Privacy Policy

Effective date:

This Privacy Policy describes how [TODO(human): legal entity name](“Strew”, “we”, “us”) collects, uses, stores, and shares personal data when you use the Strew web application (the “Service”). Strew is a social-media broadcasting tool that publishes content you author to third-party social networks on your behalf.

1. Who we are

The data controller is [TODO(human): legal entity name and registered address] (company registration [TODO(human): registration number, if any]). You can contact us about this policy or about your personal data at [TODO(human): contact email, e.g. privacy@strew.app].

[TODO(human): if Strew has no establishment in the EU/UK and offers the Service to EU/UK residents, name an Art. 27 GDPR representative here. Delete this paragraph if not applicable.]

2. Data we collect

We try to collect as little as possible. The categories below are exhaustive — if it’s not listed here, we don’t store it.

2.1 Account data (when you sign in)

Strew uses third-party identity providers for sign-in. We do not see or store your password. From the identity provider we receive a stable provider account ID, your email address, your display name, and (where the provider supplies one) an avatar URL, plus a short-lived OAuth handshake token used only to complete sign-in.

Identity providers currently supported:

2.2 Connected social accounts

When you connect a social network so Strew can publish on your behalf, we store the provider name, the account’s public identifier, its display name, the OAuth tokens issued by that provider, the token expiry, refresh tokens (where supplied), and the scopes you granted. Tokens are encrypted at rest using AES-256-GCM with envelope encryption (per-row data-encryption keys wrapped by an application key-encryption key) and bound to the row they belong to via authenticated additional data so they cannot be reused if copied to a different row.

2.3 What each social-network permission gives us

When you connect a Connected Network, the network asks you to approve a specific list of permissions. Strew only uses each permission for the purpose stated below.

Meta (Facebook Pages and Instagram Business) available from v1.0:

We do not use Meta permissions to retrieve your friends list, your private messages, ad performance, audience insights, or any other data outside the scope of publishing the content you authored in Strew. We do not use Meta data for advertising, profiling, or training machine-learning models.

LinkedIn (personal profile) available from v1.2:

We do not use LinkedIn data for analytics, profiling, advertising, or training machine-learning models. LinkedIn tokens and any cached LinkedIn account metadata are deleted when you disconnect the account or delete your Strew account.

2.4 Content you create

Posts you compose in Strew, including text, attached media (images, video), scheduling metadata, and the list of destinations you selected. Once a post has been published, we retain a record of the publish attempt (timestamp, target account, success/failure, the provider’s response) for support, debugging, and audit purposes.

2.5 Operational data

We do not use third-party advertising trackers, analytics pixels, or cross-site cookies. The only cookies we set are first-party, essential session cookies required to keep you signed in.

3. Why we process this data (legal bases)

4. Sub-processors and third parties

We share data with the following sub-processors. Each one is bound by a data-processing agreement and processes data only on our instructions. Where personal data of EU/UK residents is transferred to the United States, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable). A copy of the relevant transfer mechanism is available on request from [TODO(human): contact email].

5. How long we keep your data

6. Your rights

Depending on where you live, you may have the right to:

California residents have additional rights under the CCPA/CPRA: the right to know what personal information we collect and why, the right to delete it, the right to correct it, the right to data portability, and the right to non-discrimination for exercising these rights.

We do not sell or share your personal informationas those terms are defined under the CCPA/CPRA. We do not use or disclose “sensitive personal information” for any purpose beyond what is necessary to provide the Service, so the “Right to Limit Use of Sensitive Personal Information” is satisfied by default.

Categories of personal information collected, mapped to CCPA categories: identifiers (name, email, provider account ID), internet or other electronic network activity (browser type, URLs of errors, timestamps in audit events), and professional or employment-related information (only the public profile data exposed by GitHub/Google/LinkedIn when you sign in or connect those accounts).

To exercise any of these rights, email [TODO(human): contact email]. We will respond within 30 days. You can also delete your account at any time from the account settings; deletion cascades through connected accounts, posts, and publish history within 30 days.

7. Security

Connected-account tokens are encrypted at rest using AES-256-GCM with per-row data-encryption keys, wrapped by an application key-encryption key (KEK) held only in the runtime environment. Tokens are bound to the row they belong to via authenticated additional data (AAD), so a token cannot be reused if copied to a different row. The KEK infrastructure supports periodic rotation.

Database connections use TLS. We follow the principle of least privilege for internal access and audit privileged actions.

8. Children

Strew is not intended for children. We do not knowingly collect personal data from anyone under the minimum digital-consent age in their country (16 in much of the EU; 13 in the UK and the United States). If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to this policy

We may update this policy from time to time. Material changes will be announced in the application and, where required, by email. The “Effective date” at the top of this page reflects the latest version.

10. Contact

Questions about this policy or about your personal data: [TODO(human): contact email].

Postal address: [TODO(human): registered postal address].