1. Who we are & scope

This Privacy Policy explains how VentureKit CMS ("VentureKit", "we", "us") collects, uses, shares and protects personal data when you use the VentureKit CMS workspace at cms.venturekit.dev and related services (the "Service").

The Service is a business-to-business content management platform. We act as a data controller for account and billing data, and as a data processor for the content and connected-account data you and your team manage in your workspace, which we process on your instructions. Where you connect third-party accounts (LinkedIn, X, Facebook, Instagram), you remain responsible for the content you choose to publish through them.

2. Information we collect

• Account data — your name, email address and a hashed password (or identity-provider identifier), and your role within a workspace.
• Workspace & content data — the articles, social posts, briefs, strategy (clusters, authors, keywords), media and configuration you create or generate in the Service.
• AI provider keys — the API keys you supply for your AI providers (Anthropic, Google, optionally OpenAI), stored encrypted and used only to run the features you enable.
• Social connection data — see Social platform connections below.
• Usage, audit & cost data — logs of actions taken in the Service (saves, publishes, review decisions, failures, AI calls), with actor attribution and associated cost/usage metrics.
• Technical data — IP address, device/browser information and a session cookie strictly necessary to keep you signed in. We do not use advertising or cross-site tracking cookies.

3. Social platform connections

When you connect a social account, you authorize the connection through that platform's OAuth flow. We request only the permissions needed to publish content you approve, and we store the resulting credentials encrypted at rest. Specifically:

• LinkedIn — scopes openid, profile and w_member_social. We store an access token and your member identifier (author URN) to publish posts as you.
• X (Twitter) — scopes tweet.read, tweet.write, users.read and offline.access. We store an access token and a refresh token (X access tokens are short-lived) and your account handle.
• Facebook — scopes pages_show_list, pages_read_engagement and pages_manage_posts. We store a Page access token and Page identifier to publish to the Facebook Page you select.
• Instagram — through the Meta Graph API, we resolve and store the Instagram Business account linked to your Facebook Page in order to publish to it.

We use this data solely to publish the content you have approved and to show connection status in the workspace. We do not read your private messages, import your contacts, or use platform data for advertising or to train AI models. You can disconnect any platform at any time (see Data deletion & revoking access).

4. How we use information

We use personal data to:

• provide, operate and secure the Service and your workspace;
• generate, translate and schedule content using the AI providers and personas you configure;
• publish content you approve to the social accounts you have connected, on your instruction;
• maintain audit logs and cost accounting, and provide support and service communications;
• comply with legal obligations and enforce our terms.

5. Legal bases (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service); consent (for connecting third-party social accounts, which you may withdraw at any time by disconnecting); legitimate interests (to secure, maintain and improve the Service); and compliance with legal obligations.

6. How we share data & subprocessors

We do not sell personal data. We share it only with service providers who process it on our behalf, and with the platforms you direct us to publish to:

• AI providers — Anthropic, Google and (optionally) OpenAI receive the prompts and content needed to generate and translate your material.
• Social platforms — LinkedIn, X and Meta (Facebook/Instagram) receive the content you approve for publication, via their APIs.
• Cloud infrastructure — Amazon Web Services (AWS) hosts the Service and stores data.
• Legal — we may disclose data where required by law or to protect our rights, users or the public.

Your use of each connected platform is also governed by that platform's own privacy policy and terms.

7. Platform commitments

Our use and transfer of information received from platform APIs adheres to each platform's developer policies, including the Meta Platform Terms and Developer Policies, the LinkedIn API Terms of Use, and the X Developer Agreement and Policy. In particular, data obtained through these APIs is used only to provide the publishing features you enable; it is not used for advertising, sold to third parties, or used to train machine-learning or AI models. We retain platform data only as long as needed to provide the feature, and delete it when you disconnect the account or close your workspace.

8. Data retention

We retain personal data for as long as your workspace is active or as needed to provide the Service. Social access and refresh tokens are kept until you disconnect the account or they are revoked by the platform. Audit and cost records may be retained for a limited period for security and accounting. When you close your workspace, we delete or anonymize personal data within a commercially reasonable period, except where retention is required by law.

9. Data deletion & revoking access

You can remove your data and revoke platform access at any time:

• Disconnect a social account — in the workspace, go to Settings → Secrets and disconnect the platform. This immediately deletes the stored access/refresh tokens and account identifiers for that platform.
• Revoke from the platform — you may also remove our app from your LinkedIn, X, Facebook or Instagram account settings at any time.
• Delete your account or workspace — email us at legal@venturekit.dev with the subject "Data deletion request" and we will delete your personal data and connected content, subject to legal retention requirements, and confirm once complete.

For Meta (Facebook/Instagram) data specifically, this section serves as our data deletion instructions: disconnecting in Settings → Secrets, or emailing the address above, removes all data we obtained from Meta.

10. Security

We protect data with encryption in transit and at rest, encrypted storage of secrets and access tokens, scoped access controls, and audit logging. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify you of incidents where required by law.

11. International transfers

We and our subprocessors may process data in countries other than yours. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) for international transfers of personal data.

12. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, restrict or object to the processing of your personal data, and to withdraw consent. To exercise these rights, contact us at legal@venturekit.dev. You may also have the right to lodge a complaint with your local data protection authority.

13. Children

The Service is intended for businesses and is not directed to children under 16. We do not knowingly collect personal data from children.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the "Last updated" date above and, for material changes, provide additional notice where appropriate.

15. Contact us

For any privacy question or request, contact VentureKit CMS at legal@venturekit.dev.