Introduction
Welcome to CodivUpload ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and share information about you when you use our website, mobile applications, and other online products and services (collectively, the "Services").
This Privacy Policy applies to the CodivUpload platform developed by Codivion LLC (Registered in Wyoming). By accessing or using our Services, you agree to this Privacy Policy.
Information We Collect
We collect information you provide directly to us when you use our Services.
Account Information
When you register for an account, we collect your name, email address, password, and other data you provide.
Platform Integration Data (OAuth)
When you connect social media platforms to CodivUpload, we collect OAuth access tokens, refresh tokens, profile identifiers, and metadata required to publish content on your behalf. All sensitive tokens are encrypted at rest using AES-256-GCM authenticated encryption. See Section 4 for platform-specific details.
Usage Data
We collect automatically generated information about your interactions with the Services, such as IP addresses, browser types, and usage patterns.
How We Use Your Information
We use the collected information for various purposes, including:
- To provide, maintain, and securely operate the CodivUpload dashboard infrastructure.
- To seamlessly execute your cross-platform content publishing and scheduling orders.
- To send you technical notices, updates, security alerts, and administrative messages.
- To understand and analyze how users interact with our Services, aiming strictly to improve platform performance.
Platform Integrations & Data Access
CodivUpload integrates with the following social media platforms via their official APIs. Below is a complete disclosure of the permissions we request, the data we access, and how we use it for each platform.
For all platforms: OAuth tokens (access and refresh) are encrypted at rest using AES-256-GCM authenticated encryption with unique random initialization vectors. Tokens are only decrypted momentarily in server memory during authorized API operations and are never stored in plaintext, written to logs, or accessible to any human.
Google (YouTube)
OAuth 2.0 (offline access)
| Permission | Data Accessed | Purpose |
|---|---|---|
| youtube.force-ssl | Manage YouTube account (SSL-enforced) | Upload videos, manage metadata, create & control live broadcasts |
| youtube.upload | Video upload capability | Upload & schedule videos on your behalf |
| youtube.readonly | Channel info (name, ID, avatar) | Display your channel in the dashboard |
| yt-analytics.readonly | View counts, engagement metrics | Display performance stats in your dashboard |
| openid | OpenID Connect token | Secure identity verification |
| userinfo.email | Email address | Account matching & identification |
| userinfo.profile | Display name, profile picture | Dashboard display |
Google Sign-In (Authentication)
OAuth 2.0 via Supabase Auth
| Permission | Data Accessed | Purpose |
|---|---|---|
| | Email address | Account creation & login |
| profile | Display name, profile picture | Dashboard display & identification |
OAuth 2.0
| Permission | Data Accessed | Purpose |
|---|---|---|
| pages_show_list | List of managed Facebook Pages | Let you select which Page to connect |
| pages_read_engagement | Page engagement metrics (likes, comments, shares) | Display analytics in your dashboard |
| pages_manage_posts | Create, edit, and delete Page posts | Publish & schedule posts on your behalf |
| publish_video | Video upload capability on Pages | Publish video content |
| business_management | Business Manager entities | Access managed business pages |
Instagram Login API (OAuth 2.0)
| Permission | Data Accessed | Purpose |
|---|---|---|
| instagram_business_basic | Basic account info (ID, username, profile picture) | Display your account in the dashboard |
| instagram_business_content_publish | Publish photos, videos, and reels | Schedule & publish content on your behalf |
| instagram_business_manage_insights | Engagement metrics and analytics | Display performance stats in your dashboard |
X (Twitter)
OAuth 2.0 with PKCE
| Permission | Data Accessed | Purpose |
|---|---|---|
| tweet.read | Read tweets and timeline data | Verify posting status |
| tweet.write | Create, update, and delete tweets | Publish posts on your behalf |
| users.read | Profile info (name, username, avatar) | Display your account in the dashboard |
| media.write | Upload images, GIFs, and videos | Attach media to scheduled posts |
| offline.access | Refresh token for persistent sessions | Maintain connection without re-auth |
TikTok
OAuth 2.0 with PKCE
| Permission | Data Accessed | Purpose |
|---|---|---|
| user.info.basic | Display name, avatar, open ID | Display your account in the dashboard |
| video.publish | Publish videos to your account | Schedule & auto-publish videos |
| video.upload | Upload draft videos | Upload video assets before publishing |
Threads
OAuth 2.0
| Permission | Data Accessed | Purpose |
|---|---|---|
| threads_basic | Account info (ID, username, name, avatar, bio) | Display your account in the dashboard |
| threads_content_publish | Create and publish posts | Schedule & publish posts on your behalf |
| threads_manage_insights | Engagement and performance metrics | Display analytics in your dashboard |
OAuth 2.0 with OpenID Connect
| Permission | Data Accessed | Purpose |
|---|---|---|
| openid | OpenID Connect authentication | Secure identity verification |
| profile | Name, profile picture | Display your account in the dashboard |
| | Email address | Account matching & identification |
| w_member_social | Post as yourself (personal profile) | Publish personal posts on your behalf |
| w_organization_social | Post as company/organization | Publish company posts on your behalf |
| rw_organization_admin | Manage organization pages | Access managed company pages |
| r_organization_social | Organization social content & stats | Display company analytics |
OAuth 2.0 with Basic Auth
| Permission | Data Accessed | Purpose |
|---|---|---|
| user_accounts:read | Account info (username, type, avatar) | Display your account in the dashboard |
| boards:read | Read boards list | Let you select target boards |
| boards:write | Create and manage boards | Organize published Pins |
| pins:read | Read pins and board content | Display existing content |
| pins:write | Create and publish Pins | Schedule & publish Pins on your behalf |
Bluesky
AT Protocol (App Password)
| Permission | Data Accessed | Purpose |
|---|---|---|
| atproto | Full AT Protocol access via app password | Create posts and manage content |
Bluesky uses the AT Protocol with app-specific passwords instead of OAuth. Your app password is encrypted and stored separately from your main account password.
Google API Services — Limited Use Disclosure
CodivUpload's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In accordance with Google's Limited Use requirements:
- We only use Google user data to provide and improve the user-facing features that are visible and prominent in CodivUpload's interface (video publishing and analytics display).
- We do not transfer Google user data to third parties unless necessary to provide or improve the service, comply with applicable laws, or as part of a merger/acquisition with prior user consent.
- We do not use Google user data for serving advertisements or for any advertising purpose.
- No human reads Google user data, except with explicit user consent, for security/abuse investigation, to comply with legal obligations, or when data is aggregated and anonymized for internal operations.
Third-Party Data Sharing & Sub-Processors
CodivUpload does NOT sell your personal data to any third-party data brokers or advertisers.
We share your information only with infrastructure providers (sub-processors) who are strictly required to operate the Service, under Data Processing Agreements (DPAs) and strict confidentiality obligations. These providers process data solely on our instructions and do not use your data for their own purposes.
| Sub-Processor | Service | Data Processed |
|---|---|---|
| Supabase | Database, Authentication & Real-time Infrastructure | Account data, encrypted OAuth tokens, post metadata, scheduling queues |
| Vercel | Application Hosting & Edge Network | Request logs, session cookies, server-side rendering |
| Cloudflare | DNS, SSL/TLS, DDoS Protection, CDN Proxy & Object Storage (R2) | DNS queries, HTTP traffic metadata, uploaded media files (R2) |
| Stripe | Payment Processing & Subscription Billing | Name, email, billing address, payment method (card details handled exclusively by Stripe — never stored on our servers) |
All sub-processors maintain SOC 2 compliance and their own privacy policies linked above. We will update this list if we add or change sub-processors.
Data Security
Security is our paramount priority. We implement Zero-Trust architectures:
- All API connections (OAuth tokens and App Passwords) are encrypted at rest via AES-256-GCM with unique random IVs per token.
- Communications between our servers and third-party APIs are enforced over HTTPS/TLS 1.3.
- Our database architecture is protected by strict, enterprise-grade Row Level Security policies.
Lawful Basis for Processing
Under the General Data Protection Regulation (GDPR) and similar frameworks, we are required to identify a lawful basis for each processing activity. The table below outlines the legal grounds on which we process your personal data.
| Processing Activity | Lawful Basis |
|---|---|
| Account creation & authentication | Contract performance |
| Content publishing to connected platforms | Contract performance |
| OAuth token storage & refresh | Contract performance |
| Analytics display in dashboard | Contract performance |
| Technical logs & security monitoring | Legitimate interest (platform security) |
| Service-related email notifications | Contract performance |
| Marketing emails & product updates | Consent (opt-in) |
| Payment processing & invoicing | Contract + Legal obligation (tax records) |
| Fraud prevention & abuse detection | Legitimate interest (platform integrity) |
Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting privacy@codivupload.com.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. The table below outlines our retention periods by data category.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data (name, email) | Duration of account + 30 days | Contract |
| OAuth tokens (all platforms) | Until revocation or account deletion | Contract |
| Post content & uploaded media | Until user deletes or account termination | Contract |
| Server & application logs | 90 days | Legitimate interest |
| Payment & billing records | 7 years | Legal obligation (IRS) |
| Subscription changes & scheduled plan modifications | Duration of subscription + 30 days | Contract |
| Support communications | 2 years after resolution | Legitimate interest |
When you delete your account, we will delete or anonymize your personal data within 30 days, except for data we are legally required to retain (e.g., payment records for tax compliance). Backup systems are purged on a rolling 30-day cycle following deletion.
Your Rights by Region
You can instantly revoke any connected platform's access and wipe associated tokens from our databases using your CodivUpload dashboard. For Google accounts, you can also revoke access from your Google Account Permissions page.
European Economic Area, UK & Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) grants you the following rights:
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data ("right to be forgotten").
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interest.
- Automated Decision-Making: You will not be subject to decisions based solely on automated processing.
- Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based.
How to Submit a Request (DSAR)
Email privacy@codivupload.com with the subject line "GDPR Data Request". We will verify your identity and respond within 30 days. If the request is complex, we may extend this by up to 2 additional months, with notice. There is no fee for standard requests.
International Data Transfers (EU → US)
Your data is processed primarily in the United States. For transfers from the EEA/UK to the US, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) with our sub-processors. As supplementary measures, all sensitive data (OAuth tokens, credentials) is encrypted at rest using AES-256-GCM, and all data in transit is protected by TLS 1.3. You may request a copy of the applicable SCCs by contacting privacy@codivupload.com.
California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:
- Right to Know: Request what personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out: Opt out of the sale or sharing of personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
We do not sell or share your personal information as defined by the CCPA/CPRA. We have not sold personal information in the preceding 12 months.
To exercise your CCPA rights, email privacy@codivupload.com with the subject line "CCPA Request". We will verify your identity and respond within 45 days.
Email Communications (CAN-SPAM)
In compliance with the CAN-SPAM Act and applicable email marketing laws:
- All commercial and marketing emails include a clear unsubscribe link in the footer.
- Opt-out requests are honoured within 10 business days.
- Every email includes our physical mailing address: 30 N Gould St #52487, Sheridan, WY 82801, USA.
- We do not use deceptive subject lines or false header information.
- Service-related transactional emails (password resets, security alerts, billing receipts) are not affected by opt-out preferences as they are necessary for the operation of your account.
Contact Us
If you have any questions or concerns regarding this Privacy Policy, please contact us:
- Company: Codivion LLC
- EIN: 61-2264270
- State of Formation: Wyoming, USA
- Address: 30 N Gould St #52487, Sheridan, WY 82801, USA
- General Support: support@codivupload.com
- Legal Inquiries: legal@codivupload.com
- Security Reports: security@codivupload.com
- Privacy Requests: privacy@codivupload.com