01 What we collect
Account information. Your email address (used for login and billing notifications), your display name if you set one, and your authentication provider (email or Google OAuth).
Billing data. Held by our payment processor. We see your subscription status and invoice amounts. We never see your card number.
Your content. Slideshows, hooks, prompts, image collections, generated outputs. Stored in our cloud database (US region) with strict per-user access controls.
Third-party tokens. When you connect a TikTok, YouTube, or Instagram account, we store OAuth access and refresh tokens encrypted at rest. Used to (a) post content on your behalf when you initiate or schedule a post, and (b) read the list of posts you've made on your own connected account along with their performance metrics (such as view count, like count, watch time, and follower/following counts) so Svmmon can show you a unified analytics dashboard of your own content. We only ever access content and metrics on accounts you have personally authorized, never anyone else's.
Usage data. Slideshow generation counts per billing period (for quota enforcement), API call logs for cost tracking, login timestamps and IP addresses for fraud prevention (retained up to 180 days).
Support correspondence. If you email us, we keep the email so we can reply.
Consent records. Which version of this policy and our terms you agreed to, and when. Required by GDPR and CCPA.
Encrypted AI provider API key. Only if you opt into bring-your-own-key on the Unlimited tier. Stored encrypted at rest; we never log the plaintext.
02 What we don't collect
- Your typed prompts in real time beyond what gets persisted into your content database
- Behavior outside the Svmmon app. No tracking pixels beyond standard server-access logs
- Browser fingerprints, advertising IDs, or cross-site tracking data
- Content from any TikTok, YouTube, or Instagram account other than your own. OAuth tokens grant Svmmon access strictly to the accounts you personally connect. We do not crawl, scrape, or otherwise read data belonging to anyone else, including comment authors, viewers, or accounts you interact with.
- Direct messages, private comments, or any private (non-public) content on connected social accounts. We only read your public posts and your own account-level metrics.
03 How we use what we collect
- Run your account: login, generate content, store your work, charge you, send service notifications
- Enforce quotas and prevent abuse: usage metering, rate limiting, fraud detection
- Improve the Service: aggregate, anonymized usage patterns may inform product decisions. We do NOT use your individual content for AI training without explicit opt-in.
- Community intelligence: anonymized post-performance patterns, stripped of account identities, are pooled across creators to power the community-level insights shown to members
- Service administration: authorized Svmmon personnel can view post-level performance across connected accounts internally to operate and improve the Service.
- Comply with law: when required by valid legal process
04 Where data lives
| Data category | Storage |
|---|---|
| Account info, content, OAuth tokens | Cloud database (US region), encrypted at rest |
| Generated slideshows | Cloud object storage (US region), with retention policy |
| Billing data | Third-party payment processor (PCI-compliant) |
| Authentication state | Managed authentication provider |
| Server logs | Application and worker hosting (US region, encrypted in transit, retained up to 180 days) |
We do not transfer your data outside the United States unless required by law or to deliver functionality (our AI provider's API may process inference requests in different regions per its terms).
05 Third parties we share data with
We are not in the data-selling business. We share data only with the infrastructure providers needed to run the Service:
- Cloud hosting and storage: to run the app and store your account, content, and OAuth tokens
- A payment processor: to handle billing. They hold card data; we never see it.
- Our AI provider: your prompts are sent to generate text. Per its API policy, prompts are not used to train models.
- Sign-in provider: only if you sign in with Google, we receive your email, name, and profile picture
- Product analytics & error monitoring: we use a privacy-respecting product-analytics provider and an error-monitoring provider to operate and improve the product. They receive product-event and error data only — never your generated content, never for advertising, and not used to train models.
We do NOT share data with advertising networks or data brokers. The full, versioned sub-processor list — including every provider's name, purpose, location, and policy link — lives at app.svmmonapp.com/subprocessors.
YouTube API Services. When you connect a YouTube account, Svmmon uses YouTube API Services to publish content to your channel and to read performance metrics on your own videos. By using Svmmon's YouTube integration, you agree to be bound by the YouTube Terms of Service. Google's handling of any data accessed through YouTube API Services is governed by the Google Privacy Policy. You can revoke Svmmon's access to your YouTube account at any time via your Google Account permissions page at myaccount.google.com/permissions.
06 Cookies and tracking
- Authentication cookies: required to keep you logged in
- Billing cookies: set during checkout by our payment processor, required for payment processing
- No third-party tracking cookies on the application
- The marketing site (svmmonapp.com) uses one affiliate-attribution tracker, described below. In the EU, EEA, and UK it loads only after you consent; in other regions, where prior consent is not legally required, it loads automatically. No advertising cookies.
Affiliate attribution. Our marketing site uses a third-party affiliate-attribution provider to credit the affiliate who referred you. Once it loads, it stores persistent identifiers in your browser's localStorage and sends your IP address, browser user agent, and approximate geolocation to that provider to track clicks and conversions. The provider acts as a data processor for this. In the EU, EEA, and UK, this tracker loads only after you accept the cookie banner; if you decline, it never loads and none of these identifiers or data are sent. In other regions, where prior consent is not legally required, it loads automatically. You can contact us to have it disabled. The provider is named, with its policy and DPA links, on our sub-processor list.
07 Your rights
Under GDPR (EU residents), CCPA (California residents), and similar laws, you have rights regarding your data. Through Svmmon, you can:
- Access: see your data in the app at any time
- Export: use the account data export in Settings to download your full content history as a ZIP
- Correct: edit profile info, hooks, slideshows directly in the app
- Delete: delete your account from the account page (or by emailing us)
- Restrict processing: disable specific features (disconnect a social account) from settings
- Object: opt out of any non-essential processing (product update emails) from the account page
Account deletion soft-deletes your account for 7 days (sign back in within that window to restore it), then cancels your subscription and permanently removes your content from cloud storage, your database rows (cascades to all owned data), and your payment-processor customer record metadata. Residual copies in encrypted backups are purged within 90 days. Anonymized billing logs are retained as required by tax and financial regulations (typically 7 years).
To exercise any right, email support@svmmonapp.com. We aim to acknowledge requests within 7 days and to resolve them within the statutory period (up to 30 days under GDPR, extendable for complex requests as the law permits).
08 Children
Svmmon is not directed at children under 13 (or 16 in the EU). We don't knowingly collect data from children. If you believe a child has provided us data, contact us at support@svmmonapp.com and we'll delete it.
09 Security
We implement industry-standard practices:
- HTTPS on all network traffic
- Encryption at rest for sensitive data (OAuth tokens, etc.)
- Database-level Row-Level Security ensures users can only access their own data
- Our payment processor handles all payment card data. We never see card numbers
- Strong session security with industry-standard rotation
No system is perfectly secure. If you suspect a breach, contact us at security@svmmonapp.com.
10 Data breach notification
In the event of a data breach affecting your personal information, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach, via the email associated with your account, in compliance with GDPR and applicable U.S. state laws.
11 Retention
| Data category | Retention |
|---|---|
| Active account data | While your account is active |
| Generated content | While your account is active, subject to per-tier storage caps (see Terms section 9) |
| Server logs | Up to 180 days |
| Billing records | 7 years (tax and financial regulation) |
| Deleted account data | 7-day grace, then permanently removed; backups purged within 90 days |
12 Changes to this policy
We may update this policy. Material changes will be announced via email at least 30 days in advance. The effective date at the top reflects the most recent revision.
13 Contact
Questions or requests? Email support@svmmonapp.com.
For security-specific inquiries: security@svmmonapp.com.