Privacy Policy

1. Information We Collect

We collect information in the following categories:

a. Information You Provide Directly

• Account registration details: name, email address, password;
• Billing and payment information (processed by Stripe — we do not store full card numbers);
• Content you create, upload, or manage on the platform: titles, descriptions, scripts, transcripts, captions, tags, notes, and metadata;
• Communications you send to our support or legal team.

b. Information Collected Automatically

• Usage and interaction data: features used, pages viewed, actions taken, timestamps;
• Device and technical data: IP address, browser type, operating system, device identifiers;
• Authentication tokens and session cookies necessary to keep you logged in and maintain Service functionality;
• Aggregated, anonymized performance and error data collected via our application monitoring provider (New Relic) for the purpose of diagnosing issues and improving the Service.

c. Information from Connected Social Media Accounts

When you connect a social media account to Doro Social, we receive data from that platform via its official API. No data is collected from a platform until you actively connect that account and authorize access via OAuth. The specific data accessed depends on the permissions you grant. This may include:

• YouTube: Channel information, video metadata (titles, descriptions, tags, thumbnails), upload and scheduling permissions, and analytics data via the YouTube Data API v3 and YouTube Analytics API;
• TikTok: Basic profile information (unique account identifier, display name, and profile picture), creator posting settings needed to render TikTok publishing options, and publishing permissions for Direct Post via the TikTok for Developers API and TikTok Login Kit;
• Instagram: Business or Creator account profile data, media objects, insights, and publishing permissions via the Instagram Graph API;
• Facebook: Page profile data, page insights, and publishing permissions via the Meta Graph API;
• LinkedIn: Profile information and publishing permissions via the LinkedIn API;
• X (Twitter): Profile information (user id, username, display name, and profile picture), publishing permissions, and refresh tokens needed to keep the connection active until you revoke access.

We access and retain only the data necessary to provide the specific features of the Service you use (e.g., content scheduling, metadata management, analytics display). For platforms not yet integrated at the time of your account creation, no data will be collected until that integration becomes available and you actively connect your account and grant consent.

2. How We Use Your Information

We use the information we collect to:

• Create, maintain, and secure your Doro Social account;
• Provide Service features including content planning, template generation, scheduling, multi-platform deployment, and workflow management;
• Execute actions on connected social media platforms on your behalf (such as publishing or scheduling content) based on your explicit instructions;
• Display your social media analytics and content data within the Service;
• Process payments and manage your subscription;
• Send transactional and account-related communications (e.g., billing receipts, security alerts, policy updates);
• Improve the reliability, performance, and features of the Service through aggregated and anonymized analytics;
• Detect and prevent fraud, abuse, and security incidents;
• Comply with applicable legal obligations.

We do not use data obtained through social platform APIs (including YouTube, TikTok, Meta, LinkedIn, or X APIs) for: advertising targeting, building user profiles for third-party use, training artificial intelligence or machine learning models without explicit informed consent, or any purpose not disclosed in this Privacy Policy.

3. YouTube API Services — Specific Disclosures

Doro Social uses YouTube API Services (YouTube Data API v3 and YouTube Analytics API). Our use of these services is governed by the YouTube API Services Terms of Service and the YouTube Terms of Service. By connecting your YouTube account, you are also bound by those agreements.

Google API Services User Data Policy. Doro Social's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, we do not use Google user data to serve advertisements, we do not allow humans to read Google user data unless we have obtained your affirmative consent, the data is needed for security investigations, or it is required to comply with applicable law, and we do not sell or transfer Google user data to third parties for advertising, credit-worthiness, or any other purpose unrelated to providing the Service to you.

• Data collected via YouTube API: Channel profile information, video metadata (titles, descriptions, tags, thumbnails, upload dates), video performance analytics (views, watch time, likes, comments), and any other data included in API responses for the OAuth scopes you authorize;
• Purpose of YouTube data use: Solely to enable you to manage and organize your YouTube content within Doro Social, to display your YouTube analytics to you, and to publish or schedule content to YouTube at your explicit direction;
• No sale or unauthorized transfer: We do not sell, rent, lease, or otherwise transfer YouTube API data to any third party for their independent use. YouTube data is shared with sub-processors only as described in Section 8 of this policy, and only as necessary to operate the Service;
• No AI training on YouTube data: We do not use YouTube API data to train machine learning models, build behavioral profiles, or conduct analysis beyond what is necessary to deliver the Service features you use;
• Data retention and deletion: YouTube API access tokens are revoked and deleted immediately when you disconnect your YouTube account. You can request deletion of your Google/YouTube data held by Doro Social at any time using any of the following methods: (i) click Disconnect next to YouTube on your Doro Social Settings page to revoke the integration; (ii) use the Permanently Wipe All Data control in the YouTube Danger Zone to delete YouTube-specific metadata, cached content, analytics, comments, and stored video IDs/URLs from Doro Social; (iii) use the Delete Account control on your Settings page to permanently delete your Doro Social account and all associated YouTube data; or (iv) email [email protected] to request manual deletion. YouTube-specific data deleted through the YouTube Danger Zone is permanently deleted from our active systems immediately, except where limited retention is required by law, security, fraud prevention, or backup operations;
• Revoking YouTube/Google access: You can revoke Doro Social's access to your Google/YouTube account at any time from your Doro Social Settings page, or directly via Google Security Settings. Revoking access will immediately prevent Doro Social from accessing your YouTube account.

Google's privacy practices are described in the Google Privacy Policy.

4. TikTok API — Specific Disclosures

Doro Social integrates with TikTok via the TikTok for Developers API and TikTok Login Kit. This integration is currently pending TikTok API approval; when approved and enabled in your account, you will be able to connect your TikTok account and the following disclosures apply once you do. In connection with our use of the TikTok for Developers API and TikTok Login Kit, Doro Social makes the following specific disclosures required for platform compliance:

• Data collected via TikTok API: User profile information (display name, unique account identifier, profile picture) and creator posting settings returned by TikTok for the permission scopes you authorize, such as available privacy levels and interaction settings;
• Purpose of TikTok data use: Solely to let you connect your TikTok account, choose compliant posting settings, and publish content you expressly approve through Doro Social;
• No sale or unauthorized transfer: We do not sell, rent, lease, or otherwise transfer TikTok user data to any third party for their independent use. TikTok data is shared with sub-processors only as described in Section 8 of this policy;
• No AI training on TikTok data: We do not use TikTok API data to train machine learning models, build behavioral profiles, or conduct analysis beyond what is necessary to deliver the Service features you use;
• Data retention: When you disconnect your TikTok account in Doro Social, your TikTok API access and refresh tokens are revoked at TikTok and removed from our active database immediately. Encrypted backup copies are purged within 30 days as part of our standard backup rotation. Cached TikTok content data is deleted within 30 days of account deletion or upon your written request to [email protected];
• Revoking TikTok access: You can revoke Doro Social's access to your TikTok account at any time from your Doro Social Settings page, or directly via TikTok's Connected Apps settings. Revoking access will immediately prevent Doro Social from accessing your TikTok account.

Our use of TikTok API services is governed by the TikTok Developer Terms of Service and the TikTok Privacy Policy, which govern TikTok's own data practices.

5. Meta (Facebook, Instagram & Threads) API — Specific Disclosures

Doro Social integrates with Meta platforms via Facebook Login, the Meta Graph API, Instagram Graph API, and Threads API. Users can connect eligible Facebook Pages, Instagram Business/Creator accounts linked to those Pages, and Threads profiles. The following disclosures apply once you connect a Meta account:

• Data collected via Meta APIs: Meta profile identifiers, display names, and email addresses if granted, Facebook Page identifiers and names, Page access tokens, Instagram Business/Creator account identifiers and usernames, Threads profile identifiers and usernames, granted permission metadata, token expiration timestamps, and publish identifiers returned by Meta APIs — as permitted by the OAuth scopes you authorize. Because Meta uses shared authorization for these surfaces, a Meta connection may request Facebook, Instagram, and Threads permissions together; Doro Social uses granted permissions only to connect, display, and publish to enabled Meta surfaces in the Service;
• Purpose of Meta data use: Solely to enable you to connect, manage, schedule, and publish your Facebook Page, Instagram, and Threads content within Doro Social, and to show connection status and publishing history to you;
• No sale or unauthorized transfer: We do not sell, rent, lease, or otherwise transfer Meta platform data to any third party for their independent use. Meta API data is used only as described in this Privacy Policy and as permitted by Meta Platform Terms;
• No AI training on Meta data: We do not use Meta API data to train machine learning models or conduct analysis beyond what is necessary to deliver the Service features you use;
• Data retention: Meta platform API access tokens are revoked where supported and deleted when you disconnect or delete your Meta connection in Doro Social. Meta-derived connection metadata and publish identifiers are deleted when you use the delete-data control, when Meta sends us a valid data deletion callback, or upon verified written request;
• Revoking Meta access: You can revoke Doro Social's access to your Meta accounts at any time from your Doro Social Settings page, or directly via Facebook's Apps and Websites settings.

Meta's privacy practices are described in Meta's Privacy Policy. Doro Social's use of Meta platform data is governed by the Meta Platform Terms, and we process such data only as permitted thereunder.

6. LinkedIn API — Specific Disclosures

Doro Social integrates with LinkedIn via the LinkedIn API to allow you to publish content to your LinkedIn personal profile. LinkedIn Company Pages, post analytics, and other Marketing Developer Platform features are available only if LinkedIn separately approves Doro Social for those APIs. The following disclosures apply once you connect a LinkedIn account:

• Data collected via LinkedIn API: Basic profile information (name and profile photo), your LinkedIn member identifier, and the permission to post content on your behalf via the w_member_social scope;
• Purpose of LinkedIn data use: Solely to enable you to publish content to your LinkedIn personal profile within Doro Social and to display the connected profile to you;
• No sale or unauthorized transfer: We do not sell, rent, lease, or otherwise transfer LinkedIn API data to any third party for their independent use. LinkedIn data is used only as described in this Privacy Policy and as permitted by LinkedIn's API Terms of Use;
• Data retention: LinkedIn API access tokens are removed from active use when you disconnect your LinkedIn account and deleted from Doro Social when you delete the connection data or your account;
• Revoking LinkedIn access: You can revoke Doro Social's access to your LinkedIn account at any time from your Doro Social Settings page, or directly via LinkedIn's Permitted Services settings.

LinkedIn's privacy practices are described in LinkedIn's Privacy Policy.

7. X API — Specific Disclosures

Doro Social integrates with X through the official X API to let you connect your own X account and publish public text posts when you explicitly request publication from Doro Social. The following disclosures apply once you connect an X account:

• Data collected via X API: Your X user id, username, display name, profile image, OAuth access token, OAuth refresh token, token expiration timestamp, and granted OAuth scopes;
• Purpose of X data use: Solely to display the connected X account to you, keep the connection active, and publish content to X only when you choose to publish, including applying X's paid-partnership label when you select that disclosure;
• Limited scopes: We request only the X permissions needed for native text-post publishing and account display. We do not request X email, Direct Message, follow, like, list, bookmark, ad, or media-upload permissions for the initial X integration;
• No scraping or non-API access: We use the official X API only and do not scrape X, automate browsers against X, or access X outside the permissions you grant;
• No AI training on X data: We do not use X API data or X Content to train machine learning or AI models, build behavioral profiles for third-party use, or derive sensitive attributes;
• Data retention and deletion: X OAuth tokens are removed from active use when you disconnect your X account and deleted from Doro Social when you delete the connection data or your account. If X requires removal of X Content from our systems, or you request deletion of X-specific data, we will remove the applicable X API data from active systems as required by X's developer policies and applicable law;
• Revoking X access: You can revoke Doro Social's access to your X account at any time from your Doro Social Settings page or from your X account's connected apps settings.

X's privacy practices are described in X's Privacy Policy.

8. Legal Basis for Processing (EEA / UK Users)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data on the following legal bases under the GDPR and equivalent laws:

• Contract: Processing necessary to provide the Service under our Terms of Service (e.g., account management, content publishing);
• Legitimate Interests: Fraud prevention, security, and Service improvement (where such interests are not overridden by your rights);
• Legal Obligation: Compliance with applicable laws and regulations;
• Consent: Where you have provided explicit consent, including for any optional communications or features.

9. How We Share Your Information

We do not sell, rent, or trade your personal information or social platform data. We share your data only in the following circumstances:

• Service Providers (Sub-processors): We share data with trusted third-party vendors who help us operate the Service, including:
  • Stripe — payment processing
  • DigitalOcean — cloud infrastructure and database hosting
  • Cloudflare — content delivery, DDoS protection, DNS
  • OpenAI — AI features (content generation, transcription) — content you submit for AI features is processed subject to OpenAI's Privacy Policy
  • Resend — transactional email delivery (e.g., email verification, billing receipts)
  • New Relic — application performance monitoring and error logging; collects request metadata and aggregated performance data
  • Google Cloud — infrastructure and API services
  All sub-processors are contractually bound to use your data only as necessary to provide their services and to maintain appropriate security standards.
• Social Media Platforms: When you direct Doro Social to publish content or take actions on a connected platform, we transmit the necessary data to that platform as instructed by you;
• Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal process (e.g., a court order or subpoena), or to protect the rights, property, or safety of Doro Social, our users, or others;
• Business Transfers: In the event of a merger, acquisition, or sale of substantially all of our assets, your information may be transferred as part of that transaction, subject to the acquiring entity honoring this Privacy Policy.

9. Cookies and Tracking Technologies

Doro Social uses a minimal set of cookies and local storage tokens strictly necessary to operate the Service:

• Authentication tokens: To keep you securely logged in across sessions;
• Session state: To maintain your workspace preferences and UI state;
• Security tokens: For CSRF protection and request integrity;
• Analytics: We use privacy-respecting website analytics to understand aggregate traffic patterns (e.g., page views, referral sources). Our analytics tool does not track individual users across sites, does not use advertising cookies, and does not share data with ad networks. No cross-site behavioral tracking is performed.

We do not use third-party advertising cookies, tracking pixels, or cross-site behavioral tracking technologies. We do not participate in ad networks or retargeting programs.

10. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

• Account data: Retained for the duration of your account and deleted within 30 days of account closure or deletion request;
• Content and workspace data: Retained while your account is active; deleted within 30 days following account deletion unless you request earlier deletion;
• Uploaded source video files: Stored source video files may be automatically deleted after the retention window for your plan to manage storage costs. Free-plan source videos are generally retained for 24 hours; paid-plan source video retention is longer and based on the retention period configured for your plan. When a source video file expires, Doro Social keeps the related dashboard item, post records, filename/reference, captions, transcripts, and metadata so you can identify the prior source and re-upload it if needed.
• Social platform API tokens (all platforms): Revoked and deleted within 30 days of disconnecting a connected account or account deletion;
• Cached social platform content data: Deleted within 30 days of account deletion or upon written request to [email protected];
• Billing records: Retained for 7 years as required by applicable financial regulations;
• Server logs: Retained for up to 90 days for security and debugging purposes.

11. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption of all data in transit using TLS (Transport Layer Security);
• Encryption of sensitive data at rest, including OAuth access tokens and credentials;
• Access controls that restrict employee and system access to personal data on a need-to-know basis;
• Regular security reviews and continuous infrastructure monitoring;
• Secure credential storage using industry-standard hashing practices.

While we take these precautions, no method of internet transmission or electronic storage is 100% secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

12. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you;
• Correction: Request correction of inaccurate or incomplete data;
• Deletion: Request permanent deletion of your account and personal data via your Settings page or by contacting us. Hard deletion is processed within 30 days, subject to legal retention requirements (e.g., billing records);
• Portability: Request an export of your data in a machine-readable format (JSON or CSV) via your Settings page or by contacting us;
• Restriction: Request that we restrict the processing of your data in certain circumstances;
• Objection: Object to processing based on legitimate interests;
• Withdraw Consent: Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing;
• Disconnect Social Accounts: Revoke Doro Social's access to any connected social media account at any time through your Settings page or directly through the relevant platform (see platform-specific sections above for direct revocation links).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing certain requests.

13. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect and how we use it, the right to delete your personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights. To exercise your California privacy rights, contact us at [email protected].

14. International Data Transfers

Doro Social is operated from the United States. If you are accessing the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from your country of residence. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) to protect cross-border data transfers in compliance with GDPR and equivalent regulations.

15. Children's Privacy

Doro Social is not intended for use by children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a minor, we will delete it promptly. If you believe we have inadvertently collected information from a minor, please contact us at [email protected].

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will notify you by email and/or by a prominent notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy. We retain all prior versions of this Privacy Policy and will provide them upon request.

17. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy team:

For EEA or UK residents wishing to file a complaint, you have the right to contact your local data protection authority.