Privacy Policy

We collect the following categories of information:

• Account information. Name, email address, password (hashed with bcrypt), timezone, profile handle, and avatar.
• Billing information. Subscription status, plan tier, and Stripe customer/subscription identifiers. We do not store full payment card numbers; payments are processed by Stripe, Inc.
• Connected account data. When you connect Instagram, TikTok, YouTube, or Twitter via our partner Zernio, we store an opaque account identifier and platform metadata (handle, follower counts). Platform OAuth tokens are held by Zernio, not by us.
• Google account data. Detailed in Section 3 below.
• Content you create. Scheduled posts, captions, drafts, link-in-bio pages, media kits, invoices, and uploaded media (images, video).
• Usage and device data. IP address, browser type, pages visited, and timestamps, collected via standard server logs and analytics.

We use information to:

• Provide, operate, and maintain the Service.
• Authenticate users and secure accounts.
• Schedule and publish posts to platforms you have connected.
• Generate AI drafts, classifications, and summaries when you explicitly request them.
• Process subscriptions, invoices, and payments via Stripe.
• Communicate with you about the Service (transactional emails).
• Detect, prevent, and respond to abuse, fraud, or security incidents.
• Comply with legal obligations.

If you connect a Google account to use Gmail or YouTube features, we request access to specific OAuth scopes. The data we access, why, and how we handle it:

• Profile and email (openid, email, profile). Used solely to authenticate your account.
• Gmail (gmail.readonly, gmail.modify, gmail.send). Used to display your inbox inside Krably, mark threads as read or labelled, and send replies that you compose and approve. We poll Gmail on a schedule; we do not subscribe to push notifications.
• YouTube (youtube.upload). Used to upload videos you schedule through Krably.

Limited Use disclosure. Krably’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We do not sell Google user data.
• We do not transfer Google user data for advertising, marketing, or any purposes unrelated to the Service.
• We do not allow humans to read your Gmail data, except (i) with your explicit consent for a specific message, (ii) when necessary for security purposes (e.g. investigating abuse), (iii) to comply with applicable law, or (iv) when data is aggregated and de-identified.
• We do not use Google user data to develop, improve, or train generalized AI or machine learning models. AI features (drafts, polishing, classification) run only when you explicitly trigger them, and the request is sent to OpenAI for inference; the response is returned to you and is not used for model training.

Google OAuth refresh tokens are encrypted at rest using libsodium secretbox. You can revoke Krably’s access at any time at myaccount.google.com/permissions.

When you invoke an AI feature (e.g. Draft reply, Polish, classify thread), the relevant message text or input is transmitted to our AI provider, OpenAI, for inference. OpenAI processes the request under their API data usage policies, which prohibit using API inputs to train OpenAI models. AI requests are transient on our side; we record the resulting draft and token usage, not the raw prompt history.

We share information only with:

• Service providers who help us run the Service: Render (hosting), Stripe (payments), Zernio (social platform APIs), OpenAI (AI inference), AWS S3 (media storage), Resend (transactional email), and Google (Gmail/YouTube APIs).
• Legal authorities when required by law, subpoena, or to protect our rights, users, or the public.
• A successor entity in connection with a merger, acquisition, or sale of assets, subject to this Policy.

We do not sell your personal information.

We retain account data while your account is active. If you delete your account, we delete your personal information, scheduled content, drafts, media, connected-account references, and Google refresh tokens within 30 days, except where retention is required for legal, tax, accounting, or anti-abuse purposes (e.g. invoice records). Server logs are retained for up to 90 days.

We protect data with industry-standard measures including encrypted transport (TLS), encrypted token storage (libsodium secretbox), signed webhooks, hashed passwords, and least-privilege access. No system is perfectly secure; you use the Service at your own risk and should choose strong passwords.

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing or withdraw consent. To exercise these rights, email us at aagselim@gmail.com. You can also delete your account from the dashboard at any time.

Krably is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US and other countries where our service providers operate.

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.

We use strictly necessary cookies for authentication and session management. We do not use third-party advertising cookies.

We may update this Policy from time to time. Material changes will be communicated by updating the “Last updated” date and, where appropriate, by email. Continued use of the Service after a change constitutes acceptance of the revised Policy.

Questions, requests, or complaints? Email aagselim@gmail.com.