Privacy Policy
Last updated April 18, 2026
1. Who we are
AnkleBreaker Studio operates Zerobans (the "Service"). We are the data controller for the personal data we collect through the Service. You can reach our privacy team at privacy@anklebreaker-studio.com.
2. What we collect
Account data: name, email address, hashed password (when you use password auth), organization membership, role.
Connected-platform data: OAuth access + refresh tokens for each social account you connect, the platform's user ID, username, display name, and avatar URL. We do NOT receive or store your platform password.
Content data: posts you draft, schedule, or publish through the Service, including captions, hashtags, media URLs, and platform targets.
Usage data: actions you take in the app (scheduled posts, AI token consumption, settings changes), IP address, user-agent, and timestamps. Audit records of sensitive admin actions (invitations, API key rotations, account disconnects) are retained for compliance review.
Payment data: Stripe holds your payment method on our behalf. We only receive the last four digits, card brand, subscription status, and billing events — never the full card number.
Analytics data: engagement metrics pulled from connected platforms' APIs on your behalf (follower counts, post impressions, click-through rates) to display in your dashboard.
3. How we use your data
We use your data to:
• operate the Service — authenticate you, schedule and publish posts, display analytics, send notifications;
• generate AI drafts you explicitly request (captions, hashtags, adaptations). Your content and brand memory entries are sent to Amazon Bedrock (AWS) at the time of each AI call; AWS does not use them to train general-purpose models;
• bill for paid plans and process refunds;
• keep the Service secure — rate limiting, abuse detection, audit logging of admin actions;
• comply with legal obligations.
We do NOT sell your personal data, use it for behavioral advertising, or share it with third-party advertisers.
4. Data from connected social platforms
When you connect a social account (TikTok, Instagram, YouTube, X, LinkedIn, Facebook, Pinterest, Threads, Discord, Bluesky) via OAuth, we request only the permissions needed to provide the Service. For each platform you can see the exact scopes requested on the OAuth consent screen.
We use connected-platform data only to: display your accounts in the dashboard, publish posts you authorize, refresh expired tokens, and pull analytics you see in the app. We do not aggregate this data across users or sell it.
You can disconnect any account at any time from the Accounts page. On disconnect we revoke stored tokens and mark the account suspended in our system. Published posts remain on the platform (we cannot retroactively remove content once it has been published there).
5. Sub-processors
We rely on the following service providers, each bound by data-protection terms:
• Amazon Web Services (AWS) — hosting, database, AI inference (Bedrock). Region: us-east-1.
• Stripe — payment processing.
• Cloudflare R2 — media storage.
• Resend — transactional email (invitations, alerts).
• Each connected social media platform — only for the scopes and content you explicitly authorize.
6. Retention
We keep personal data while your account is active and for a limited period after deletion to meet tax, legal, and fraud-prevention obligations. Typical retention periods:
• Account + org data: deleted 30 days after you close the account.
• Published-post history + analytics: kept for the life of the account.
• Audit log records: retained 2 years for compliance reviews.
• Payment records: 7 years as required by accounting rules.
7. Your rights
Depending on your jurisdiction (GDPR, CCPA, UK GDPR, etc.) you may have the right to:
• access the personal data we hold about you;
• correct inaccurate data;
• delete your data ("right to be forgotten"), subject to retention obligations listed above;
• export your data in a portable format;
• withdraw consent for processing that relies on consent;
• object to processing or request restriction;
• lodge a complaint with your local data-protection authority.
To exercise these rights, email privacy@anklebreaker-studio.com. We verify identity before acting on any request.
8. International transfers
Our infrastructure is hosted in AWS us-east-1 (Northern Virginia). If you are located in the EEA, UK, or Switzerland, transfers to the United States are covered by Standard Contractual Clauses and supplemental measures as required by GDPR Chapter V.
9. Security
We use TLS for data in transit, encryption at rest for databases and tokens, hashed storage for passwords (bcrypt) and API keys (SHA-256), row-level tenant isolation, per-user rate limiting, and structured audit logs for admin actions. No system is perfectly secure — if we detect a personal-data breach that is likely to result in a risk to your rights, we will notify you and relevant regulators within 72 hours as required by GDPR.
10. Children
The Service is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has given us data, contact privacy@anklebreaker-studio.com and we will delete it.
11. Cookies and tracking
We use first-party cookies for session authentication (NextAuth), CSRF protection, and remembering dashboard widget preferences. We do not use third-party advertising cookies or cross-site tracking.
12. Changes to this policy
We may update this policy as the Service evolves. Material changes will be highlighted on the dashboard and take effect 14 days after posting. The "Last updated" date at the top reflects the latest revision.
13. Contact
Privacy questions or requests: privacy@anklebreaker-studio.com.
Data Protection Officer (EEA/UK inquiries): dpo@anklebreaker-studio.com.