YAPIC

Privacy Policy

Last updated: 20 May 2026 · Effective: 20 May 2026

This Privacy Policy explains what information the YAPIC platform (yapic.tech, the “Service”) collects, how that information is used, and the choices you have. It complies with the disclosure requirements of the EU GDPR, the UK GDPR, and the California Consumer Privacy Act (CCPA).

Plain-English summary. YAPIC is a private operator tool. We do not run user accounts for the general public, do not sell data, do not show ads, and do not run analytics or trackers in the operator UI. The only personal data we touch is the OAuth access tokens you voluntarily grant when connecting a social-media account, so the Service can publish videos on your behalf.

1. Who We Are

The Service is operated by the YAPIC project. For privacy enquiries contact privacy@yapic.tech.

2. Information We Collect

Category	Examples	Source
Authentication credentials	HTTP Basic Auth username/password hash for the operator UI	Configured by the operator at deployment
OAuth tokens	access_token, refresh_token, scope, expires_at, account_id, account_handle for each connected TikTok / YouTube / Instagram account	Provided by the respective platform when you authorise the connection
Generated content metadata	Job records (title, hook, prompt, score, file URL pointing to Cloudflare R2)	Created by you when you trigger a generation job
Operational logs	Backend access logs (timestamps, IP address, request path, response code) retained for diagnostic purposes	Generated automatically by the server
Connection alerts	Channel auto-pause and publish-failure events, optionally pushed to a configured Telegram chat	Generated automatically

We do not collect: contact lists, location, advertising identifiers, biometric data, payment card data (the Service does not handle payments), or analytics beacons.

3. How We Use the Information

Authenticate requests to the operator UI.
Publish content to TikTok, YouTube Shorts, or Instagram Reels using the OAuth scopes you granted. Tokens are used only for the platforms they were issued by.
Operate the generation pipeline (LLM-driven script writing, AI image generation, voice synthesis, video composition, publishing).
Diagnose problems via logs and error reports.
Alert the operator via Telegram when a channel auto-pauses or a publish fails (optional; only if TELEGRAM_BOT_TOKEN is configured).

We do not use any of this information for advertising, profiling unrelated parties, training third-party AI models, or selling to data brokers.

4. Legal Basis (GDPR Article 6)

Contract / pre-contractual measures — to provide the Service you have requested (Art. 6(1)(b)).
Legitimate interests — to operate, secure, and improve the Service (Art. 6(1)(f)).
Consent — when you connect a third-party account through OAuth, the underlying consent is collected by that platform and you may revoke it there at any time (Art. 6(1)(a)).

5. Sharing with Third Parties

We share data only with the providers necessary to operate the Service. Each provider acts as an independent processor or controller under its own terms:

TikTok — to upload and publish videos via the Content Posting API and to read basic profile data via Login Kit (scopes: user.info.basic, video.upload, video.publish).
Google (YouTube Data API v3) — to upload videos and read your YouTube channel metadata (scopes: youtube.upload, youtube.readonly).
Meta (Instagram Graph API) — to publish Reels via the connected Facebook Page → Instagram Business account.
Cloudflare R2 — to store generated video and audio files and to host the public domain assets.
Anthropic, Google AI, ElevenLabs, Auphonic, FAL.ai, Pexels — to power the AI script/voice/image/video generation pipeline. We send the prompts and any input data you submit.
Telegram — to deliver operator alerts to the chat configured by the operator.
MongoDB (self-hosted database) — to persist job records and OAuth tokens at rest.

We will disclose information if required to do so by law or in response to a valid legal request (subpoena, court order).

6. Data Retention

Data	Retained
OAuth tokens	Until you disconnect the integration or revoke access at the provider
Generated job records	Indefinitely, until manually deleted by the operator
Backups (R2)	30 days for daily snapshots; 90 days for monthly snapshots
Access logs	30 days, rolling
System alerts	90 days after acknowledgement

7. How Data is Protected

All traffic is served over HTTPS / TLS 1.3, with HSTS enabled (max-age=63072000; includeSubDomains; preload).
The administrative UI is protected by HTTP Basic Auth.
OAuth state is signed with an HMAC-SHA256 token (5-minute TTL) to prevent CSRF and platform-mixing attacks.
Cross-Origin Resource Sharing is restricted to an explicit allow-list of domains. Credentials are never reflected to untrusted origins.
Database connections are private to the pod’s loopback interface.
Backups are stored in Cloudflare R2 with bucket-level credentials scoped to the YAPIC service.

No system is 100% secure. If we become aware of a breach affecting your data we will notify you without undue delay where required by law.

8. Your Rights

Depending on where you live (EEA, UK, California, etc.), you have the right to:

Access the personal data we hold about you.
Rectify inaccurate data.
Erase your data (“right to be forgotten”).
Restrict or object to processing.
Port your data in a machine-readable format.
Withdraw consent for any processing based on consent.
Lodge a complaint with your supervisory authority.

To exercise these rights, email privacy@yapic.tech. We will respond within 30 days. To disconnect a social-media integration, click Disconnect next to the relevant account in Studio → Settings → Social Auth, or revoke access directly at the provider’s account settings.

9. International Transfers

The Service is hosted on infrastructure that may transmit data across international borders (e.g., Cloudflare’s global edge network). Where we transfer personal data outside the EEA / UK, we rely on Standard Contractual Clauses or equivalent safeguards published by the sub-processors.

10. Children’s Privacy

The Service is not directed at and not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors.

11. Cookies & Local Storage

The public site (yapic.tech) does not set tracking cookies. The operator UI uses localStorage only to remember UI preferences (language toggle). HTTP Basic Auth credentials are cached by the browser — they are not stored by us.

12. Do-Not-Track

We do not run any analytics or advertising trackers, so Do-Not-Track is effectively respected by default.

13. Changes to This Policy

We may update this Policy. The “Last updated” date at the top reflects the most recent version. Substantive changes will be announced on the site for at least 14 days before they take effect.

14. Contact

Privacy enquiries: privacy@yapic.tech
Legal: legal@yapic.tech