CrateSocial
Legal · Public · No sign-in required

Privacy Policy

What CrateSocial collects, why, where it lives, how long it stays, and how to have it deleted — in plain language, including the data we obtain through the Meta and TikTok APIs.

Last updated 2026-06-26 · Version 1.0

CrateSocial helps businesses, clients, and their approved implementation partners schedule and measure posts across Facebook, Instagram, and TikTok. This page explains exactly what we store and how to remove it — written to be understood without a lawyer.

01

Who we are

CrateSocial is an invite-only platform for businesses, clients, and their approved implementation partners to schedule, publish, and measure content on social accounts they own or administer — there is no public sign-up, and access is granted only by invitation code. This policy describes what CrateSocial stores about you and your connected accounts, why, and how to have it removed.

02

What data we collect

We collect only what CrateSocial needs to do its job. It falls into five groups.

Account data

Your name, work email, and a password that is stored only as a salted hash — never in plaintext. We also keep the invitation-code metadata used to grant your access and your role (manager or admin).

Data from the Meta APIs (Facebook & Instagram)

When you connect a Facebook Page or Instagram professional account, CrateSocial stores:

  • OAuth access tokens and long-lived / refresh tokens (encrypted at rest)
  • Facebook Page IDs and Instagram professional account IDs
  • The connected account's name, handle, and avatar
  • Post insights and metrics — reach, impressions, likes, comments, shares, and saves — and follower counts
  • Periodic analytics snapshots we record over time so you can see trends

Data from the TikTok API

When you connect TikTok, CrateSocial stores:

  • An access token (~24 hours) and a refresh token (~365 days), encrypted at rest
  • Your TikTok account / open IDs
  • The creator information TikTok requires in order to publish on your behalf
  • The post metrics TikTok returns for your published content

Content you create

The drafts and scheduled posts you compose, any per-platform text variants, and the media you upload. One thing to be transparent about: uploaded media is served from public URLs, because Instagram and TikTok fetch media by URL when publishing — so anyone with the exact file URL could view that file.

Technical & session data

Minimal. A single session cookie keeps you signed in (see Cookies). We run no third-party analytics or tracking.

03

How & why we use it

Each kind of data has one plain purpose:

  • Account data — to authenticate you and gate access to an invite-only tool.
  • Connection tokens — to connect your social accounts and keep them connected, refreshing tokens automatically so scheduled posts don't fail.
  • Content — to compose, schedule, and publish posts on your behalf at the time you choose.
  • Metrics & snapshots — to pull and chart how your posts perform over time.
  • Operational signals — to alert admins when a connection needs reconnecting or a post fails.

We use platform data only for the purposes above. We do not sell it, and we do not use it for advertising or to build profiles.

04

Data from Meta & TikTok

This section gathers, in one place, the data CrateSocial obtains through the Meta and TikTok developer APIs — so a reviewer can verify our disclosures at a glance.

Meta · Facebook & Instagram
  • Access & long-lived / refresh tokens
  • Facebook Page & Instagram account IDs
  • Account names, handles, avatars
  • Post insights: reach, impressions, likes, comments, shares, saves
  • Follower counts & periodic snapshots
TikTok
  • Access token (~24h) & refresh token (~365d)
  • TikTok account / open IDs
  • Creator info required to publish
  • Post metrics returned by TikTok

CrateSocial uses these APIs in line with the Meta Platform Terms & Developer Policies and TikTok's developer terms. Platform data is used solely to provide CrateSocial's scheduling and analytics features to you, the connected account owner — never resold or used for advertising.

05

How long we keep it

We keep data only as long as it is useful for the purpose it was collected, then remove it.

  • Account data — kept while your account is active and for 30 days after deactivation, then deleted.
  • Connection tokens — kept only while a connection is active; deleted and revoked the moment you disconnect an account.
  • Analytics snapshots — retained for 24 months of history, then aged out.
  • Uploaded media — retained for 90 days after a post is published, then removed from public URLs.

06

How we protect it

  • Platform tokens are encrypted at rest — a core CrateSocial guarantee.
  • All traffic runs over HTTPS.
  • Tokens are never written to logs.
  • Passwords are stored only as salted hashes.
  • Sign-in is rate-limited with lockout after repeated failures.
  • Internal access is restricted to the people who operate CrateSocial.

No system is perfectly secure, but we apply these specific safeguards and deliberately avoid storing more than we need.

07

Your rights & data deletion

You can ask us to access, correct, or delete the data CrateSocial holds about you and your connected accounts. Deleting your data revokes and removes your stored tokens, your account data, the analytics snapshots tied to your accounts, and your uploaded media.

Request data deletion

The data deletion page is the actionable path; this section explains what a request removes.

08

Cookies

CrateSocial is an invite-only platform and uses minimal cookies:

  • One session cookie (secure, http-only) that keeps you signed in.
  • No third-party advertising or tracking cookies, and no analytics trackers.

Because the only cookie is this strictly necessary session cookie, CrateSocial shows no cookie-consent banner — a deliberate choice, noted here for transparency.

09

Sharing & third parties

  • The platforms themselves — Meta (Facebook/Instagram) and TikTok receive the posts and requests you direct CrateSocial to make on your behalf.
  • Infrastructure — CrateSocial runs on our own server (a VPS host); your data and tokens stay there.

We do not sell your data, and we do not share it with advertisers or data brokers.

10

Changes to this policy

If we change this policy, we update the "Last updated" date at the top of the page. Material changes will be communicated to account holders. Continuing to use CrateSocial after an update means the revised policy applies.

11

Contact

Questions about privacy or this policy? Email us — for data removal, use the data deletion page.

privacy@cratesocial.net