Privacy Policy
deploy.social is a tool for publishing short-form video to multiple platforms from one upload. This page explains what information we handle, why, and what control you have over it. No legalese — if anything here is unclear, email hello@deploy.social and a human will explain it.
The short version
We store your account, your videos, and encrypted credentials for the platform accounts you connect — because that’s literally what the product does. We don’t sell your data, we don’t run ads, we don’t mine your content, and we don’t use it to train AI. When you delete something, it’s deleted.
Who we are
deploy.social is built and operated by its owner in Bozeman, Montana, USA. Contact: hello@deploy.social.
What we collect and why
- Your account. Email address, display name, and — if you use password sign-in — a hashed password (we can’t read it). If you sign in with Google, we get your name, email, and avatar from Google. This is how you log in and how we reach you.
- Your content. The videos, thumbnails, captions, titles, tags, and schedules you create in the app. We store them so we can transcode your video into each platform’s required format and publish it where you tell us to.
- Connected platform credentials. When you connect a platform account (YouTube, Bluesky, and others as we add them), we store the credential that platform gives us — an OAuth token or app password. These are encrypted at rest with AES-256-GCM and are used for exactly one thing: doing what you asked (uploading and publishing your content, and checking its status).
- Notifications and preferences. Whether you want emails when a deployment finishes or fails, plus in-app notification history.
- Operational basics. Standard server logs (timestamps, requests, errors) so we can keep the service working and debug problems. No advertising trackers, no analytics profiles, no fingerprinting.
Google user data (YouTube)
If you connect a YouTube channel, we request Google OAuth scopes that let us see your channel identity (name, ID, avatar), upload videos to your channel, set their title/description/tags/visibility, check processing status, and — if you use the feature — post a first comment.
That access is used only to provide the features you actively use, and for nothing else. We don’t read your subscriptions, watch history, or anything beyond what the publishing flow needs. Your Google tokens are encrypted at rest and are never shared with anyone except Google itself when we make API calls on your behalf.
deploy.social’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
Other platforms (Meta, TikTok, Bluesky, X)
The same principle applies to every platform you connect: we access only what the publishing flow needs (your account identity, the ability to upload and publish, and post status), we use it only when you trigger it, and the credentials are encrypted at rest. Each platform also has its own privacy policy that governs what happens to your content once it’s published there — that part is between you and them.
Who else touches your data
We run on a small set of infrastructure providers (“subprocessors”):
- Railway — hosts the application and database (USA).
- Cloudflare — DNS, and object storage (R2) where your uploaded and transcoded videos live.
- Resend — sends our transactional email (sign-in links, deployment notifications).
- The platforms you connect — Google/YouTube, Meta, TikTok, Bluesky, X — receive your content when you publish to them, because that’s the point.
That’s the whole list. Nobody else gets your data. We will update this list if it changes.
How long we keep things, and how to delete them
- Media, drafts, and deployments: delete them yourself in the Library at any time. Deleting media removes the files from storage. Deployment history for posts you actually published is kept so your records stay accurate.
- Connected accounts: disconnect any destination at any time in your account settings — the stored credential is destroyed immediately. (Publishing history to that account is preserved, minus the credentials.)
- Your whole account: email hello@deploy.social and we’ll delete it — account, media, credentials, everything — normally within 30 days.
- Meta-initiated deletion: if you remove the app from your Meta settings, Meta pings our deletion endpoint automatically and we deactivate the connection and destroy its credentials, with a confirmation page you can check.
Security
Platform credentials are encrypted at rest (AES-256-GCM envelope encryption). Everything moves over TLS. Access to production systems is limited to the operator. No system is perfect; if we ever have a breach that affects you, we’ll tell you promptly and plainly.
Cookies
We use session cookies to keep you signed in. That’s it — no third-party tracking cookies.
Kids
deploy.social isn’t intended for anyone under 13, and we don’t knowingly collect information from children.
Changes to this policy
If we change this policy in a way that matters, we’ll note the new date at the top and, for significant changes, email you. We won’t quietly weaken it.
Contact
hello@deploy.social — a human reads this.