Privacy Policy
Last updated: June 18, 2026
1. Introduction
This Privacy Policy describes how Aigentifyable LLC (“Aigentifyable”, “ScoutSocial”, “we”, “us”), a limited liability company registered in the Republic of Armenia, collects, uses, shares and protects personal data when you use the ScoutSocial platform (https://scoutsocial.ai). For data you process on behalf of a Customer organisation, Aigentifyable acts as a data processor under our Data Processing Agreement; for data we process for our own purposes (account administration, billing, service security, and product improvement using aggregated or de-identified data), we act as controller. For platform-derived personal data collected via a Connected Platform's API, the relationship is described in § 6 (Platform-specific disclosures).
Beta programme participants: during ScoutSocial's beta phase, additional data-collection and third-party services apply to beta participants only. These are described in the Beta Programme Privacy Supplement, which supplements (and, for beta participants, should be read together with) this Privacy Policy.
2. Information We Collect
Account data: name, email, organisation membership and profile information (authentication via Clerk). Connected social account data: OAuth access and refresh tokens for each Connected Platform, platform user ID/handle, profile metadata, and the scope of permissions you granted. Content: posts, drafts, templates, scheduled items, AI-generated outputs, uploaded media files, collaborative whiteboards, and your chat threads with our AI assistant (“Scouty”). Platform Data: content and metrics ScoutSocial retrieves through each Connected Platform's API on your behalf — see § 6 for per-platform detail. Platform Data can include information about third-party individuals who interact with your content (for example, the handle and comment text of someone who comments on or mentions your posts); we collect and temporarily store such data only to provide the service and retain it only for the per-platform windows set out in § 8. Usage data: feature interactions, page views and product analytics (collected via Google Analytics where you have consented — see our Cookie Policy). Device data: browser type, operating system, IP address and similar technical identifiers. Billing data: billing identifiers and invoice references; full payment-card details are handled by our merchant of record Paddle.com Market Limited and are not stored by ScoutSocial.
3. How We Use Your Information
We use the information described above to: (a) operate the platform — including scheduling, publishing, retrieving analytics and running social listening; (b) provide AI features via our sub-processors OpenAI and Anthropic; (c) administer your subscription, billing and team workspace; (d) communicate with you about the service and respond to support requests, including where ScoutSocial staff need to access your data to diagnose an issue (always under access controls, with administrative actions audit-logged — see § 11); (e) maintain the security and reliability of the platform and prevent abuse; (f) improve the platform and develop new features, using aggregated or pseudonymous data wherever possible. We do not use Platform Data, customer content or your AI prompts to train AI models (our own or those of our sub-processors), and our contracts with OpenAI and Anthropic prohibit them from using your data for model training. We do not use Platform Data to build profiles of individual end-users (e.g. commenters or followers); AI and analytics features operate on aggregate performance data.
3.1 Background access and scheduled jobs
ScoutSocial performs scheduled and background operations on your Connected Platform accounts — including publishing posts at a scheduled time, refreshing analytics, refreshing OAuth access tokens to keep your connections active, and running social-listening pulls — even when no user from your organisation is signed in. All such operations: (a) use only the OAuth tokens you have granted; (b) are confined to the scopes you authorised at connection; (c) cease immediately if you disconnect the account, revoke ScoutSocial's authorisation at the platform, or are removed from the workspace; (d) are logged in our audit trail.
3.2 Automated decision-making, profiling and sensitive attributes
ScoutSocial does not make decisions based solely on automated processing that produce legal or similarly significant effects on you (GDPR Art. 22). We do not use Platform Data to: (i) make eligibility determinations relating to credit, insurance, employment, housing, government benefits, immigration or similar; (ii) perform surveillance, intelligence-gathering or tracking of named individuals; (iii) build profiles of end-users on Connected Platforms (e.g. commenters, followers); (iv) derive or infer special-category attributes — health, financial status, political opinion, racial or ethnic origin, religion, sex life or orientation, union membership, alleged crime or biometric identity — about individuals; (v) feed Platform Data into facial-recognition or biometric-identification systems.
3.3 Disclosure signals forwarded on publish
When publishing on your behalf, ScoutSocial forwards the disclosure signals each Connected Platform requires — including automatically applying AI-generated / synthetic-media labels to Meta and YouTube where your content is AI-generated. You remain responsible for activating other platform disclosures, such as branded-content / paid-partnership toggles.
4. Legal Bases for Processing (GDPR)
For EU/EEA/UK data subjects, we process personal data under GDPR/UK GDPR lawful bases described below.
Purpose: Account authentication and session management
Data categories: Email, login/session identifiers, organization membership
Lawful basis: Performance of contract (Art. 6(1)(b))
Purpose: Publishing and scheduling content to connected social accounts
Data categories: Post text, media, scheduling metadata, platform OAuth tokens
Lawful basis: Performance of contract (Art. 6(1)(b))
Purpose: Retrieving analytics and account insights from connected platforms
Data categories: Platform analytics metrics, account metadata, post performance data
Lawful basis: Performance of contract (Art. 6(1)(b))
Purpose: AI content generation features
Data categories: Draft prompts, content instructions, generated outputs
Lawful basis: Performance of contract (Art. 6(1)(b))
Purpose: Platform security, abuse detection, and incident response
Data categories: IP address, device metadata, auth/rate-limit/security logs
Lawful basis: Legitimate interests (Art. 6(1)(f))
Purpose: Service reliability and observability (including optional LangSmith tracing)
Data categories: Operational telemetry, redacted prompts, tool traces
Lawful basis: Legitimate interests (Art. 6(1)(f))
Purpose: Improving the platform and developing new features
Data categories: Aggregated or pseudonymised usage and performance data
Lawful basis: Legitimate interests (Art. 6(1)(f))
Purpose: Compliance audit logs for vendor/platform obligations
Data categories: API operation metadata (no payment card data)
Lawful basis: Legal obligation (Art. 6(1)(c)) and contractual compliance duties
Purpose: Billing and subscription administration
Data categories: Billing identifiers, plan and invoice references
Lawful basis: Performance of contract (Art. 6(1)(b))
Purpose: Product analytics cookies and optional marketing communications
Data categories: Analytics identifiers, consent status, contact details
Lawful basis: Consent (Art. 6(1)(a))
We maintain documented legitimate-interests balancing assessments for each Art. 6(1)(f) processing activity, available to data-protection authorities on request. We do not rely on public-interest or vital-interest bases for ordinary service processing.
5. Data Sharing and Third Parties
We share data only as necessary with:
- Clerk (US): authentication and identity management.
- Paddle.com Market Limited (UK): merchant of record for payments and subscription billing.
- Amazon Web Services (US/EU — Frankfurt): cloud infrastructure, hosting, storage (S3), content delivery (CloudFront) and transactional email (SES).
- OpenAI (US), Anthropic (US): large-language-model inference for AI content-generation and AI Insights features. Our contracts with each AI provider prohibit them from training their models on your prompts, content or Platform Data. OpenAI additionally provides speech-to-text transcription (Whisper) of uploaded video audio; that audio is sent to OpenAI for transcription only and is not retained by ScoutSocial after transcription. Prompts sent to these providers may include text and uploaded source images you provide (multimodal input), and public content from competitor accounts you choose to track (with identifiers redacted) where you use competitor insights and content-idea features.
- LangChain, Inc. — LangSmith (US): optional LLM tracing and observability where enabled (redacted prompts and tool traces only).
- Google Analytics (US/Global): website and product analytics, where you have consented.
- The Connected Platforms themselves (Meta — Facebook & Instagram, LinkedIn, X, TikTok, YouTube/Google): publishing, analytics and social-listening requests are sent to each platform's APIs subject to that platform's terms and privacy policy.
The full, current list of sub-processors is available at https://scoutsocial.ai/legal/sub-processors. For EU/EEA/UK personal data transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, for the UK, the UK International Data Transfer Addendum (IDTA) (see § 7).
We do not sell personal data to third parties.
5.1 No training on customer data
Our written agreements with OpenAI and Anthropic prohibit those providers from using your prompts, content, generated outputs or Platform Data to train, fine-tune or improve their foundation or production models. ScoutSocial does not train its own AI models on customer data either.
Redaction before AI sub-processors. Every prompt we send to an AI provider (OpenAI or Anthropic) is filtered through a server-side redaction step immediately before the network call. It removes direct identifiers — such as platform handles, profile URLs, email addresses and phone numbers — before transmission. Our AI sub-processors are therefore not provided with identifying details of the social-platform members whose content you touch through ScoutSocial. This protection is enabled by default in production; our architecture is additionally designed to prevent social-listening data (comments and mentions collected from third-party platforms) from entering an AI pipeline.
6. Google API Services & YouTube Data
ScoutSocial connects to the YouTube Data API to let you publish videos, manage channel settings, and retrieve performance analytics. This section describes how we handle data received from Google APIs.
- Data we access: YouTube channel metadata, video upload status, video and channel analytics, and comment threads — only for accounts you explicitly connect.
- How we use it: to publish content you create in ScoutSocial, display performance metrics in your dashboard, and generate scheduling recommendations.
- How we store it: OAuth tokens are stored encrypted at rest in our database. Analytics data is cached to reduce API calls and retained per Section 8 (Data Retention). We do not store raw YouTube video files after upload completes.
Retention windows. YouTube authorisation tokens are retained for as long as you remain connected. Statistics-type data (Analytics, view/like/subscriber counts) is retained while we verify your authorisation remains valid and the underlying video still exists, on a maximum 30-day check cycle. Other YouTube Authorised Data (titles, descriptions, tags, comment text) and Non-Authorised Data (public search results, competitor channels) are refreshed or deleted within 30 calendar days. If you revoke ScoutSocial's access via Google's security settings, we delete all YouTube API Data held about you within 7 days. Deletion requests. You may request deletion of YouTube API Data ScoutSocial holds at any time — please note that this only removes data stored by ScoutSocial; it does not delete content stored by YouTube itself, which you must manage through YouTube directly. Other Google disclosures. ScoutSocial does not serve advertising on pages containing YouTube API Data and does not share Google user data with any third party other than the sub-processors listed in § 5. Cookies set by Google during account connection are described in our Cookie Policy. Questions about Google data handling: privacy@scoutsocial.ai.
- Sharing: we do not share your Google user data with third parties. Data is only transmitted between your browser, our servers, and Google's APIs.
ScoutSocial uses YouTube API Services. By using ScoutSocial's YouTube features you agree to be bound by the YouTube Terms of Service. ScoutSocial's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. You may revoke ScoutSocial's access to your Google account at any time via Google's security settings.
For information on how Google collects, uses, and protects your data, please refer to the Google Privacy Policy.
6.1 Facebook & Instagram (Meta)
When you connect a Facebook Page or Instagram professional account, we access — only with your OAuth authorisation — Page/account metadata, posts you publish, post insights, comments and reactions on your content, follower-count aggregates, and conversation metadata where applicable. We store Instagram media as platform CDN URLs only; we do not download or rehost the underlying media bytes.
- Controller roles. Two layers of processing apply: (i) Meta processes end-user data on its own platform as controller under Meta's Privacy Policy and the Instagram Privacy Policy; (ii) ScoutSocial processes off-platform copies of API-fetched data under this Privacy Policy and, where you are a B2B Customer, our DPA.
- Administrator identity. The identity of the individual administrator who connected a Page or account is not disclosed to other workspace members or third parties without that administrator's explicit consent.
- Content licence. Content published to Facebook or Instagram through ScoutSocial is subject to Meta's perpetual content licence under Meta Platform Terms §2.b.i.1, which survives deletion in ScoutSocial.
- Token expiry & monitoring. Meta access tokens expire after approximately 60 days and cannot be silently refreshed; ScoutSocial monitors token expiry, permission usage and revocation, and sends you advance warnings (including around 7 days before token expiry, and before Meta automatically revokes permissions that have gone unused) prompting you to reconnect the account so service continuity is maintained.
- Page-admin checks. ScoutSocial periodically checks the admin/role status of connected Facebook Pages and notifies your organisation's administrators when a change is detected (for example, if ScoutSocial loses admin access), so connections can be maintained.
- Deletion-status endpoint. ScoutSocial provides a public data-deletion status endpoint at https://scoutsocial.ai/api/webhooks/meta/data-deletion where the status of a Meta-initiated data-deletion request can be confirmed using the confirmation code returned when the request is made.
6.2 LinkedIn
Where you connect a LinkedIn account, ScoutSocial accesses, on your authorisation, your profile data, Pages/Company Pages you administer, post content, post analytics, organisation analytics and (for the Community Management API) post engagements (likes, comments, reshares, mentions). LinkedIn's default position is no storage unless expressly permitted under the Marketing API Additional Terms or Data Storage Requirements; where we do store LinkedIn data, we apply LinkedIn's field-level retention caps, which override our general subscription-tier retention: profile data of LinkedIn Members who are not the authenticated account holder is cached for a maximum of 24 hours; Member-authored social-activity content (comments, post bodies, articles, mentions and metadata) is retained for a maximum of 48 hours; organisation-authored social activity is retained for 6 months (authenticated org) or 6 weeks (non-authenticated org, e.g. competitor pages); aggregate organisation analytics, including AI-derived insights, are retained for a maximum of 1 year; OAuth tokens and any LinkedIn data tied to a Member are deleted immediately when the Member requests deletion or closes their ScoutSocial account, and within 10 days when a Customer terminates LinkedIn integration. We use LinkedIn Analytics Data only to report back to the specific Authorised Client whose data it is — never for cross-client benchmarking, internal ScoutSocial purposes, or advertising/sales prospect identification. LinkedIn Member Data is never used for ad targeting, lead generation, CRM enrichment, audience building, recruiting, eligibility decisions, or to derive sensitive attributes (GDPR Art. 9 categories). Before connecting LinkedIn, we present the six disclosures required by LinkedIn's API Terms (data uses, when collected, data types, withdrawal of consent, deletion mechanism, and storage practice); if your OAuth token expires we ask for fresh consent — silent token refresh does not satisfy LinkedIn's requirements.
6.3 X
When you connect an X account we receive X profile data, the Posts you publish, Post metrics and (where in-scope) Post replies and mentions. ScoutSocial receives this data as an independent data controller under X's Controller-to-Controller Data Protection Addendum; X (X Corp. / X Internet Unlimited Company in the EEA/UK) is the source controller. Content you publish to X via ScoutSocial is subject to X's content licence, including X's right to use Posts for machine-learning and AI-model training as described in X's Privacy Policy. Where ScoutSocial replicates ad-interaction or off-X interaction data surfaced through X's APIs, ScoutSocial-side retention does not exceed X's 12-month cap for that category. We acknowledge that X-side data lifecycle is independent of ScoutSocial-side retention: if an X user deactivates their account, X retains the option to restore it within 30 days, which we account for in our deletion cascade.
6.4 TikTok
When you connect a TikTok account we access, on your authorisation: the TikTok open_id, display_name, avatar URL, bio, follower-count, video IDs and statistics, and comment metadata on videos you have authored or that mention your account. We process this data as an independent data controller under TikTok's Controller-to-Controller Data Terms; TikTok (TikTok Pte. Ltd. and ByteDance Ltd. as the parent infrastructure operator, see Sub-Processors) is the source controller; in the EEA and UK, TikTok Technology Limited (TikTok Ireland) is the controller of TikTok-side user data. Requests to TikTok to exercise rights over TikTok-side data (access, deletion, portability, etc.) must be made via TikTok's webform at https://www.tiktok.com/legal/report/privacy. Requests over ScoutSocial-side copies of TikTok data can be made to privacy@scoutsocial.ai. On termination of our TikTok API access (whether at your request or TikTok's), we delete all TikTok Information held about you in all storage systems, including caches, analytics, AI-derived insights, and backups.
6.5 YouTube Authorized Data — workspace visibility
YouTube Authorized Data of a Connected channel (analytics, video metadata accessible only to authorised users) is visible inside ScoutSocial only to (a) the user who authorised the YouTube connection, and (b) workspace members the authorising user has explicitly approved through our access-controls. We do not display YouTube Authorized Data to other organisation members by default; the authorising user can extend or revoke access at any time in Settings → Connections → YouTube → Authorized viewers.
7. International Data Transfers
Personal data may be transferred to and processed in countries outside your jurisdiction. For transfers of EU/EEA personal data to non-adequate countries — notably to our US-based sub-processors (Clerk, AWS US regions where applicable, OpenAI, Anthropic, Google Analytics, LangSmith) — we rely on the European Commission's Standard Contractual Clauses (SCCs), Module One (controller-to-controller) or Module Two (controller-to-processor) as applicable, together with supplementary technical measures (encryption in transit and at rest, redaction of identifiers before AI sub-processors). For transfers of UK personal data we rely on the UK International Data Transfer Addendum (IDTA) to the SCCs. As an additional safeguard for transfers of X-sourced data to X Corp. (USA), we rely on X's certification under the EU-US Data Privacy Framework, the Swiss-US DPF and the UK Extension. A copy of the relevant transfer documentation is available on request to privacy@scoutsocial.ai.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy. Two layers of retention rules apply: (1) ScoutSocial's general retention windows; (2) platform-specific retention caps imposed by each Connected Platform, which override the general windows where they are shorter.
General retention: account data — retained while your account is active, deleted within 30 days of account closure (unless legally required to retain). A 30-day grace period applies before the permanent, irreversible deletion of an organisation and its content and media; during that window a pending deletion can be cancelled, after which the deletion cannot be undone. Content and posts authored in ScoutSocial — retained while your organisation is active. Aggregate ScoutSocial analytics not subject to a platform cap — up to 24 months. Operational logs and audit trails — 12 months. AI processing data — not retained by our AI sub-processors beyond processing.
Platform-specific caps (apply to data sourced from each platform's API):
| Source | Data category | Cap |
|---|---|---|
| Profile data of non-authenticated Members | 24 hours | |
| Member-authored social activity (comments, post bodies) | 48 hours | |
| Authenticated org social activity | 6 months | |
| Non-authenticated org social activity | 6 weeks | |
| Aggregate org analytics (incl. AI-derived) | 1 year | |
| OAuth tokens and Member-tied data on Member request | Immediate | |
| YouTube | Authorisation tokens | While valid / connection active |
| YouTube | Statistics-type data | Indefinite, 30-day liveness check |
| YouTube | Other Authorised Data (titles, descriptions, tags, comments) | 30 calendar days, refresh-or-delete |
| YouTube | Non-Authorised Data (public search results, competitor channels) | 30 calendar days, refresh-or-delete |
| YouTube | On user revocation via Google security settings | Delete within 7 days |
| X | Ad/off-X interaction data | 12 months max |
| Meta (FB/IG) | API-fetched post content propagating user deletion | Within 90 days of source deletion |
| TikTok | All TikTok Information on API termination | Delete in all forms |
| All platforms | Customer requests deletion via Settings → Privacy | Within 30 days |
When a Connected Platform requires shorter retention or earlier deletion, that requirement prevails. On account closure or disconnection, we delete cached platform data per the platform's stated timeline; where YouTube requires it, we provide signed deletion certification to Google.
9. Your Rights
Depending on your jurisdiction, you may have rights to access, rectify, erase, port, restrict or object to our processing of your personal data, and to withdraw consent where processing relies on consent. To exercise any of these rights, use the in-product tools in Settings → Privacy & Cookies or email privacy@scoutsocial.ai; we will respond within one calendar month. Two important clarifications: (i) deletion requests fulfilled by ScoutSocial only remove copies of data held by us — they do not delete content stored by the Connected Platform itself; to remove content from a platform, please use that platform's own tools; (ii) rights against the Connected Platform's own processing must be exercised with the platform — for example, TikTok rights via the TikTok webform, Google/YouTube rights via myaccount.google.com, Meta rights via Facebook's Help Center, LinkedIn rights via LinkedIn Help, X rights via the X privacy contact form. For California residents, see our CCPA Rights notice for the full set of CCPA/CPRA rights. Data export files. When you generate a data export (for example, to exercise your access or portability rights), the export file is available for 7 days after generation and is then permanently deleted; you can request a new export at any time. Marketing communications. Every marketing email we send includes a one-click unsubscribe link, and you can opt out of marketing communications at any time; opting out does not affect essential service messages (e.g. billing, security and account notices).
10. Children's Privacy
ScoutSocial is a B2B platform and is not directed to children under 18. We do not knowingly collect personal data from users under 18. Our 18+ rule satisfies the U.S. Children's Online Privacy Protection Act (COPPA) and we comply with the Video Privacy Protection Act (VPPA) where applicable. Where ScoutSocial processes platform-sourced content that is Made For Kids under YouTube's classification or otherwise involves minors (e.g. comments on a connected Page from accounts that are themselves child-directed), we suppress personalised tracking for that content and apply enhanced safeguards consistent with COPPA and GDPR Article 8 (children's data).
11. Security
We implement administrative, technical and physical safeguards designed to protect personal data from unauthorised access, alteration, disclosure or destruction. Measures include: encryption of data in transit and at rest, role-based access controls, encrypted storage of OAuth tokens, regular security assessments, audit logging of system activity and a documented incident-response process. Staff access to your data is limited to authorised personnel who require it for a specific support, debugging or compliance task and is subject to access controls; administrative actions taken on your data are recorded in a reviewable audit log. Such access is for support and operational purposes only; ScoutSocial staff cannot publish or otherwise act on your connected social accounts. Security vulnerabilities can be reported to legal@scoutsocial.ai or via the disclosure contact published at /.well-known/security.txt. Full details: Security Practices.
Data breaches. If a personal-data breach occurs, ScoutSocial will notify the competent supervisory authority within 72 hours of becoming aware where required, and will inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Share links. If you create a public share link for shareable content — such as a Scouty chat thread or a collaborative whiteboard — anyone who has the link can view that content without signing in. Public sharing is off by default; for chat threads it is additionally disabled where the thread contains platform-derived analytics. Only enable a public share link for content you intend to make publicly readable.
12. Updates to This Policy
We may update this Privacy Policy when our practices, features, sub-processors or applicable law change. We will post the updated version on this page with a new “Last updated” date and, for material changes affecting your rights, give at least 30 days' prior notice by email or in-app notification before they take effect.
12.1 Public accessibility
This Privacy Policy is published at https://scoutsocial.ai/legal/privacy without geographic restriction and is the URL registered with each Connected Platform's developer dashboard. Material changes are reflected on the live URL within 24 hours of publication.
Not a ScoutSocial customer? Request your data here
If your name, handle, or profile URL appears in our system because one of our customers mentioned or commented on your content on a social platform, you can request that we delete any record of you. Submissions are processed by a human within 72 hours. You will receive a confirmation at the email you provide.
We obtain this information from the Connected Platform's API (not from you directly) and process it on behalf of, and on the instructions of, the ScoutSocial customer whose content you interacted with — that customer is the controller, relying on its legitimate interest in managing its own social-media presence, and ScoutSocial acts as processor. We retain it only for the per-platform windows set out in § 8.
13. Contact
If you have questions about this Privacy Policy or how we handle your data:
Email: privacy@scoutsocial.ai
Privacy contact: privacy@scoutsocial.ai. Our Data Protection contact is reachable at the same address; we will appoint a formal Data Protection Officer if and when required by applicable law. EU/UK data subjects have the right to lodge a complaint with their local supervisory authority.

