Privacy Policy

SkedCast is a product of Alpha Exotic Tech LLC, a limited liability company organized in the State of Wyoming, USA, with a registered office at 30 N Gould St Ste R, Sheridan, WY 82801, United States. In this policy, “we”, “us”, and “our” refer to Alpha Exotic Tech LLC.

For any privacy question, to exercise your rights, or to reach our privacy team, email privacy@skedcast.com or write to us at the address above.

SkedCast is a multi-tenant service used by agencies, brands, and creators to schedule and publish content. Our role under data-protection law depends on whose data is involved:

• As a data controller — for personal data about our own account-holders (our direct customers): identity, login, billing, and usage data. This policy describes how we handle that data.
• As a data processor— for the connected-account data, post content, media, and analytics that a customer processes through the service on behalf of their own clients. The customer is the controller; we process that data only on the customer’s documented instructions, under our Data Processing Addendum.

Where you are an end user of one of our customers, that customer’s own privacy notice governs their use of your data; this policy explains the processing we carry out on their behalf.

We collect the following categories of personal data. We practise data minimization: we request only the data and platform permissions the service needs, and we do not intentionally collect special-category (“sensitive”) personal data.

We store OAuth tokens, never your platform passwords. Tokens are held in an encrypted vault — see Security and the OAuth-token section below.

We use personal data to provide, secure, and improve the service, to bill for it, to communicate with you, and to comply with law. Where the EU/UK GDPR applies, we rely on the following legal bases:

For connected-account data we process on a customer’s behalf, the customer (as controller) is responsible for establishing the legal basis for that processing.

When you connect a social account, you authorize SkedCast through the platform’s official OAuth flow to act on that account on your behalf. We request the minimum scopes needed to publish — typically the permission to create posts plus a read scope to identify the connected account — and nothing more. We never receive or store your platform password.

The OAuth access and refresh tokens we receive are stored encrypted with AES-256-GCM in our token vault under KMS-managed keys, are decrypted only by our backend to carry out your instructions, and are never logged, sold, or shared except with the originating platform to publish on your behalf. We do not use platform data for advertising, and we do not build profiles unrelated to providing the service.

You stay in control. You can disconnect any account at any time, which immediately revokes and erases the stored tokens for that account, and you can request deletion of your account and all platform-derived data (see our Data Deletion page).

SkedCast acts on a connected account only with your express, informed consent, captured through the platform’s OAuth consent screen and made clear in our connect experience. Publishing is an explicit, user-initiated action: we do not take actions on your account that you have not directed. Before you connect an account, we tell you what we will access, how we will use it, when we collect it, and how to withdraw consent or request deletion; where a platform’s token expires, we ask you to re-authorize. You can withdraw consent at any time by disconnecting the account.

We access only the account identifiers and the OAuth tokens needed to publish, and we use that access solely to schedule and publish the content you compose, at your direction. What we access, the purpose, and the retention/deletion behavior, per platform, is set out below and on our Platform API Data Use & Compliance page.

• Meta — Facebook, Instagram & Threads — we access your Page/professional-account identifiers and the OAuth access and refresh tokens needed to publish to the Facebook Pages, Instagram, and Threads you connect, solely to schedule and publish the content you compose to your connected Meta accounts, at your direction. tokens are held encrypted while the account is connected and are revoked and erased on disconnection or on a deletion request; we honor Meta’s data-deletion requirements through our data-deletion page and callback.
• Google — YouTube Data API — we access your YouTube channel identifiers and the OAuth tokens needed to upload and schedule videos to the channel you connect, solely to upload, schedule, and publish the videos you provide to your connected YouTube channel, at your direction. tokens are held encrypted while the channel is connected; on revocation through SkedCast we revoke the token and delete the associated authorized data, and on revocation through your Google security settings we delete related API data within the periods Google requires.
• X (Twitter) — we access your X account identifier and the OAuth tokens needed to post on your behalf, solely to publish the posts you compose to your connected X account, at your direction. tokens are held encrypted while the account is connected and erased on disconnection; if you delete content on X or ask us to, we delete or update any corresponding stored copy promptly (within 24 hours).
• TikTok — we access your basic TikTok creator info and the OAuth tokens needed to post content on your behalf, solely to publish the videos and photos you compose to your connected TikTok account, at your direction. tokens are held encrypted while the account is connected and erased on disconnection or on a deletion request.
• LinkedIn — we access your member or organization identifier and the OAuth tokens needed to publish to your personal profile or to a Company Page you administer, solely to publish the content you compose to your connected LinkedIn profile or Page, for your benefit and at your direction. we store only the member data needed to provide the posting feature, within LinkedIn’s storage limits, and we delete it on your request or when our access ends.
• Pinterest — we access your Pinterest business-account identifier and the OAuth tokens needed to create Pins and boards on your behalf, solely to publish the Pins you compose to the boards you choose on your connected Pinterest account, at your direction. tokens are held encrypted while the account is connected and erased on disconnection or on a deletion request; we do not retain Pinterest data beyond what the posting feature requires.
• Bluesky (AT Protocol) — we access your handle/DID and the per-account credential or session needed to post on your behalf, solely to publish the posts you compose to your connected Bluesky account, at your direction. credentials are held encrypted while the account is connected and erased on disconnection or on a deletion request.
• Telegram (Bot API) — we access the bot token you configure and the channel/chat identifiers needed to post where your bot is an administrator, solely to publish the messages you compose to the Telegram channels you choose, at your direction. the bot token and channel references are held encrypted while configured and erased on disconnection or on a deletion request.

Google API Services / YouTube — Limited Use

Where you connect a Google service (the YouTube Data API), SkedCast makes the affirmative commitment required by the Google API Services User Data Policy:

SkedCast’s use of information received from Google APIs (including the YouTube Data API) will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

SkedCast uses YouTube API Services. Consistent with the Limited Use requirements, we limit our use of YouTube API data to the upload and scheduling features that are visible in SkedCast; we do not transfer it to third parties except as that policy permits (for example, to provide those features with your consent, for security, or to comply with law); we do not allow humans to read it except in the narrow cases that policy allows; we never use it to serve advertisements or to determine credit-worthiness; and we never use it to train generalized artificial-intelligence or machine-learning models. The Google Privacy Policy is available at policies.google.com/privacy, and the YouTube Terms of Service apply to your use of YouTube. You can review or revokeSkedCast’s access to your Google account at any time via the Google security-settings permissions page at myaccount.google.com/permissions. On revocation through SkedCast we revoke the token and delete the authorized YouTube data; on revocation through your Google settings we delete related YouTube API data within the periods Google requires.

Meta Platform Data

Where you connect a Meta account (Facebook, Instagram, or Threads), we handle Platform Data in line with the Meta Platform Terms and Developer Policies: we use it only to provide the features you authorize, we do not sell or license it, we do not use it for surveillance, we keep it only as long as the feature needs it, and we delete it on request or when you no longer have an account, through the mechanism described on our Data Deletion page — the data-deletion instructions / callback URL we provide to Meta.

X (Twitter) content

For X, we act only with your express consent, our handling is no less protective than the X Privacy Policy, and we keep any stored X content current — if you delete or modify content on X, or ask us to, we delete or update the corresponding stored copy within 24 hours. We do not redistribute or sell X content or match it to off-X data.

We do not sell personal information, and we do not“share” it for cross-context behavioral advertising. We share personal data only with:

• Vetted sub-processors that process data on our behalf under a signed data-processing agreement — including Alpha Exotic Tech (Private) Limited, our intra-group engineering and support sub-processor. The current list is on our Sub-processors page.
• The social platforms you direct us to publish to, to carry out your instructions.
• Authorities or third parties where required to comply with law, enforce our terms, or protect rights, property, and safety; and a successor in a merger, acquisition, or asset sale, subject to this policy.

Alpha Exotic Tech LLC is based in the United States and works with sub-processors in multiple regions, including Alpha Exotic Tech (Private) Limitedin Pakistan. Where we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards — principally the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), and we rely on the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework where applicable — together with a transfer-impact assessment where required. These safeguards are incorporated into our Data Processing Addendum.

We keep personal data only as long as needed for the purposes above. Account and content data is retained for the life of your account and deleted after termination, subject to a short operational backup window. On disconnection of a social account, the stored OAuth tokens for that account are revoked and erased. We honor each platform’s retention rules — for example, keeping stored X content in sync within 24 hours, and refreshing or deleting authorized YouTube data within the periods Google requires. Some records (such as billing and tax records) are retained for the period required by law, and limited security/audit logs are retained for a bounded period. Deletion requests are handled as described on our Data Deletion & Account Removal page.

We protect personal data with row-level tenant isolation, an AES-256-GCM encrypted token vault under KMS-managed keys, encryption in transit (TLS 1.2+) and at rest, least-privilege role-based access, a separate MFA-protected operator surface, and append-only audit logging. Read more on our Security page. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify affected parties and authorities of incidents as required by law.

Depending on where you live, you may have the following rights over your personal data. We extend the core access and deletion rights to all users regardless of location.

• Access & portability — obtain a copy of the personal data we hold about you, in a portable, machine-readable format.
• Rectification & correction — have inaccurate or incomplete personal data corrected.
• Erasure / deletion — have your personal data deleted (the GDPR “right to be forgotten” and the CCPA right to delete), subject to limited legal exceptions.
• Restriction & objection — restrict or object to certain processing, including processing based on our legitimate interests.
• Opt out of sale or sharing — opt out of any “sale” or “sharing” of personal information — we do not sell or share personal information in this sense.
• Non-discrimination & complaint — exercise your rights without discriminatory treatment, and lodge a complaint with your data-protection supervisory authority.

EU / UK GDPR

You may submit a data-subject access request (DSAR) at any time, and you have the right to lodge a complaint with your supervisory authority. We verify your identity and respond within the timeframes the law requires, generally within one month (extendable for complex requests).

California (CCPA / CPRA)

California residents have the right to know, access, correct, and delete their personal information, and to opt out of any “sale” or “sharing”. We do not sell or share personal information and we do notuse or disclose sensitive personal information beyond the purposes permitted by the CPRA. You can exercise the opt-out through our “Do Not Sell or Share My Personal Information” control, and we honor the Global Privacy Control (GPC) browser signal. Exercising your rights will never result in discriminatory treatment. You may use an authorized agent to submit a request.

To exercise any right, email privacy@skedcast.com. Where you are an end user of one of our customers, we may direct your request to that customer as the controller and assist them in fulfilling it.

SkedCast is a business tool not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact privacy@skedcast.com and we will delete it.

We use a small number of essential cookies to run the service and, subject to your choices, analytics cookies to understand product usage. See our Cookie Policy for the categories, purposes, and how to opt out.

We may update this policy from time to time; material changes will be reflected by the “Last updated” date above and, where appropriate, communicated to you. For any privacy question or request, contact our privacy team at privacy@skedcast.com or write to Alpha Exotic Tech LLC, 30 N Gould St Ste R, Sheridan, WY 82801, United States.