Privacy Policy

Last updated: April 2026

This Privacy Policy describes how Elus - Marketing OS ("Elus", "we", "our", or "platform"), accessible at elus.cc, collects, uses, stores, and protects user information. By using our services, you agree to the practices described in this document.

1. Data We Collect

We collect the following categories of data:

Account data: Name, email address, password (stored as a cryptographic hash using scrypt), profile information, and tenant/organization data.

Google Ads integration data: When you connect your Google Ads account via OAuth 2.0, we access campaign data, ad groups, performance metrics (impressions, clicks, CTR, CPC, conversions, cost), and campaign settings. We do not store your Google credentials — only a revocable OAuth access token.

Instagram/Meta Integration Data: When you connect your Instagram Business account via Facebook Login, we access: username, profile picture, follower and post counts, engagement metrics (impressions, reach, likes, comments), and published media data. We store an encrypted long-lived access token (valid for 60 days, automatically refreshed) and the Instagram Business account identifier. We do not store your Facebook or Instagram password.

LinkedIn Integration Data: When you connect your LinkedIn account via OAuth 2.0, we access: your member profile name and identifier, and the list of LinkedIn Company Pages (organizations) where you are an administrator. We store an encrypted OAuth access token (valid for 60 days) and, if available, an encrypted refresh token (valid for up to 365 days). We do not store your LinkedIn password.

TikTok Integration Data: When you connect your TikTok account via OAuth 2.0 with PKCE, we access: your TikTok user identifier, display name, and avatar URL. We store an encrypted OAuth access token and refresh token. We do not store your TikTok password.

Pinterest Integration Data: When you connect your Pinterest account via OAuth 2.0, we access: your Pinterest user profile, board list, and pin analytics (impressions, saves, clicks). We store an encrypted OAuth access token and refresh token. We do not store your Pinterest password.

Twitter/X Integration Data: When you connect your Twitter/X account via OAuth 2.0 with PKCE, we access: your Twitter/X user profile (username, display name, profile image) and the ability to post tweets. We store an encrypted OAuth access token and refresh token. We do not store your Twitter/X password.

Threads Integration Data: When you connect your Threads account via the Threads API (Meta Platform), we access: your Threads user profile, post metrics (views, likes, replies, reposts, quotes), and reply data. We store an encrypted long-lived access token (valid for 60 days, automatically refreshed). We do not store your Threads or Instagram password.

Reddit Integration Data: When you connect your Reddit account via OAuth 2.0, we access: your Reddit username and the ability to submit posts to subreddits. We store an encrypted OAuth access token and refresh token. We do not store your Reddit password.

Usage data: Information about how you interact with the platform, including pages visited, features used, access times, and actions performed.

Content data: Ideas, creatives, articles, keywords, and other content you create or import to the platform.

2. How We Use Your Data

We use your data to:

  • Provide our services: Display campaign metrics, generate content with AI, provide optimization recommendations, and manage your editorial calendar.
  • Google Ads integration: Sync campaign data, analyze performance with AI, detect anomalies, generate alerts, and provide budget and bid optimization recommendations.
  • Instagram/Meta Integration: Publish content to Instagram on your behalf, display engagement and performance metrics for your posts, and manage comments. Publishing only occurs upon explicit user action.
  • LinkedIn Integration: Publish posts (text, images, articles, and multi-image) to your LinkedIn Company Page or personal profile on your behalf. Publishing only occurs upon explicit user action.
  • TikTok Integration: Publish video content to your TikTok account on your behalf. Publishing only occurs upon explicit user action.
  • Pinterest Integration: Publish pins to your Pinterest boards on your behalf and display pin analytics (impressions, saves, clicks). Publishing only occurs upon explicit user action.
  • Twitter/X Integration: Publish tweets to your Twitter/X account on your behalf and monitor publicly available content for competitor analysis. Publishing only occurs upon explicit user action.
  • Threads Integration: Publish posts to your Threads account on your behalf, display post and account metrics, and manage replies. Publishing only occurs upon explicit user action.
  • Reddit Integration: Submit posts to Reddit subreddits on your behalf. Publishing only occurs upon explicit user action.
  • Improve the platform: Analyze usage patterns to enhance features and user experience.
  • Communication: Send notifications about your account, performance alerts, and service updates.

3. Google Ads API Data Usage

Our use of data obtained via the Google Ads API complies with the Google API Services User Data Policy, including the Limited Use requirements.

What we access:

  • Campaign and ad group data (name, status, budget, settings)
  • Performance metrics (impressions, clicks, CTR, CPC, conversions, cost per conversion)
  • Keyword and search term data

What we do NOT do:

  • We do not modify campaigns, budgets, or bids without explicit user action
  • We do not share Google Ads data with third parties for advertising purposes
  • We do not sell Google Ads data
  • We do not use Google Ads data for purposes unrelated to the services we provide

AI Processing: Campaign performance data may be processed by AI models (via Cloudflare AI Gateway) to generate analytics insights, anomaly detection, and optimization recommendations for you. This data is used exclusively to provide these user-facing features and is not used for model training, advertising, or any purpose unrelated to your use of the platform.

Limited Use: Our access to, use of, storage of, and sharing of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We limit our use of Google Ads data to providing and improving the user-facing reporting, analytics, and insight features within the Elus platform.

4. Instagram/Meta API Data Usage

Our use of data obtained via the Instagram API (Meta Platform) complies with the Meta Platform Policy and Instagram API Terms of Service.

What we access:

  • Instagram Business account profile data (username, profile picture, follower and post counts)
  • Post metrics (impressions, reach, engagement, likes, comments, shares)
  • Published media data (images, videos, captions)
  • List of Facebook Pages linked to the Instagram account

What we do:

  • Publish photos and videos to the Instagram feed on behalf of the user, only upon explicit action
  • Display engagement metrics in the platform's analytics dashboard
  • Generate content recommendations based on post performance

What we do NOT do:

  • We do not publish content automatically without explicit user action
  • We do not share Instagram data with third parties for advertising purposes
  • We do not sell Instagram data
  • We do not use Instagram data for purposes unrelated to our services
  • We do not access Instagram direct messages (DMs)

Token storage: The Instagram access token is stored encrypted (AES-256-GCM) in the database. Long-lived tokens expire after 60 days and are automatically refreshed before expiration.

Data deletion: When you disconnect your Instagram account from Elus, all tokens and Meta-originated account data are removed immediately. Meta may also request data deletion through our data deletion endpoint, as required by the Platform Policy. Content you created in the platform (creatives, copy, campaigns) is not affected by disconnection.

Revoking access: You can revoke Elus's access to your Instagram account at any time: through the Elus platform (Platforms section), through Instagram settings (Apps and websites), or through Facebook settings (Business integrations).

5. LinkedIn API Data Usage

Our use of data obtained via the LinkedIn API complies with the LinkedIn API Terms of Use and the LinkedIn Marketing API Terms.

What we access:

  • Member profile data (name and member identifier) via OpenID Connect
  • List of LinkedIn Company Pages (organizations) where you are an administrator
  • Organization details (name, vanity name, logo)

What we do:

  • Publish posts (text, single image, multi-image, and article/link) to your LinkedIn Company Page or personal profile on your behalf, only upon explicit user action
  • Upload images to LinkedIn for use in posts

What we do NOT do:

  • We do not publish content automatically without explicit user action
  • We do not read or display your LinkedIn feed, connections, or private messages
  • We do not share LinkedIn data with third parties for advertising, sales, or recruiting purposes
  • We do not sell LinkedIn data
  • We do not use LinkedIn data for lead generation or to enhance customer databases
  • We do not use LinkedIn data for purposes unrelated to our services
  • We do not combine LinkedIn data with information from unauthorized sources

Token storage: The LinkedIn OAuth access token and refresh token (if provided) are stored encrypted (AES-256-GCM) in the database. Access tokens expire after 60 days. Refresh tokens, when available, expire after 365 days and are used to obtain new access tokens without requiring re-authorization.

Data deletion: When you disconnect your LinkedIn account from Elus, all OAuth tokens, member identifiers, and LinkedIn-originated organization data are deleted immediately from our systems. Content you created in the platform (creatives, copy, campaigns) is not affected by disconnection. You may also request deletion of all your LinkedIn-originated data at any time by contacting us.

Revoking access: You can revoke Elus's access to your LinkedIn account at any time: through the Elus platform (Platforms section), or through LinkedIn settings (Settings & Privacy > Data privacy > Permitted services). Upon revocation, LinkedIn will invalidate the access token and Elus will no longer be able to post on your behalf.

6. TikTok API Data Usage

Our use of data obtained via the TikTok API complies with the TikTok Developer Terms of Service, Developer Guidelines, and Content Sharing Guidelines. On TikTok, our application is registered as "Elus - Marketing OS".

What we access:

  • TikTok user identifier, display name, and avatar
  • Content Posting API for publishing videos

What we do:

  • Publish video content to TikTok on behalf of the user, only upon explicit action

What we do NOT do:

  • We do not publish content automatically without explicit user action
  • We do not access TikTok direct messages, followers list, or feed data
  • We do not share TikTok data with third parties for advertising purposes
  • We do not sell TikTok data
  • We do not use TikTok data for purposes unrelated to our services
  • We do not add watermarks, logos, or promotional branding to content posted to TikTok
  • We do not use TikTok data for training AI models

Token storage: The TikTok OAuth access token and refresh token are stored encrypted (AES-256-GCM) in the database.

Data deletion: When you disconnect your TikTok account from Elus, all tokens and TikTok-originated account data are deleted immediately from our systems. Content you created in the platform (creatives, copy, campaigns) is not affected by disconnection.

Revoking access: You can revoke Elus's access to your TikTok account at any time: through the Elus platform (Platforms section) or through TikTok settings (Settings and Privacy > Security > Manage app permissions).

7. Pinterest API Data Usage

Our use of data obtained via the Pinterest API complies with the Pinterest Developer Terms and API Terms of Service.

What we access:

  • Pinterest user profile data
  • Board list and board details
  • Pin analytics (impressions, saves, clicks, outbound clicks)
  • Account-level analytics

What we do:

  • Create pins on Pinterest boards on behalf of the user, only upon explicit action
  • Create pins from published blog articles (blog-to-pin feature)
  • Display pin and account analytics in the Elus dashboard

What we do NOT do:

  • We do not publish pins automatically without explicit user action
  • We do not share Pinterest data with third parties for advertising purposes
  • We do not sell Pinterest data
  • We do not use Pinterest data for purposes unrelated to our services

Token storage: The Pinterest OAuth access token and refresh token are stored encrypted (AES-256-GCM) in the database.

Data deletion: When you disconnect your Pinterest account from Elus, all tokens and Pinterest-originated account data are deleted immediately. Content you created in the platform is not affected by disconnection.

Revoking access: You can revoke Elus's access to your Pinterest account at any time: through the Elus platform (Platforms section) or through Pinterest settings (Settings > Apps).

8. Twitter/X API Data Usage

Our use of data obtained via the Twitter/X API complies with the Twitter Developer Agreement and Policy.

What we access:

  • Twitter/X user profile data (username, display name, profile image)
  • Ability to post tweets on the user's behalf
  • Publicly available tweet data for content monitoring

What we do:

  • Publish tweets (text, with optional images) on behalf of the user, only upon explicit action
  • Monitor publicly available content for competitor analysis

What we do NOT do:

  • We do not publish content automatically without explicit user action
  • We do not access Twitter/X direct messages
  • We do not share Twitter/X data with third parties for advertising purposes
  • We do not sell Twitter/X data
  • We do not use Twitter/X data for purposes unrelated to our services

Token storage: The Twitter/X OAuth access token and refresh token are stored encrypted (AES-256-GCM) in the database.

Data deletion: When you disconnect your Twitter/X account from Elus, all tokens and Twitter/X-originated account data are deleted immediately. Content you created in the platform is not affected by disconnection.

Revoking access: You can revoke Elus's access to your Twitter/X account at any time: through the Elus platform (Platforms section) or through Twitter/X settings (Settings > Security and account access > Apps and sessions).

9. Threads API Data Usage

Our use of data obtained via the Threads API (Meta Platform) complies with the Meta Platform Policy, Threads API Terms, and Threads Usage Policies.

What we access:

  • Threads user profile data (username, profile picture)
  • Post metrics (views, likes, replies, reposts, quotes)
  • Reply data and conversation threads
  • Account-level insights

What we do:

  • Publish posts (text, with optional images) to Threads on behalf of the user, only upon explicit action
  • Display post and account metrics in the Elus dashboard
  • Allow users to view and respond to replies

What we do NOT do:

  • We do not publish content automatically without explicit user action
  • We do not access Instagram direct messages or data beyond Threads
  • We do not share Threads data with third parties for advertising purposes
  • We do not sell Threads data
  • We do not use Threads data for purposes unrelated to our services

Token storage: The Threads access token is stored encrypted (AES-256-GCM) in the database. Long-lived tokens expire after 60 days and are automatically refreshed.

Data deletion: When you disconnect your Threads account from Elus, all tokens and Threads-originated account data are deleted immediately. Content you created in the platform is not affected by disconnection.

Revoking access: You can revoke Elus's access to your Threads account at any time: through the Elus platform (Platforms section) or through Instagram settings (Settings > Apps and websites).

10. Reddit API Data Usage

Our use of data obtained via the Reddit API complies with the Reddit API Terms of Use, Reddit Developer Terms, and the Reddit Responsible Builder Policy.

What we access:

  • Reddit username and account identity
  • Ability to submit posts to subreddits on the user's behalf
  • Subreddit information for posting guidance

What we do:

  • Submit text posts and link posts to Reddit subreddits on behalf of the user, only upon explicit action
  • Check rate limits and posting eligibility before submission
  • Enforce anti-spam protections: maximum 3 posts per week per subreddit, minimum 24-hour interval between posts, and cross-subreddit duplicate content detection

What we do NOT do:

  • We do not publish content automatically without explicit user action
  • We do not access Reddit private messages, saved posts, or voting history
  • We do not share Reddit data with third parties for advertising purposes
  • We do not sell Reddit data
  • We do not use Reddit data to train AI or machine learning models
  • We do not use Reddit data for purposes unrelated to our services
  • We do not bypass subreddit rules or Reddit rate limits
  • We do not allow posting identical or substantially similar content across multiple subreddits
  • We do not manipulate Reddit features such as voting or karma

Token storage: The Reddit OAuth access token and refresh token are stored encrypted (AES-256-GCM) in the database.

Data deletion: When you disconnect your Reddit account from Elus, all tokens and Reddit-originated account data are deleted immediately. Content you created in the platform is not affected by disconnection.

Revoking access: You can revoke Elus's access to your Reddit account at any time: through the Elus platform (Platforms section) or through Reddit settings (Settings > Safety & Privacy > Apps).

11. Data Storage & Security

Your data is stored on PostgreSQL servers hosted on Railway, with the following security measures:

  • Passwords stored as cryptographic hashes (scrypt with salt)
  • Session tokens stored as SHA-256 hashes (never in plain text)
  • Data encrypted in transit (TLS/HTTPS)
  • Data encrypted at rest on database servers
  • API keys stored as SHA-256 hashes
  • Role-based access control with multi-tenant isolation

12. Data Retention

We retain your data as long as your account is active and as necessary to provide our services. Specifically:

  • Account data: Retained while the account is active.
  • Google Ads data: Synced and maintained for up to 12 months of historical analysis while the integration is connected. When you disconnect the integration or close your account, all Google Ads data is deleted within 30 days.
  • Instagram/Meta Data: Access tokens and Instagram account data are retained while the integration is connected. Upon disconnection, tokens and account identifiers are deleted immediately. Content you created (creatives, copy) remains in your account.
  • LinkedIn Data: OAuth tokens and LinkedIn-originated account and organization data are retained while the integration is connected. Upon disconnection, all tokens and LinkedIn identifiers are deleted immediately. Content you created (creatives, posts) remains in your account.
  • TikTok Data: OAuth tokens and TikTok account data are retained while the integration is connected. Upon disconnection, all tokens and account identifiers are deleted immediately. Content you created (creatives, copy) remains in your account.
  • Pinterest Data: OAuth tokens and Pinterest account data are retained while the integration is connected. Upon disconnection, all tokens and account identifiers are deleted immediately. Content you created (creatives, copy) remains in your account.
  • Twitter/X Data: OAuth tokens and Twitter/X account data are retained while the integration is connected. Upon disconnection, all tokens and account identifiers are deleted immediately. Content you created (creatives, copy) remains in your account.
  • Threads Data: Access tokens and Threads account data are retained while the integration is connected. Upon disconnection, all tokens and account identifiers are deleted immediately. Content you created (creatives, copy) remains in your account.
  • Reddit Data: OAuth tokens and Reddit account data are retained while the integration is connected. Upon disconnection, all tokens and account identifiers are deleted immediately. Content you created (creatives, copy) remains in your account.
  • Generated content: Retained while the account is active.
  • After account closure: All data is deleted within 30 days of account closure, except where retention is required by law.

13. Third-Party Services

We use the following third-party services in data processing:

  • Cloudflare: CDN, AI Gateway for AI model routing, and file storage (R2).
  • Railway: Server hosting and PostgreSQL database.
  • OpenAI: Natural language processing for AI features (content generation, analysis, recommendations). Data sent to OpenAI is used exclusively to process your requests.
  • Google APIs: Google Ads integration and OAuth authentication.
  • Meta Platform (Instagram/Facebook): Integration with Instagram Business API for content publishing, metrics reading, and profile management. We use Facebook Login for authentication and the Graph API for Instagram operations.
  • LinkedIn: Integration with LinkedIn Community Management API for publishing posts to Company Pages and personal profiles. We use LinkedIn OAuth 2.0 for authentication and the REST API for content operations.
  • TikTok: Integration with TikTok Content Posting API for publishing video content. We use TikTok OAuth 2.0 with PKCE for authentication.
  • Pinterest: Integration with Pinterest API v5 for pin publishing, board management, and analytics. We use Pinterest OAuth 2.0 for authentication.
  • Twitter/X: Integration with Twitter API v2 for tweet publishing and content monitoring. We use Twitter OAuth 2.0 with PKCE for authentication.
  • Threads (Meta): Integration with Threads API for post publishing, metrics reading, and reply management. We use Threads OAuth for authentication.
  • Reddit: Integration with Reddit API for post submission to subreddits. We use Reddit OAuth 2.0 for authentication.

Each service operates under its own privacy policy and terms of use.

14. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data.
  • Portability: Request your data in a structured, machine-readable format.
  • Withdraw consent: Withdraw your consent at any time.
  • Revoke Google Ads access: Disconnect the Google Ads integration at any time through the platform or directly in your Google account security settings.
  • Revoke Instagram access: Disconnect the Instagram integration at any time through the Elus platform, through Instagram settings (Apps and websites), or through Facebook settings (Business integrations). Upon revocation, all Meta tokens and account data are deleted immediately.
  • Revoke LinkedIn access: Disconnect the LinkedIn integration at any time through the Elus platform or through LinkedIn settings (Settings & Privacy > Data privacy > Permitted services). Upon revocation, all LinkedIn tokens and account data are deleted immediately.
  • Revoke TikTok access: Disconnect the TikTok integration at any time through the Elus platform or through TikTok settings (Settings and Privacy > Security > Manage app permissions). Upon revocation, all TikTok tokens and account data are deleted immediately.
  • Revoke Pinterest access: Disconnect the Pinterest integration at any time through the Elus platform or through Pinterest settings (Settings > Apps). Upon revocation, all Pinterest tokens and account data are deleted immediately.
  • Revoke Twitter/X access: Disconnect the Twitter/X integration at any time through the Elus platform or through Twitter/X settings (Settings > Security and account access > Apps and sessions). Upon revocation, all Twitter/X tokens and account data are deleted immediately.
  • Revoke Threads access: Disconnect the Threads integration at any time through the Elus platform or through Instagram settings (Settings > Apps and websites). Upon revocation, all Threads tokens and account data are deleted immediately.
  • Revoke Reddit access: Disconnect the Reddit integration at any time through the Elus platform or through Reddit settings (Settings > Safety & Privacy > Apps). Upon revocation, all Reddit tokens and account data are deleted immediately.

To exercise any of these rights, contact us at [email protected].

15. LGPD Compliance

We comply with the Brazilian General Data Protection Law (LGPD - Law No. 13,709/2018). As data controller, we ensure:

  • Appropriate legal basis for each type of data processing.
  • Transparency about what data we collect and how we use it.
  • Adoption of technical and administrative security measures.
  • Respect for data subject rights as provided by the LGPD.
  • Notification to the National Data Protection Authority (ANPD) and data subjects in the event of a security incident that may cause relevant risk or harm.

16. GDPR Compliance

For users in the European Union and European Economic Area, we comply with the General Data Protection Regulation (GDPR). Legal bases for processing include:

  • Contract performance: Processing necessary to provide our services.
  • Consent: When you connect third-party services such as Google Ads, Instagram, LinkedIn, TikTok, Pinterest, Twitter/X, Threads, or Reddit.
  • Legitimate interest: To improve our services and ensure security.

You have the right to lodge a complaint with a data protection supervisory authority in your country of residence.

17. Cookies & Tracking Technologies

We use strictly necessary cookies for platform operation:

  • Session cookie: An HttpOnly cookie used to maintain your authenticated session. Expires in 30 days.
  • Preference cookies: To store your language and theme preferences.

We do not use third-party cookies for advertising or tracking. We do not use third-party analytics tools that track users across websites.

18. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or through a notice on the platform. Continued use of the services after changes constitutes acceptance of the updated policy.

19. Contact

For questions, requests, or complaints related to privacy and data protection, please contact us:

Email: [email protected]

Platform: elus.cc