Privacy Policy

Personal Marketing · Operated by Nextoria Information Technology LLC

Last Updated: April 16, 2026

1. Introduction

Nextoria Information Technology LLC (“Nextoria,” “we,” “us,” or “our”) operates the Personal Marketing application (“the App”). This Privacy Policy explains what data we collect, why we collect it, how we protect it, and your rights over it.

By using the App, you agree to the practices described in this Policy. If you do not agree, please discontinue use and contact us at info@nextoria.ae to request deletion of your data.

2. Data We Collect

2.1 Account Information

When you register, we collect your name, email address, and any profile information you provide.

2.2 Connected Social Media Accounts

When you connect a social platform via OAuth, we store:

  • Platform-specific access tokens and refresh tokens (encrypted at rest with AES-256)
  • Platform user ID, page names, page IDs, and ad account identifiers
  • Token expiry dates and last-successful-call timestamps
  • The OAuth scopes you granted

Supported platforms: Google (YouTube), Facebook, Instagram, LinkedIn, X (Twitter), TikTok, Snapchat, and Telegram.

2.3 Content You Create

  • Posts, captions, images, and videos you draft or publish through the App
  • Scheduled post data and publishing history
  • Content planner entries, brand voice profiles, and user goals
  • Strategy clone configurations

2.4 Data Processed by AI Features

When you use AI-powered features (content optimization, onboarding, AutoReply, Strategy Clone), the following data is transmitted to Google Gemini for processing:

  • Your post text and media type
  • Your brand voice settings (tone, industry, target audience)
  • Your user goals and content style preferences
  • For AutoReply: The text of incoming messages received on your connected social accounts

This data is sent to Google’s Gemini API solely to generate a real-time response for you. We do not store these API requests beyond what is needed to display the result.

2.5 Analytics Data (Background)

We periodically fetch the following from your connected platforms on your behalf:

  • Follower counts and growth metrics
  • Post impressions, reach, engagement rates, and video views
  • YouTube channel statistics

2.6 Google Calendar Sync

If you connect Google Calendar, we sync event titles and dates to schedule social posts. Deleting a calendar event automatically deletes the corresponding scheduled post.

2.7 Technical & Log Data

  • Last API call timestamps per platform connection
  • Error messages from failed API calls (stored per connection)
  • AutoReply log entries (incoming message metadata and AI-generated reply text)

3. How We Use Your Data

Data | Purpose | Feature
Account credentials | Authentication & account management | All
OAuth tokens | Making API calls to social platforms on your behalf | All posting & analytics features
Post content | Publishing, scheduling, AI-assisted optimization | Post, ContentPlanner, Schedule
Brand voice & goals | Personalizing AI-generated content suggestions | Post, AutoReply, StrategyClone
Incoming messages | Generating AutoReply suggestions via Google Gemini | AutoReply
Analytics metrics | Displaying performance data in your dashboard | Analytics, Dashboard
Calendar events | Coordinating scheduled social media posts | Schedule, Calendar Sync

We do not use your data for advertising, sell it to third parties, or use it to train any AI or machine learning model. This applies to all data — including data received from TikTok, Meta (Facebook/Instagram), Google, X, LinkedIn, and Snapchat platforms.

4. AI Processing Disclosure

The App uses Google Gemini (operated by Google LLC) to power content suggestions, onboarding guidance, AutoReply generation, and strategy analysis.

  • Content you write, and messages received on your social accounts (including TikTok, Instagram, Facebook, X, and LinkedIn), may be transmitted to Google Gemini for real-time processing.
  • Google processes this data under its own Privacy Policy and Generative AI Additional Terms.
  • We do not use your data, or data received from any social platform, to train AI models. We use Google’s Gemini API under terms that do not permit Google to use API inputs for model training.

Per-platform commitments: We do not use TikTok, X (Twitter), Meta, Google, LinkedIn, or Snapchat account data, message content, or media for AI training, advertising profiling, or any model training pipeline. Platform data is accessed solely to perform the action you requested (publish, fetch analytics, generate a reply for you).

5. Google API Services — Limited Use Disclosure

Our use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request Google API scopes that are necessary for features you actively use.
  • We do not transfer Google user data to third parties except as necessary to provide the App’s features (e.g., publishing a post to YouTube).
  • We do not use Google user data for serving advertisements or for any purpose unrelated to the feature that required the scope.

6. TikTok Platform Data — Business Messaging & Content APIs

Our access to and use of data received from TikTok APIs (including the TikTok for Developers Content Posting API and the TikTok Business Messaging API) adheres to TikTok’s Developer Terms of Service, Content Sharing Guidelines, and the TikTok Privacy Policy.

6.1 TikTok Data We Access

When you connect your TikTok account (Personal, Creator, or Business) to Personal Marketing via OAuth, we may access the following TikTok platform data, depending on the scopes you grant:

  • Profile basics (user.info.basic): your TikTok open_id, union_id, display name, and avatar URL — used to identify which connected account is acting.
  • Video upload & publish (video.upload, video.publish): the videos and captions you choose to publish through Personal Marketing are uploaded to TikTok using the Content Posting API.
  • Business Messaging (biz.message.read, biz.message.write — only if you connect a TikTok Business account): incoming direct messages sent to your Business inbox by TikTok users, including the message text, sender’s TikTok identifier (open_id), display name, attachments, and timestamps. Used solely to display your inbox and enable manual or AI-assisted replies that you have explicitly configured.

6.2 How We Use TikTok Data

  • To display your TikTok content, scheduled posts, and (for Business accounts) message inbox inside Personal Marketing.
  • To publish posts and send replies on your behalf only after you initiate the action or enable an auto-reply rule.
  • To generate AI-assisted reply suggestions via Google Gemini, when you have enabled this feature for the relevant TikTok rule.

6.3 What We Do NOT Do With TikTok Data

  • We do not sell or rent TikTok user data to any third party.
  • We do not use TikTok user data, message content, sender identifiers, or media to train AI or machine learning models — either our own or any third party’s.
  • We do not use TikTok data for advertising, audience profiling, or marketing analytics directed at any party other than the connected account owner.
  • We do not share TikTok data with sub-processors except as strictly necessary to deliver the feature you requested (Google Gemini for reply generation; our database hosting provider for storage).
  • We do not aggregate, anonymize, or combine TikTok data with data from other users or other platforms to build profiles.
  • We do not retain TikTok message data longer than required to deliver the inbox experience (see retention policy in Section 6.5 below).

6.4 Sub-Processor for TikTok Data

The only sub-processor that may receive TikTok-derived data is Google LLC (Gemini API), used solely to generate AI-assisted reply text when you have enabled auto-reply rules for a TikTok conversation. Gemini operates under its own privacy terms and Google does not use API inputs to train its models. No TikTok data is shared with any other third party for any purpose.

6.5 TikTok-Specific Retention

  • TikTok OAuth tokens: retained until you disconnect TikTok or delete your account.
  • TikTok Business Messaging conversations & message content: retained for a rolling 90 days from the date the message was received, then automatically purged. You may delete individual conversations earlier from the AutoReply Activity Log at any time.
  • TikTok publishing history (post text, references to media you uploaded): retained until you delete the post or your account.
  • TikTok analytics (impressions, views, engagement counts) fetched via API: cached up to 30 days for dashboard display, then refreshed.

6.6 Revoking TikTok Access & Deleting TikTok Data

You can revoke our app’s access to your TikTok account and delete all TikTok-derived data we hold about you in two ways:

  1. From within Personal Marketing: Social Media → TikTok → Disconnect. This immediately revokes our token, deletes locally cached message data and analytics, and unsubscribes from TikTok webhooks.
  2. From TikTok: open the TikTok app → Settings and privacy → Security and permissions → Manage app permissions → Personal Marketing → Revoke access. TikTok will notify our system, which will then purge all related data within 24 hours.

For deletion requests by email, contact info@nextoria.ae with the subject line “TikTok Data Deletion Request” and we will confirm completion within 30 days.

7. Data Deletion Instructions

7.1 Self-Service In-App Deletion

You may delete your account and all associated data at any time, directly within the App, by visiting Account Settings → Delete My Account. After confirming your password, we immediately and permanently delete:

  • Your account and profile information
  • All connected social media account tokens (and we revoke app permissions at each platform)
  • All posts, drafts, schedules, and content planner data
  • All analytics data, brand voice profiles, and AutoReply configurations
  • All uploaded media files stored on our servers

If you are unable to access your account, you may alternatively email info@nextoria.ae with the subject line “Data Deletion Request — Personal Marketing” and we will process your request within 30 days.

7.2 Facebook / Meta — Revoking App Access

If you connected your Facebook or Instagram account and wish to remove our access and delete data we received via the Facebook Platform:

  1. Go to your Facebook Account Settings → Security and Login → Apps and Websites
  2. Find Personal Marketing and click Remove
  3. Facebook will automatically notify our system via a Data Deletion Callback, which triggers immediate deletion of all data associated with your Facebook account

You will receive a confirmation code and a status URL at /facebook/deletion-status where you can verify completion.

7.3 TikTok — Revoking App Access

See Section 6.6 above for the dedicated TikTok revocation process.

8. Third-Party Services & Data Sharing

We share data with the following services only to the extent necessary to operate the App:

Service | Purpose | Data Shared | Data Region
Google Gemini API | AI content generation & reply suggestions | Post content, brand voice, incoming message text | United States
Google APIs (YouTube, Calendar) | Publishing & calendar sync | Video content, calendar events, channel analytics | United States
Facebook / Instagram Graph API | Post publishing, analytics, DM auto-reply | Post content, page access tokens, incoming messages | United States / Ireland
LinkedIn API | Post publishing, comment management | Post content, comment text | United States
X (Twitter) API v2 | Post publishing, analytics, DM auto-reply | Tweet content, incoming DMs | United States
TikTok Content Posting API | Video publishing | Video file, caption text, privacy preferences | Singapore / United States
TikTok Business Messaging API | Receiving and replying to DMs sent to your TikTok Business inbox | Message text, sender identifier, timestamps, AI-generated replies you choose to send | Singapore / United States
Snapchat Marketing API | Ad account access | OAuth credentials | United States
Telegram Bot API | Messaging features | Messages sent via connected bot | Multiple (Telegram-managed)
SendGrid | Transactional email | Email address only | United States
SmarterASP.NET | Application hosting & database storage | All data stored at rest | United States

We do not integrate Meta Pixel, Google Analytics, or any behavioral tracking SDKs. We do not sell or rent your personal data to any third party. We do not share platform data with any sub-processor not listed above.

9. Data Security & Incident Response

9.1 Technical Safeguards

  • AES-256 encryption at rest for all OAuth access tokens and refresh tokens stored in our database
  • HTTPS (TLS 1.2+) for all data in transit — all connections between your browser and our servers are encrypted; HTTP requests are automatically redirected to HTTPS
  • HMAC-SHA256 signed state tokens to prevent cross-site request forgery (CSRF) during OAuth authorization flows
  • PKCE (Proof Key for Code Exchange) for X/Twitter OAuth to prevent authorization code interception
  • Session and authentication cookies enforced with Secure and HttpOnly flags
  • Webhook signature verification (HMAC-SHA256) for all inbound platform events (Meta, TikTok, X)
  • Role-based access control on internal systems; production credentials are never logged
  • Automated daily backups of the production database with 7-day retention

9.2 Incident Response & Breach Notification

In the event of a data breach or security incident affecting your personal data, we will:

  • Notify affected users by email within 72 hours of confirmed discovery, in accordance with GDPR Article 33 and UAE PDPL requirements.
  • Notify the relevant supervisory authority (e.g., UAE Data Office, EU Data Protection Authorities) within the timelines required by applicable law.
  • Notify affected platform partners (TikTok, Meta, Google, X, LinkedIn) where the incident involves data received via their APIs, within the timelines specified in their developer terms.
  • Publish a post-incident report describing the scope, root cause, remediation, and preventive measures.

While we take commercially reasonable steps to protect your data, no system is 100% secure. Please notify us immediately at info@nextoria.ae if you suspect unauthorized access.

10. Data Retention

Data Category | Retention Period
Account and profile data | Until account deletion
OAuth tokens (all platforms) | Until you disconnect the platform or delete your account
Published post history | Until you delete your account
Cached analytics metrics | 30 days rolling, then refreshed from source
AutoReply message logs (Instagram, Facebook, X, LinkedIn) | 90 days rolling, then automatically purged
TikTok Business Messaging conversations & content | 90 days rolling, then automatically purged (see Section 6.5)
Server access logs | 30 days, then deleted
Backup snapshots | 7 days, then deleted

We do not retain data longer than necessary for the purposes described in this Policy. Upon account deletion, data is permanently removed from our active systems within 24 hours and from backup snapshots within 7 days.

11. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Right | Description
Access | Request a copy of the personal data we hold about you
Correction | Request correction of inaccurate data
Deletion (Erasure) | Request permanent deletion of all your data
Portability | Request your data in a machine-readable format
Restriction | Request that we limit how we process your data
Opt-Out of AI Processing | Disable AI-assisted features (AutoReply, content suggestions) to prevent your data from being sent to Google Gemini
Withdraw Consent | Revoke OAuth permissions for any connected platform at any time

Applicable frameworks: EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), and India’s Digital Personal Data Protection Act (DPDP) 2023.

To exercise any of these rights, email info@nextoria.ae. We will respond within 30 days. Residents of the EU/EEA may also lodge a complaint with their local data protection authority.

12. Children’s Privacy

The App is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@nextoria.ae.

13. International Data Transfers

Nextoria is based in Dubai, UAE. When you connect social platforms, data may be transferred to and processed in the United States, Singapore, Ireland, and other countries where these platforms operate (see Section 8 for per-service regions). We rely on your explicit consent (provided via OAuth authorization) and, where applicable, standard contractual clauses or equivalent safeguards for such transfers. TikTok user data may be processed in TikTok’s data centers located in Singapore, Malaysia, the United States, and Ireland, in accordance with TikTok’s data residency policies.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification. The “Last Updated” date at the top will always reflect the most recent revision. Continued use of the App after a revision constitutes acceptance of the updated Policy.

15. Contact Us

Nextoria Information Technology LLC

Airport Rd, Al Garhoud, Dubai, United Arab Emirates

Email: info@nextoria.ae

  • Data Deletion Requests: Subject — Data Deletion Request — Personal Marketing
  • Data Access / Portability Requests: Subject — Data Access Request — Personal Marketing
  • TikTok Data Deletion: Subject — TikTok Data Deletion Request
  • Security / Breach Reports: Subject — Security Incident Report