsy: Shop name, listings, product images, descriptions, prices, and shop statistics. This is read-only access via OAuth 2.0.
• Facebook & Instagram: Page name, profile information, and posting permissions for pages and accounts you authorize.
• Pinterest: Board names, profile information, and posting permissions for accounts you authorize.
• X: Profile name, handle, and posting permissions for accounts you authorize.
• LinkedIn: Profile or organization page information and posting permissions for accounts you authorize.

2.3 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on the service, and interaction patterns.
• Device Information: Browser type, operating system, device type, and IP address.
• Log Data: Server logs including access times, API calls, and error reports.
• Content Performance: Engagement metrics (likes, comments, shares, clicks) for content we publish on your behalf.

2.4 Payment Information

We collect billing information to process payments. Payment processing is handled by third-party payment processors (such as Stripe). We do not store complete credit card numbers on our servers.

3. How We Use Your Information

We use the information we collect to:

• Provide Our Service: Create, schedule, and publish social media content on your behalf.
• Generate Content: Use your Etsy listings and brand information to create AI-generated social media posts.
• Communicate With You: Send service updates, content approvals, and respond to your inquiries.
• Improve Our Service: Analyze usage patterns to improve features and user experience.
• Process Payments: Handle subscription payments and billing.
• Ensure Security: Detect and prevent fraud, abuse, and security violations.
• Comply With Legal Obligations: Respond to legal requests and comply with applicable laws.

3.1 AI Content Generation

We use artificial intelligence to generate social media content based on your individual product listings. We do not train AI models on your Etsy data or social media data. AI is used only to transform your specific product information into social media posts.

4. How We Share Information

We share information in the following circumstances:

4.1 With Social Media Platforms

When we publish content on your behalf, we share that content with the applicable platform (Facebook, Instagram, Pinterest, X, or LinkedIn). This includes:

• The content of posts, pins, or tweets we publish
• Images derived from your Etsy listings
• Metadata associated with the post

4.2 With Service Providers

We share information with third-party service providers who perform services on our behalf:

• Payment Processors: To process subscription payments (e.g., Stripe)
• Cloud Hosting: To host our application and data (e.g., AWS, Google Cloud)
• Email Services: To send notifications and communications
• Analytics: To analyze service usage and improve our product

All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

Meta Platform Data: For service providers who process data received from Meta (Facebook/Instagram) APIs, we maintain written agreements requiring them to: (a) use such data solely on our behalf and at our direction; (b) not use data for any other individual, entity, or purpose; and (c) ensure their own subcontractors comply with these same requirements, in accordance with Meta's Platform Terms (Section 5).

4.3 For Legal Reasons

We may disclose information if required by law, court order, or governmental request, or to:

• Protect our rights, privacy, safety, or property
• Enforce our agreements
• Respond to emergencies
• Prevent fraud or security threats

4.4 With Your Consent

We may share information with third parties when you give us explicit consent to do so.

4.5 We Do NOT

• Sell your personal information to third parties
• Share your data for advertising purposes outside our service
• Use your Etsy data to train AI models

5. Data Retention

We retain your information for as long as necessary to provide our service:

5.1 Active Accounts

• Account Information: Retained while your account is active.
• OAuth Tokens: Retained until you disconnect the connected account or delete your ArtisanPromoter account.
• Etsy Listing Data: Refreshed regularly (within 6 hours for listings) to remain current.
• Published Content: Retained for your records and performance tracking.
• Pinterest Data: We do not store data retrieved from the Pinterest API except for analytics about your own campaigns. We call the Pinterest API in real-time when we need to access information, in accordance with Pinterest's Developer Guidelines.

5.2 After Account Deletion

When you delete your account:

• We delete your account information and OAuth tokens within 30 days
• We delete your Etsy data cached in our systems within 30 days
• Content already published to social media platforms remains on those platforms until you delete it there
• We may retain aggregated, anonymized data for analytics purposes
• We retain billing records as required by law for tax and accounting purposes

5.3 Data Freshness (Etsy)

In compliance with Etsy API requirements, listing content displayed in our system is refreshed to remain current with your Etsy shop (within 6 hours for listing content, 24 hours for other content). If content is deleted or modified on Etsy, our system reflects those changes within these timeframes.

6. Your Rights

Depending on your location, you may have the following rights:

6.1 Access and Portability

You have the right to request a copy of the personal information we hold about you. To request this, contact us at privacy@artisanpromoter.com.

6.2 Correction

You can update your account information at any time through your account settings. If you believe other information we hold is inaccurate, contact us to request correction.

6.3 Deletion

You can request deletion of your account and personal information by:

• Using the "Delete Account" feature in your account settings
• Contacting us at privacy@artisanpromoter.com

Upon deletion request, we will delete your information within 30 days, subject to legal retention requirements.

6.4 Withdrawal of Consent

You can withdraw consent for specific data processing activities by:

• Disconnecting social media accounts through platform settings or our app
• Opting out of marketing communications via unsubscribe links
• Contacting us to limit how we use your information

6.5 Rights for California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected, used, and shared
• Right to delete personal information
• Right to opt-out of the sale of personal information (note: we do not sell personal information)
• Right to non-discrimination for exercising these rights

6.6 Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR:

• Right to access and portability
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to object to processing
• Right to lodge a complaint with a supervisory authority

6.7 Do Not Track

We currently do not respond to "Do Not Track" signals. However, you can opt out of certain tracking through your browser settings or by contacting us.

7. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest
• Access Controls: Access to personal data is restricted to authorized personnel only
• Secure Authentication: OAuth tokens are stored securely and never shared
• Regular Security Reviews: We conduct regular security assessments and vulnerability testing
• Incident Response: We have procedures in place to respond to security incidents

Despite our security measures, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

7.1 Data Breach Notification

In the event of a data breach involving your personal information or data accessed from connected platforms, we will:

• Notify You: Promptly inform affected users via email about the nature of the breach and steps being taken
• Notify Etsy: For breaches involving data accessed via the Etsy API, we will notify Etsy's data protection team within 24 hours of discovery at dpo@etsy.com
• Notify Meta: For breaches involving data accessed via Meta (Facebook/Instagram) APIs, we will notify Meta's security team within 24 hours of discovery, in accordance with Meta's Platform Terms (Section 6)
• Notify X: For breaches involving data accessed via the X API, we will notify X immediately upon discovery, cooperate with investigations, and take remediation steps as required by the X Developer Agreement
• Notify Other Platforms: For breaches involving data from Pinterest or LinkedIn, we will notify the appropriate platform security contact within 24 hours
• Document the Breach: Maintain records of the breach, affected data, and remediation steps
• Remediate: Take immediate steps to secure systems, close vulnerabilities, and prevent future incidents

If you believe your data has been compromised, contact us immediately at security@artisanpromoter.com.

8. Cookies & Tracking

We use cookies and similar tracking technologies for the following purposes:

8.1 Types of Cookies We Use

First-Party Cookies (Set by ArtisanPromoter)

• Essential Cookies: Required for the service to function. These include authentication cookies that keep you logged in, security cookies that help detect and prevent fraud, and cookies that remember your consent preferences. These cannot be disabled without affecting core service functionality.
• Preference Cookies: Remember your settings and preferences such as language, display settings, and notification preferences. Disabling these may affect your user experience but will not prevent the service from working.
• Analytics Cookies: Help us understand how you use our service so we can improve it. These collect anonymous information about pages visited, features used, and interaction patterns. You can opt out of analytics cookies.

Third-Party Cookies (Set by Other Services)

• Payment Processors: Our payment processor (e.g., Stripe) may set cookies to process transactions and prevent fraud. These are governed by the payment processor's privacy policy.
• Embedded Content: If we display content from third-party services (such as embedded social media posts), those services may set cookies according to their own policies.

8.2 Managing Cookies

You can manage cookie preferences in several ways:

• Browser Settings: Most browsers allow you to block, delete, or manage cookies through their settings. Consult your browser's help documentation for instructions.
• Opt-Out: You can opt out of analytics cookies by contacting us at privacy@artisanpromoter.com.
• Do Not Track: We currently do not respond to "Do Not Track" browser signals. However, you can manage tracking through your browser's privacy settings.

Note: Disabling essential cookies will prevent you from using core features of our service. Disabling other cookies may affect functionality but will not prevent basic access.

8.3 Cookie Duration

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Remain on your device for a set period (typically 1-2 years) or until manually deleted

8.4 Updates to Cookie Practices

We may update our cookie practices from time to time. Significant changes will be reflected in this policy with an updated "Last Updated" date.

9. Children's Privacy

ArtisanPromoter is not intended for users under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

If you believe we have collected information from a child under 13, please contact us immediately at privacy@artisanpromoter.com, and we will take steps to delete such information.

10. Platform-Specific Disclosures

10.1 Etsy

We access your Etsy shop data via the Etsy API. You can revoke this access at any time through your Etsy account settings. Etsy's use of information received from APIs will adhere to the Etsy Privacy Policy.

10.2 Meta (Facebook & Instagram)

When you connect your Facebook or Instagram account, you authorize us to access certain data and publish content on your behalf. This access is governed by Meta's Privacy Policy and Platform Terms.

Important: This Privacy Policy does not supersede, modify, or conflict with Meta's Platform Terms or Developer Policies. In the event of any inconsistency, Meta's terms prevail regarding Platform Data received from Meta's APIs.

Platform Data Handling

For data received from Meta's APIs ("Platform Data"), we comply with the following restrictions:

• No Sale or Licensing: We do not sell, license, or purchase Platform Data.
• No Surveillance: We do not use Platform Data for surveillance or provide tools that enable surveillance.
• No Re-identification: We do not attempt to decode, circumvent, re-identify, or de-anonymize Platform Data.
• No Discrimination: We do not process Platform Data to discriminate based on race, ethnicity, religion, age, sex, or other protected characteristics.
• No Eligibility Determinations: We do not use Platform Data to make eligibility determinations for housing, employment, insurance, education, or credit.
• Data Deletion: We delete Platform Data when you request deletion, when you disconnect your account, when you no longer have an account with us, or when it is no longer necessary for our service.

User Consent for Publishing

Before publishing content to your Facebook or Instagram account, we obtain your consent. Content published on your behalf is created by our editorial team and is not pre-filled—each piece of content is uniquely created and reviewed by our team before publishing.

EEA/UK Data Transfers

If you are located in the European Economic Area (EEA) or United Kingdom, transfers of personal data from Meta to us are subject to Meta's Standard Contractual Clauses (Module One: Controller to Controller), as incorporated into Meta's Data Policy. For disputes arising from these clauses, Ireland is designated as the Member State for resolution. We implement Meta's Technical and Organisational Measures as required for data transfers from the EEA/UK.

Login Credentials

We never collect, store, or ask for your Facebook or Instagram login credentials (password). We access your accounts only through OAuth authentication, which uses secure authorization tokens that you can revoke at any time through your Facebook or Instagram settings.

10.3 X

When you connect your X account, you authorize us to access certain data and publish content on your behalf. This access is governed by X's Privacy Policy, Developer Agreement, and Developer Policy.

X Content Handling

For data received from X's APIs ("X Content"), we comply with the following requirements:

• No AI Training: We do not use X Content to fine-tune or train any foundation or frontier AI models. Our AI generates content only from your individual Etsy listings.
• No Surveillance: We do not use X Content for surveillance, investigating or tracking X users, or monitoring sensitive events.
• No Sensitive Data Derivation: We do not derive or infer sensitive information about X users, including health, political affiliation, racial or ethnic origin, religious beliefs, sexual orientation, trade union membership, financial status, or criminal history.
• No Off-X Matching Without Consent: We do not associate X usernames or user IDs with off-platform identifiers (such as your customer records) without your express opt-in consent.
• Content Deletion: We delete X Content from our systems within 24 hours when requested by X or by you, or when content is deleted or suspended on X.
• No Password Storage: We never store X passwords or request your X login credentials. We access your account only through OAuth authentication.
• No Automated Likes: We do not perform automated likes on X—this is prohibited by X's policies.
• No Identical Cross-Posting: We do not post identical or substantially similar content across multiple X accounts to prevent spam.

Data Protection

We comply with X's Controller-to-Controller Data Protection Addendum for transfers of personal data. For users in the European Union, EFTA States, or United Kingdom, disputes related to data transfers are governed by Irish law and resolved in Irish courts.

10.4 Pinterest

We access your Pinterest account via the Pinterest API with your authorization. You can revoke access through your Pinterest settings. See Pinterest's Privacy Policy and Developer Guidelines.

Data Handling Restrictions

For data received from Pinterest's API, we comply with the following additional restrictions:

• No Cross-Account Combination: We do not combine your Pinterest account information with information from other accounts or other services.
• No Off-Pinterest Ad Targeting: We do not use Pinterest data to target advertising outside of Pinterest.
• No Data Storage: Except for campaign analytics about your own account, we do not store information accessed through the Pinterest API. We call the API in real-time when we need to access information.
• No Data Sale: We do not share or sell Pinterest API data with third parties.

10.5 LinkedIn

We access your LinkedIn account via the LinkedIn Marketing API with your authorization. LinkedIn's general API does not permit automated posting—we use only the Marketing API, which is a vetted program requiring approval. You can revoke access through your LinkedIn settings. See LinkedIn's Privacy Policy, API Terms of Use, and Marketing API Terms.

Marketing Data Handling

For data received from LinkedIn's Marketing APIs ("Marketing Data"), we comply with the following requirements:

• Authorized Access Only: We only access LinkedIn accounts (Pages or profiles) on behalf of Authorized Clients—you must be the Account Manager or have been authorized by the Account Manager.
• No Password Storage: We never collect, store, or request your LinkedIn login credentials (password). We access your accounts only through secure OAuth authentication tokens that you can revoke at any time.
• Limited Storage: We only store Marketing Data to the extent expressly permitted by LinkedIn's Developer Documentation and Data Storage Requirements. Analytics Data is stored only to provide reporting to you.
• Data Deletion: We permanently delete stored Marketing Data within 10 days when: (a) you cease using our service; (b) you request deletion; or (c) LinkedIn requests deletion.
• No Member Data Sale: We do not commercialize, sell, or make LinkedIn Member Data available to data brokers, information resellers, or data monetization services.
• No Scraping: We do not use bots, crawlers, browser plugins, or any other automated means to access LinkedIn data outside the official Marketing API.
• No Pre-filling Without Notice: If we pre-fill any content for you, we provide clear notice that such content is subject to our privacy policy and you can edit it.

User Consent Requirements

Before you authenticate your LinkedIn account with our service, you consent to:

• How your LinkedIn data will be used and disclosed
• The type of data to be collected (profile information, posting permissions)
• How you can withdraw your consent (through LinkedIn settings or by contacting us)
• How you can request deletion of your data

Data Processing Agreement

To the extent either party processes Personal Information received from the other party, the parties agree that LinkedIn's Data Processing Agreement for Business Development Agreements governs such processing and is incorporated by reference.

EU/UK Data Transfers

For users located in the European Economic Area (EEA), European Free Trade Association (EFTA) States, or United Kingdom:

• If you are in the Designated Countries (EU, EEA, Switzerland, UK), your agreement is with LinkedIn Ireland Unlimited Company
• Disputes related to data transfers are governed by the laws of Ireland
• Irish courts have jurisdiction for dispute resolution

Security Incident Notification

If we discover any security incident that may affect the security of LinkedIn Marketing Data, we will:

• Notify LinkedIn within 24 hours of discovery via email to security@linkedin.com
• Immediately begin remediation efforts
• Cooperate with LinkedIn's security team
• Not make public statements without LinkedIn's prior written permission

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@artisanpromoter.com
• For Compliance Inquiries: compliance@artisanpromoter.com
• For Security Issues: security@artisanpromoter.com
• Response Time: We aim to respond within 48 hours

11.1 Data Deletion Requests

To request deletion of your personal information or Platform Data received from connected services:

• Email: Send a request to privacy@artisanpromoter.com
• Subject Line: Include "Data Deletion Request" in your email subject line
• Verification: Please include the email address associated with your account to help us verify your identity
• Response: We will process your request within 30 days and confirm deletion

You can also delete your data at any time by using the "Delete Account" feature in your account settings, which will remove your personal information and disconnect all linked platform accounts.

11.2 Data Access Requests

To request a copy of the personal information we hold about you:

• Email privacy@artisanpromoter.com with "Data Access Request" in the subject line
• Include your account email for verification
• We will provide your data in a portable format within 30 days

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you by email for significant changes (where legally required)
• Post the updated policy on our website

Your continued use of ArtisanPromoter after changes become effective constitutes your acceptance of the updated policy.