Privacy policy
Last updated: 2026-06-13
What sociality collects and why
What the extension observes
After you give explicit consent, the sociality Chrome extension detects engagement actions you take on the platforms it supports (www.instagram.com and www.tiktok.com), specifically the likes and comments you make manually. It does this by reading the platform's own like and comment network requests on the tab you are using, including the comment text you submit. No action is ever taken on your behalf; the extension only measures activity you perform yourself.
What the web app stores
The sociality web app stores the following data linked to your account:
- Your account email address and hashed password (required for login).
- Your connected platform profiles (Instagram and TikTok). When you connect a platform, the extension reads your own public profile on it; we store the public handle, display name, and public profile counts (such as follower count) for each connected account.
- Credit ledger events recording verified engagement actions (used to calculate your engagement record).
- Audit events for GDPR compliance and operational integrity.
What we do NOT collect
- Your direct messages (DMs) on any platform.
- Your full feed, or posts you scroll past without interacting.
- Profiles of other people on Instagram or TikTok.
- Your browsing history on any site other than www.instagram.com and www.tiktok.com.
- Any data from any other website. Only www.instagram.com and www.tiktok.com are in scope.
Legal basis for processing (GDPR)
- Extension data. Explicit consent per GDPR Art. 6(1)(a). You must accept the in-extension consent screen before any observation begins. You can withdraw consent at any time by clicking "Disconnect this device" in the extension settings.
- Account data. Necessary for the performance of our service contract per GDPR Art. 6(1)(b). Without your email and connected platform profiles we cannot associate verified engagement records with your account.
How long we keep your data
- Comment text captured for verification: deleted within 90 days.
- Credit ledger events: retained for at least 7 years to meet financial-record obligations.
- Audit events: retained for at least 2 years.
- On account deletion: all personal data is erased within 30 days of your deletion request, subject to the above statutory retention periods.
Your rights
Under GDPR you have the right to access, portability, erasure, rectification, and objection. To exercise any of these rights, email philipp@sociality.live or use the self-service tools in your account:
- Data export: /dashboard/settings/data (JSON download of your account data).
- Account deletion: /dashboard/settings/account (initiates the 30-day erasure SLA).
Sub-processors
We share your data only with the following sub-processors, each bound by a Data Processing Agreement:
- DeepSeek. AI grading of engagement quality. A Data Processing Agreement is in place or being finalized before any AI grading runs in production.
- Resend. Transactional email delivery (password reset, notifications).
- Stripe. Billing and subscription management. Stripe is a PCI-DSS-compliant processor; sociality never sees your card number.
- Vercel & Hetzner / Coolify. Hosting infrastructure for the web app and API.
Cookies and local storage
The web app sets three cookies:
- Session cookie (better-auth). Keeps you logged in. Expires on logout or browser close.
- CSRF token. Protects mutating requests against cross-site forgery. Required for security; not optional.
- Theme preference. Remembers your light/dark mode choice. Contains no personal data.
The Chrome extension uses chrome.storage.local (not cookies). The keys it stores are:
- sociality:auth: your per-installation bearer token. Cleared on disconnect.
- sociality:consent-version: records which version of the consent text you accepted. Cleared on disconnect.
- Additional operational keys used only to manage the extension's internal state (handshake nonce, error counters, action-paused sentinel). Apart from the opaque auth token in sociality:auth, none of the stored keys contain personal data.
Cross-border data transfers
All data is hosted in the EU (Hetzner Cloud FRA region, Vercel fra1 region). DeepSeek is the sole external processor outside the EU; a Data Processing Agreement is in place or being finalized before any AI grading runs in production.
Children's data
sociality is not directed at users under 13. We do not knowingly collect data from children under 13 (or under 16 where local GDPR transposition requires a higher age). If you believe we have collected data from a child, contact philipp@sociality.live and we will delete it promptly.
Changes to this policy
We will update this policy as the product changes. Material changes will be announced via in-app banner; the "Last updated" stamp above always reflects the most recent revision.
Contact
For data-protection questions, email philipp@sociality.live.