Privacy Policy

Last updated: May 9, 2026

1. Introduction

Calota ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our AI ad creative generation platform, ad performance tracking tools, and content publishing tools at calota.ai ("the Service").

This policy also describes how we handle data received from Meta Platforms, Inc. ("Meta"), TikTok Pte. Ltd. ("TikTok"), and Google LLC ("Google", including data accessed via YouTube API Services) when you connect your social media accounts through our Service, in accordance with Meta's Platform Terms and Developer Policies, TikTok's Developer Terms of Service, and the YouTube API Services Terms of Service.

2. Information We Collect

Account Information: When you create an account, we collect your email address, name, and authentication credentials. If you sign in with Google, we receive your name, email, and profile picture from Google.

Payment Information: Payment processing is handled entirely by Stripe. We do not store your credit card numbers or bank details. We receive only your subscription status, plan type, and billing history from Stripe.

User Content: We process images you upload (reference ads, product photos, moodboards) solely to generate ad creatives. Images are sent to our AI processing provider for generation and are not stored permanently on our servers.

Video Content: When you use the Publisher feature, video files you upload for publishing are stored on our cloud storage provider (Cloudflare R2) so they can be accessed by third-party platforms (Meta, TikTok, YouTube) during the publish process. These video files remain stored until you delete them, delete the associated post, or your account is terminated.

Generated Content: AI-generated images are returned directly to your browser and stored locally on your device (in browser storage). We do not retain copies of generated images on our servers.

Usage Data: We collect basic usage metrics including generation counts, post counts, feature usage, and account activity to operate the Service and enforce plan limits.

Device Information: We collect a canvas-based device fingerprint and IP address solely for the purpose of preventing abuse of the free tier. This information is not used for tracking or advertising purposes.

3. Meta (Facebook & Instagram) Data

When you connect your Meta accounts through our Service, we receive and process data from Meta depending on the features you use:

Ad Tracker (Creative Tracker) — data we receive:

Ad account information: account ID, account name, currency, and account status.
Ad performance data: ad names, campaign names, ad set names, delivery status, spend, impressions, frequency, CPC, link CTR, ROAS, CPA, revenue, video view metrics, and cost per thruplay.
Ad preview links: shareable preview URLs for your ads.
Access tokens: OAuth access tokens that allow us to retrieve your ad data on your behalf.

Publisher — data we receive:

Facebook Page information: Page ID, Page name, and Page access tokens for Pages you authorise.
Instagram account information: Instagram professional account ID, username, display name, and profile picture URL for accounts linked to authorised Pages.
Page access tokens: long-lived tokens that allow us to publish content to your Pages and linked Instagram accounts on your behalf.

How we use Meta data:

• To display your ad performance metrics in the Ad Tracker dashboard.
• To generate read-only client view links so you can share performance data with your clients.
• To calculate aggregate statistics (total spend, revenue, ROAS trends) across your connected ad accounts.
• To publish video content, images, and Reels to your Facebook Pages and Instagram accounts when you initiate a publish or schedule action.

How we do NOT use Meta data:

• We do not sell Meta data to any third party.
• We do not use Meta data for advertising, targeting, or profiling purposes.
• We do not use Meta data to build or augment user profiles for advertising.
• We do not transfer Meta data to any data broker, ad network, or advertising service.
• We do not use Meta data for any purpose other than providing the Ad Tracker and Publisher features to you.
• We do not share Meta data with any third-party service except as required to operate the features (i.e., storing it in our database and communicating with Meta's API).

4. TikTok Data

When you connect your TikTok account through our Publisher feature, we receive and process the following data from TikTok's API:

Data we receive from TikTok:

Basic profile information: your TikTok open_id (a unique identifier specific to our app), display name (nickname), username, and profile picture URL.
Creator publishing information: your available privacy level options, maximum video duration, and interaction settings (comment, duet, stitch availability).
Access and refresh tokens: OAuth tokens that allow us to publish content to your TikTok account on your behalf. Access tokens expire after 24 hours; refresh tokens are valid for 365 days.
Publish status data: status updates for content we publish on your behalf (processing, published, failed).

How we use TikTok data:

• To display your connected TikTok account information (name, username, avatar) in the Publisher dashboard.
• To publish video content to your TikTok account when you initiate a publish or schedule action.
• To query your creator information so we can display the correct privacy options and interaction settings when you create a post.
• To check the publishing status of content uploaded to TikTok on your behalf.
• To refresh your access token when it expires, using your refresh token, so the Service continues to function without requiring you to re-authorise.

How we do NOT use TikTok data:

• We do not sell TikTok data to any third party.
• We do not use TikTok data for advertising, targeting, or profiling purposes.
• We do not share TikTok data with any third-party service other than TikTok's own API.
• We do not use TikTok data for any purpose other than providing the Publisher feature to you.
• We do not access your TikTok direct messages, followers list, or analytics data.
• We do not add watermarks, logos, or promotional content to videos published on your behalf.

5. YouTube Data

When you connect your YouTube channel through our Publisher feature, we receive and process the following data via the YouTube Data API v3:

Data we receive from YouTube:

Basic channel information: channel ID, channel title (name), custom URL (handle), avatar URL, and subscriber count.
Access and refresh tokens: OAuth tokens issued by Google that allow us to upload videos to your channel and read your channel info on your behalf. Access tokens expire after approximately one hour; refresh tokens remain valid until you revoke them at security.google.com/settings/permissions.
Upload responses: the video ID and watch URL returned by YouTube after a successful upload, which we associate with the corresponding post in your dashboard.

How we use YouTube data:

• To display your connected channel information (name, handle, avatar, subscriber count) in the Publisher dashboard.
• To upload Shorts and long-form videos to your YouTube channel when you initiate a publish or schedule action.
• To honour scheduled publishes by setting YouTube's native publishAt field on the upload, so the video auto-publishes at your chosen moment.
• To refresh your access token automatically using the refresh token, so the Service continues to function without requiring you to re-authorise.

How we do NOT use YouTube data:

• We do not aggregate YouTube data across users.
• We do not resell, share, or syndicate YouTube data to any third party.
• We do not use YouTube data for advertising, targeting, or profiling purposes.
• We do not use YouTube data to train AI or machine-learning models.
• We do not access your video lists, comments, playlists, search history, recommendations, or analytics beyond the channel info listed above.
• We do not modify videos after upload, alter metadata after publish, or interact with comments or subscriptions on your behalf.

YouTube API Services and Google policies: By using the Calota Publisher feature for YouTube, you also agree to be bound by the YouTube Terms of Service and Google Privacy Policy.

6. Access Tokens (Meta, TikTok, and YouTube)

When you authorise Calota to access your Meta, TikTok, or YouTube accounts, the respective platform issues access tokens. We store these tokens securely in our database, encrypted at rest.

Meta tokens: We exchange short-lived tokens for long-lived tokens (valid for approximately 60 days for user tokens; Page tokens derived from long-lived user tokens do not expire). These are used to fetch ad data and publish content to your Pages and Instagram accounts.

TikTok tokens: Access tokens expire after 24 hours. We store your refresh token (valid for 365 days) and use it to obtain new access tokens automatically. If your refresh token expires, you will need to re-authorise your TikTok account.

YouTube (Google) tokens: Access tokens expire after approximately one hour. We store your refresh token and use it to obtain new access tokens automatically. Refresh tokens remain valid until you revoke them at security.google.com/settings/permissions or disconnect the channel from within Calota.

We never share your access tokens with any third party. When you disconnect an account or delete your data, the associated tokens are permanently deleted from our systems within 48 hours.

7. How We Use Your Information

We use your information to: (a) provide and operate the Service, including AI ad generation, ad performance tracking, and content publishing; (b) process payments and manage subscriptions; (c) enforce usage limits and prevent abuse; (d) send team invite emails when requested by a team owner; (e) communicate important updates about the Service; (f) publish and schedule content to your connected social media accounts when you initiate such actions; and (g) improve and develop new features.

8. Data Processing and AI

Images you upload for ad generation are sent to a third-party AI processing provider for image generation. This provider processes images according to its own API terms of service. We send images over encrypted connections and do not grant any third party rights to your content beyond what is necessary for processing your request. Images submitted via API are not used to train AI models. YouTube data, Meta data, and TikTok data are never sent to any AI processing provider and are never used to train AI or machine-learning models.

9. Data Storage

Account data (email, name, plan, usage) is stored in our cloud database, hosted on infrastructure in the EU.

Social account data (Meta Page IDs, Instagram account IDs, TikTok open_ids, YouTube channel IDs, account names, usernames, handles, avatar URLs, subscriber counts, and encrypted access/refresh tokens) is stored in our database for as long as the accounts remain connected.

Meta ad account data (account IDs, access tokens, performance metrics) is stored in our database. Access tokens are encrypted at rest. Performance data is fetched in real time from Meta's API and is not cached or stored permanently — it is retrieved fresh each time you load the dashboard.

Post data (captions, titles, platform selections, scheduling times, publish status, returned video IDs, and error logs) is stored in our database. This data is retained for as long as your account is active.

Video files uploaded for publishing are stored on Cloudflare R2 (a cloud storage service). These files are hosted in the EU (Western Europe) and are accessible via a public URL so that Meta, TikTok, and YouTube can retrieve them during the publish process. Video files remain stored until you delete the associated post, or your account is terminated.

Generated images are stored locally in your browser using IndexedDB. They are not uploaded to or stored on our servers.

Uploaded images (for ad generation) are transmitted to our API for processing but are not permanently stored. They exist in memory only during the generation request.

10. Data Sharing

We do not sell your personal information. We share data only with the categories of third-party service providers that are essential to operating the Service:

• Cloud infrastructure and database hosting providers
• Cloud storage providers (Cloudflare R2 — for video file hosting)
• Payment processing providers
• AI and machine learning processing providers
• Meta Platforms, Inc. — for ad performance data retrieval and content publishing when you connect your accounts (required by Meta's Platform Terms)
• TikTok Pte. Ltd. — for content publishing when you connect your TikTok account (required by TikTok's Developer Terms)
• Google LLC (YouTube Data API v3) — for channel information retrieval, video uploads, and OAuth token refresh when you connect your YouTube channel (required by the YouTube API Services Terms of Service)
• Application hosting providers
• Email delivery providers (for transactional emails such as team invites only)
• Image processing providers

Each of these providers processes data in accordance with their own privacy policies and data protection agreements. We only share the minimum data necessary for each provider to perform its function. Meta data is only stored in our own database and communicated back to Meta's API. TikTok data is only stored in our own database and communicated back to TikTok's API. YouTube data is only stored in our own database and communicated back to Google's YouTube Data API — none of the three platforms' data is shared with any other provider.

11. Cookies and Local Storage

We use browser localStorage to store your authentication session, preferences, and referral attribution codes. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No data is shared with advertisers or analytics platforms.

12. Data Retention

We retain your account information for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal or legitimate business purposes. Usage logs and device fingerprints used for abuse prevention are retained for 90 days.

Meta data retention: Connected ad account and Page information (account IDs, names, access tokens) is retained for as long as the account remains connected. When you disconnect an account, all associated data including the access token is deleted immediately.

TikTok data retention: Connected TikTok account information (open_id, username, display name, avatar URL, access token, refresh token) is retained for as long as the account remains connected. When you disconnect a TikTok account, all associated data including both the access token and refresh token is deleted immediately.

YouTube data retention: Connected YouTube channel information (channel ID, name, handle, avatar URL, subscriber count, access token, refresh token) is retained for as long as the channel remains connected. When you disconnect a YouTube channel — either from within Calota's Accounts tab, or by revoking access at security.google.com/settings/permissions — all associated data including both the access token and refresh token is deleted from our systems within 48 hours. Cached YouTube data is refreshed at least every 30 days, in accordance with the YouTube API Services Developer Policies.

Video file retention: Video files uploaded for publishing are retained on Cloudflare R2 until you delete the associated post, or until your account is terminated. Upon account termination, all associated video files are deleted within 30 days.

13. Your Rights and Data Deletion

Under applicable data protection laws (including UK GDPR), you have the right to: (a) access the personal data we hold about you; (b) request correction of inaccurate data; (c) request deletion of your data; (d) object to or restrict processing of your data; (e) request portability of your data; and (f) withdraw consent at any time.

How to delete your data:

Disconnect a social account: Go to the Publisher or Ad Tracker in your dashboard, and click "Disconnect" or "Remove" next to the account you wish to disconnect. This immediately deletes the account record, access tokens, and all associated data from our systems.

Delete specific Meta ad accounts: Go to the Ad Tracker in your dashboard, select the account you wish to disconnect, and click "Remove." This immediately deletes the account record, access token, and all associated client view links from our systems.

Delete a scheduled or draft post: Go to the Publisher queue, find the post, and click delete. This removes the post record from our database. The associated video file on Cloudflare R2 may be retained if it is used by other posts.

Delete all Meta data: Email us at support@calota.ai with the subject line "Delete all Meta data" and we will remove all connected ad accounts, Pages, Instagram accounts, access tokens, client view links, and whitelabel settings associated with your account within 48 hours.

Delete all TikTok data: Email us at support@calota.ai with the subject line "Delete all TikTok data" and we will remove all connected TikTok accounts, access tokens, refresh tokens, and profile information associated with your account within 48 hours.

Delete all YouTube data: Email us at support@calota.ai with the subject line "Delete all YouTube data" and we will remove all connected YouTube channels, access tokens, refresh tokens, and channel information associated with your account within 48 hours. You may also revoke Calota's access entirely at security.google.com/settings/permissions, which automatically severs Calota's ability to access your channel.

Delete your entire Calota account: Email us at support@calota.ai with the subject line "Delete my account." We will permanently delete your account and all associated data — including your profile, Meta ad account connections, Meta Page connections, Instagram connections, TikTok connections, YouTube channel connections, all access and refresh tokens, client links, referral records, team membership, published post records, uploaded video files, and any other data we hold — within 30 days.

Delete local data: Generated images and saved content are stored in your browser's local storage and IndexedDB. To delete this data, clear your browser data for calota.ai, or use the "Clear History" and "Clear Saved" options within the app.

Meta data deletion callback: If you remove the Calota app from your Meta account via Facebook Settings → Apps and Websites, Meta will notify us via a data deletion callback. Upon receiving this notification, we will automatically delete all Meta-related data associated with your account (ad account records, Page records, Instagram records, access tokens, and client view links) within 48 hours and provide a confirmation to Meta.

14. Meta Platform Compliance

Our use of Meta data complies with Meta's Platform Terms and Developer Policies. Specifically:

• We only request the permissions necessary to provide the Ad Tracker and Publisher features (ads_read, ads_management, business_management, pages_show_list, pages_read_engagement, pages_manage_posts, instagram_basic, instagram_content_publish).
• We do not use Meta data for any purpose other than providing the Service to you.
• We do not sell, license, or otherwise transfer Meta data to any third party.
• We do not use Meta data to create surveillance tools.
• We do not use Meta data to discriminate against or harm any individual or group.
• We honour all data deletion requests and Meta's data deletion callback.
• We store Meta access tokens securely, encrypted at rest, and delete them immediately when an account is disconnected.
• Users can revoke our access at any time by disconnecting their accounts in Calota, or by removing the Calota app from their Meta account settings.

15. TikTok Platform Compliance

Our use of TikTok data complies with TikTok's Developer Terms of Service and Content Posting API guidelines. Specifically:

• We only request the scopes necessary to provide the Publisher feature (user.info.basic, video.upload, video.publish).
• We display the creator's nickname on the upload page so users are aware of which TikTok account content will be uploaded to.
• We require users to manually select a privacy level before publishing — there is no default value.
• We allow users to configure interaction settings (comments, duet, stitch) and commercial content disclosures before publishing.
• We display consent language ("By posting, you agree to TikTok's Music Usage Confirmation") before publishing.
• We do not add promotional watermarks or logos to content published on behalf of users.
• We only send content to TikTok after the user has expressly consented to the upload.
• We poll TikTok's publish status API and display the status to users so they understand the state of their posts.
• We do not use TikTok data for any purpose other than providing the Publisher feature.
• We store TikTok tokens securely, encrypted at rest, and delete them immediately when an account is disconnected.
• Users can revoke our access at any time by disconnecting their TikTok account in Calota.

16. YouTube API Services Compliance

Our use of YouTube API Services complies with the YouTube API Services Terms of Service and Google's developer policies. Specifically:

• We only request the scopes necessary to provide the Publisher feature (youtube.upload and youtube.readonly).
• We do not use YouTube data for any purpose other than providing the Publisher feature to you.
• We do not sell, license, or otherwise transfer YouTube data to any third party.
• We do not use YouTube data to create surveillance tools.
• We do not use YouTube data to train AI or machine-learning models.
• We refresh stored YouTube data at least every 30 days, in accordance with the YouTube API Services Developer Policy retention requirements.
• We store access and refresh tokens securely, encrypted at rest, and delete them immediately when a channel is disconnected from Calota or its access is revoked from your Google Account.
• Users can revoke Calota's access to YouTube at any time by visiting security.google.com/settings/permissions and removing Calota from the list. Once revoked, all stored tokens and channel data are deleted from our systems within 48 hours.
• Users can request deletion of their YouTube data at any time by emailing support@calota.ai.

17. Children's Privacy

The Service is not intended for users under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

18. International Transfers

Your data may be processed in countries outside of the UK/EEA by our third-party service providers, including providers based in the United States. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses, to protect your data in accordance with applicable data protection laws.

19. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (TLS/SSL), secure authentication, server-side API key management, access token encryption at rest, refresh token encryption at rest, and role-based access controls. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

20. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically. If we make changes that affect how we handle Meta, TikTok, or YouTube data, we will notify affected users by email.

21. Contact Us

If you have any questions about this Privacy Policy, our data practices, or wish to exercise any of your data rights, please contact us:

Email: support@calota.ai

For data deletion requests, please include your account email address and specify what data you would like deleted. We will respond within 48 hours and complete the deletion within the timeframe specified in Section 13.