1. Who is responsible for your data
Chaello Marketing Agency (“Chaello,” “SocialStudio,” “we,” “us,” or “our”) is the operator of SocialStudio and is responsible for personal data described in this Policy where it determines why and how that data is processed.
Privacy questions and requests may be sent to hello@chaello.com with the subject “SocialStudio Privacy.”
2. Scope and our data-protection roles
This Policy applies to the SocialStudio website, account system, dashboard, subscription, integrations, support, and publishing services.
For account, billing, security, website, and product-usage data, Chaello generally acts as a data controller or equivalent responsible organization. When a business customer submits personal data in Customer Content and instructs us to process or publish it, that customer may be the controller and Chaello may act as its service provider or processor. Customers remain responsible for providing required notices and establishing a lawful basis for Customer Content.
3. Personal data we collect
| Category | Examples |
|---|---|
| Account data | Name, email address, password hash, account identifiers, workspace settings, and subscription status. |
| Connected-account data | Platform name, account or Page identifiers, display names, approved permission scopes, encrypted access and refresh tokens, token expiry, and selected publishing destinations. |
| Customer Content | Campaign names, prompts, captions, hashtags, uploaded images or videos, public media URLs, drafts, schedules, and publishing results. |
| Billing data | Paddle customer, transaction, and subscription identifiers, plan, status, renewal information, and payment events. Paddle handles complete payment-card details as Merchant of Record. |
| Technical data | IP address, browser and device information, session identifiers, request times, security events, error logs, and diagnostic information. |
| Usage data | Features used, connected platforms, campaign and post status, publishing attempts, audit events, and support interactions. |
| Communications | Emails, support requests, feedback, legal notices, and other messages you send us. |

Please do not upload sensitive personal data, government identifiers, payment-card information, health information, or other high-risk data unless strictly necessary, lawful, and appropriate for publication.
4. Sources of personal data
We receive data:
- directly from you when you register, create content, subscribe, or contact us;
- from your browser and device when you use the Service;
- from social platforms when you authorize a connection;
- from payment providers concerning subscription status and transactions; and
- from team members or organizations that invite or authorize you.
5. Why we process data and our legal bases
| Purpose | Typical legal basis |
|---|---|
| Create accounts, authenticate users, provide dashboards, store drafts, schedule and publish posts. | Performance of our contract and steps requested before entering a contract. |
| Process subscriptions, maintain transaction records, and prevent payment fraud. | Contract, legitimate interests, and legal obligations. |
| Secure accounts, encrypt credentials, maintain audit logs, rate-limit abuse, troubleshoot, and prevent fraud. | Legitimate interests, contract, and legal obligations. |
| Provide AI-assisted caption and hashtag generation when requested. | Contract or your requested action; legitimate interests in providing and improving the feature. |
| Provide support, respond to inquiries, and communicate service or legal updates. | Contract, legitimate interests, consent where required, and legal obligations. |
| Analyze aggregate performance and improve reliability, usability, and platform compatibility. | Legitimate interests, with consent where required for non-essential analytics. |
| Comply with law, enforce agreements, protect rights, and respond to lawful requests. | Legal obligations and legitimate interests. |

Where processing relies on consent, you may withdraw consent at any time without affecting processing already completed. Where processing relies on legitimate interests, we consider necessity, proportionality, and your rights.
7. AI-assisted processing
If you request content generation, relevant campaign instructions and content may be sent to an AI service provider to produce a response. Avoid including sensitive or confidential information in prompts. We use output to provide the requested feature and may process limited operational data to detect abuse and troubleshoot.
SocialStudio does not make decisions producing legal or similarly significant effects solely through AI. You decide whether to accept, edit, schedule, or publish generated content.
9. International data transfers
SocialStudio and its providers may process data in countries other than yours. Those countries may have different data-protection laws. Where required, we use recognized transfer mechanisms and contractual protections, which may include adequacy decisions, standard contractual clauses, or equivalent safeguards.
10. Data retention
| Data | Typical retention approach |
|---|---|
| Account and workspace data | While the account is active, then deleted or anonymized after account deletion except where retention is legally required. |
| Drafts, campaigns, media, and schedules | Until deleted by the user, account deletion, or expiry under future storage-management rules. |
| OAuth credentials | Until connection removal, token expiry without renewal, or account deletion. |
| Billing records | For the period required for tax, accounting, fraud prevention, and legal compliance. |
| Security and audit logs | For a limited period proportionate to security, troubleshooting, abuse prevention, and legal needs. |
| Support and legal communications | As necessary to resolve the request and establish or defend legal rights. |

Retention periods may be extended for disputes, legal holds, security investigations, or legal obligations. Backups may persist temporarily until normal rotation completes.
11. Security
We use measures designed to protect data, including HTTPS, secure session cookies, request-forgery protection, password hashing, access controls, encrypted OAuth credentials, restricted server files, rate limiting, audit logs, media validation, and security headers. See our Security page.
No system is completely secure. You are responsible for using a strong unique password, protecting account access, controlling authorized team members, and promptly reporting suspected compromise.
12. Your privacy rights
Depending on your location and applicable law, you may have rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent, or information about processing. You may also have the right to complain to a competent data-protection authority.
You can delete your SocialStudio account from dashboard settings. For other requests, email hello@chaello.com. We may need to verify your identity and authority. We will respond within the period required by applicable law and explain any lawful exception.
Step-by-step instructions are available on our Social Account Data Deletion page.
Authorized agents may submit requests where permitted, subject to identity and authorization verification. We will not discriminate against you for exercising applicable privacy rights.
13. Additional notice for California residents
Subject to applicability thresholds and exceptions, California residents may have rights to know, access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and receive non-discriminatory treatment.
SocialStudio does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are generally defined under California law. Therefore, we do not currently offer a “Do Not Sell or Share” link. If our practices change, we will update this Policy and provide required controls, including recognition of applicable opt-out preference signals.
Categories collected and disclosed for business purposes are described in Sections 3 and 8. We do not knowingly sell or share personal information of consumers under 16.
15. Children's privacy
SocialStudio is a business service and is not directed to children under 18. We do not knowingly collect personal data from children. Contact us if you believe a child provided data, and we will investigate and delete it where appropriate.
16. Changes to this Policy
We may update this Policy to reflect product, legal, security, or operational changes. We will publish the updated version with a new effective date and provide additional notice for material changes where appropriate or legally required.
17. Contact and complaints
Send privacy requests or questions to hello@chaello.com with the subject “SocialStudio Privacy.” Include enough information for us to understand and verify your request, but do not email passwords or social-platform access tokens.
You may also have the right to complain to the data-protection or privacy authority responsible for your location.
6. Connected social accounts
When you choose “Connect,” the social platform handles your login and asks you to approve specific permissions. SocialStudio does not receive your social-platform password. We receive authorization tokens and account details allowed by the approved scopes and use them to display destinations, publish content, refresh authorization where supported, and report status.
Tokens are encrypted at rest. You may disconnect a platform through SocialStudio, and you can also revoke access through the platform's own security settings. Disconnecting stops future access but does not remove posts already published on that platform.
Each social platform independently processes personal data under its own privacy policy. Review the platform's policy and account settings for its practices.