Privacy Policy

When you create an account we collect basic authentication data: your email address, a hashed password (or your Google/GitHub OAuth identifier if you use social sign-in), and a display name. We also collect the IP address and user-agent of the device you sign in from so we can detect suspicious access.

When you connect a social platform we collect and store the OAuth access and refresh tokens issued by that platform, plus the metadata each platform requires us to keep on file in order to publish on your behalf. The platforms we currently integrate with are Facebook Pages, Instagram Business accounts, Threads, TikTok, YouTube, X (Twitter), LinkedIn (personal and Company Pages), Bluesky, and Truth Social. For each connection we store the platform user/page ID, the display handle, the avatar URL, the granted scopes, and the token expiry timestamp.

When you use the product we collect content drafts, scheduled posts, uploaded media, the results of AI generations you trigger, the publishing status returned by each platform, and the engagement and reach analytics we retrieve on your behalf.

We use OAuth tokens for one purpose: to publish the content you have authored or approved to the platforms you have connected, and to retrieve the metrics those platforms expose for the posts we published. We do not browse your inbox, scrape your followers, or read content unrelated to the posts you create through Sage Map.

We use your prompts and brand-voice settings to generate content variants through our AI providers. We use your account email to send transactional messages (billing receipts, security notifications, scheduled-post failure alerts) and, only if you opt in, product announcements.

When you connect a Facebook Page or Instagram Business account, Meta returns to Sage Map a Page access token, the Instagram Business Account ID linked to that Page, the Page metadata (name, category, profile picture, follower count), and — once posts have been published — post-level insights such as reach, impressions, engaged users, video views, and saves.

We use Meta-issued tokens only to (a) publish content you have scheduled in Sage Map to the Pages and Instagram accounts you explicitly connected, and (b) read insights for those posts so we can show you analytics inside the dashboard. We do not sell, rent, or onward-transfer Meta data, we do not use it to build advertising profiles, and we do not use it for any purpose outside the scope you granted at connection time. If you revoke Sage Map's access in Facebook Business Settings or by clicking "Disconnect" inside our dashboard, we delete the corresponding tokens immediately and stop all Meta-side processing.

Account data, content, and analytics are stored in a managed Supabase Postgres database hosted in the United States. All OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM with a key managed outside the database; ciphertext is what lives in Postgres, plaintext only exists in memory during a publish or refresh call.

All traffic between your browser, our application servers, our database, and the social platform APIs is encrypted in transit using TLS 1.2 or higher. Backups are encrypted with the same standard and retained for 30 days.

We do not sell your data, and we do not share it with advertisers. We share strictly the data needed for the product to function with a small set of subprocessors:

• Stripe — billing, subscription state, and payment methods. Card numbers never touch our servers.
• Supabase — database, authentication, and file storage.
• Vercel — application hosting and edge network.
• OpenAI and Anthropic — large language model inference for AI content generation. Prompts are sent under enterprise terms that prohibit training on our data.
• MindStudio — orchestration of certain AI workflows (brand-voice extraction, content frameworks).

We may also disclose information when legally required (subpoena, court order) or to protect our rights, property, or safety, or that of our users.

You have the right to access, correct, export, and delete the personal data we hold about you. Most of these are self-serve in the dashboard: you can export your content and analytics from /settings/export, and you can delete your entire account by calling /api/account/delete from the settings page. If you would prefer a human to handle it, email support@sagemap.org and we will respond within 30 days.

If you are in the European Economic Area, the United Kingdom, or California you have additional statutory rights under the GDPR, UK GDPR, and CCPA respectively, including the right to object to processing and the right to lodge a complaint with your local data protection authority.

We keep your account data for as long as your account is active. When you delete your account, we revoke every OAuth token immediately (so the connected platforms no longer grant Sage Map access on your behalf), and we hard-delete your content, drafts, analytics, and account record from primary storage within 90 days. Encrypted backups roll off on their normal 30-day cycle, after which no copy remains.

When you click "Disconnect" on a single platform connection, the OAuth token for that connection is revoked and deleted immediately, even if your account stays active.

Sage Map is a SaaS dashboard, not a consumer marketing site. We use a single first-party cookie to keep you signed in (a session JWT issued by Supabase Auth) and a small handful of localStorage entries to remember your UI preferences (which workspace you last opened, dark/light, calendar zoom level). We do not run third-party advertising trackers, and we do not load Google Analytics or similar pixels on the authenticated dashboard.

Sage Map is built for professional content operators and is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe a minor has created an account, email us and we will delete it.

When we change this policy in a way that affects how we handle your data, we will update the "Last updated" date at the top of this page and notify all active account holders by email at least 14 days before the change takes effect. Continued use of Sage Map after the effective date means you accept the revised policy.

Questions, requests, or complaints about this policy should go to support@sagemap.org. We read every one of them and respond within five business days.