Privacy Policy

Last updated March 21, 2026

This Privacy Policy describes how SlideCastle, operated by Sidewave Digital Inc. (referred to in this Privacy Policy as SlideCastle, we, us, or our), collects, uses, stores, discloses, and otherwise processes personal information when you visit slidecastle.app, use our authenticated application, connect third-party accounts, generate or publish content, purchase a subscription, contact us, or otherwise interact with our services (collectively, the Services).

The Services are intended for business and professional use. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy should also be read together with our Terms of Use.

Scope and role

This Privacy Policy applies to our marketing site, product dashboard, APIs, automations, support workflows, billing flows, and related operational processes. It covers information that we collect directly from you, automatically from your use of the Services, from connected platforms such as TikTok, and from service providers that help us run the Services.

When we decide why and how personal information is processed, SlideCastle acts as the controller or business responsible for that processing. Some vendors act on our behalf as processors or service providers. Other third parties, including TikTok and other external platforms you choose to connect or publish to, may act as independent controllers under their own privacy notices.

Information we collect

We collect information reasonably necessary to operate, secure, improve, monetize, and support the Services. Depending on how you use SlideCastle, that may include:

  • Account and profile information. Name, email address, authentication identifiers, account settings, timezone, subscription plan, and other information associated with account creation, access, and administration.
  • Connected TikTok account data. TikTok open ID, display name, avatar URL, connection status, granted scopes, direct publish settings, connection history, publish status information, metrics information, and other TikTok account or publishing data made available through TikTok APIs, webhooks, or status endpoints.
  • Sensitive credential material. Access tokens and refresh tokens needed to maintain TikTok connections and perform actions you request. In our application, TikTok tokens are stored separately from public account metadata and are encrypted before storage.
  • Content and creative inputs. Slideshow titles, captions, text blocks, prompts, hook ideas, brand identity details, audience descriptions, tone guidance, things to avoid, call-to-action preferences, hashtags, offers, image style instructions, automation rules, delivery settings, scheduling instructions, and related workspace content.
  • Uploaded, generated, and rendered assets. Images you upload, AI-generated images, rendered slide images, file names, sizes, formats, preview assets, storage metadata, and related asset history.
  • Website analysis data. If you ask us to analyze a website to draft account setup, we may fetch the URL you provide, extract publicly accessible page content and metadata, and process that content through our AI workflows.
  • Payment and billing information. Checkout, customer, subscription, invoice, refund, charge, tax, billing country, and transaction-related information. Full payment card numbers are typically processed by our payment providers rather than stored directly by us.
  • Usage, device, and diagnostics data. IP address, browser type, device information, operating system, approximate location inferred from IP, referring URLs, pages or features visited, timestamps, request logs, error logs, job execution records, webhook payloads, analytics events, and other operational telemetry.
  • Communications and support data. Messages you send to us, survey responses, support requests, feedback, and records of our communications with you.
  • Information from third parties. Authentication data from Clerk, transaction or subscription data from Polar, analytics information from Umami, LLM observability data from Helicone, AI request and output data from model providers, and account, publishing, and metrics data from TikTok.

Please do not submit sensitive personal information, confidential business information, health information, financial account credentials, government identifiers, or personal information of third parties unless doing so is strictly necessary, lawful, and authorized by the affected person and by applicable law. If you upload or input personal information about another person, you are responsible for having the required rights, notices, and consents.

How we use information

We use personal information for business and commercial purposes, including to:

  • Provide, authenticate, maintain, and secure the Services and your account.
  • Connect and manage TikTok accounts, refresh tokens, deliver drafts, support direct publishing, poll publish status, and collect or display post metrics.
  • Generate, regenerate, render, optimize, schedule, and store slideshow content and assets.
  • Analyze websites and use AI-assisted features to help draft profile information, copy, images, and automation inputs.
  • Process payments, administer subscriptions, send invoices, and manage commercial records.
  • Measure usage, troubleshoot issues, improve product quality, develop new features, and analyze performance, latency, cost, and reliability.
  • Detect, investigate, prevent, and remediate fraud, abuse, security incidents, policy violations, unlawful conduct, and technical misuse.
  • Enforce our agreements, limits, and internal policies, including plan restrictions and platform or API restrictions.
  • Communicate with you about account activity, support matters, product updates, legal notices, security alerts, and, where permitted, marketing messages.
  • Create aggregated, statistical, or de-identified information for internal analytics, benchmarking, forecasting, product development, business planning, and lawful commercial purposes.
  • Comply with legal obligations and establish, exercise, or defend legal claims.

Legal bases for processing

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we generally process personal information on one or more of the following legal bases:

  • Contractual necessity to provide the Services, complete purchases, connect external accounts, and perform the workflows you request.
  • Legitimate interests in operating, securing, improving, analyzing, monetizing, and supporting the Services, preventing abuse, and protecting our business.
  • Consent where required by law, such as for certain marketing or optional processing activities.
  • Legal obligations where processing is necessary to comply with applicable law, regulation, court order, or other lawful request.

Connected TikTok accounts and public publishing

If you connect a TikTok account, you direct us to exchange data with TikTok to authenticate the connection, maintain access, upload drafts or other content, receive webhooks, check publish status, and retrieve metrics or account-related data as needed for the features you use.

  • We may receive account metadata, scopes, publish identifiers, post identifiers, raw webhook payloads, metrics, and related API responses from TikTok.
  • If you publish or send a draft to TikTok, the content and any settings you choose, such as privacy settings or direct publish options, are transmitted at your direction.
  • Content you publish through TikTok may become public or otherwise subject to TikTok's own privacy, moderation, retention, and disclosure practices.
  • When you remove a TikTok connection, we delete stored TikTok credentials from our active systems, mark the connection as revoked in our application, remove linked automations and related account-profile data as applicable, and may cancel queued jobs tied to that connection. Historical slideshow and business records may remain where necessary for internal records, security, compliance, dispute handling, or product integrity.

We do not control TikTok's independent privacy practices. For details, review the TikTok Privacy Policy.

AI features and LLM observability

If you use AI-assisted features, we may send inputs and outputs to AI providers and observability tools that help us deliver, measure, and improve those features. Depending on the feature and our configuration, that may include prompts, instructions, brand context, extracted website content, image instructions, uploaded assets, outputs, token usage, latency, model identifiers, and related metadata.

  • We may use OpenAI for text generation and related AI processing.
  • We may use fal.ai for AI image generation and related image workflows.
  • We may use Helicone for LLM observability and analytics. Depending on configuration, Helicone may process prompt and response content plus metadata, or only metadata such as latency, token counts, request volume, model usage, and cost information.
  • Do not use AI features to submit information you are not legally authorized to disclose or content you do not want processed by our AI-related vendors.
  • AI features may produce inaccurate, incomplete, or undesired outputs. You are responsible for reviewing outputs before using, distributing, or publishing them.

Cookies, analytics, and similar technologies

We and our providers may use cookies, local storage, pixels, SDKs, session technologies, server logs, and similar tools to operate, secure, and measure the Services.

  • Essential technologies. These help us with authentication, session continuity, security checks, CSRF or OAuth state handling, and remembering product preferences.
  • Analytics technologies. We use Umami for website and product analytics. Depending on deployment and configuration, Umami may operate using cookies or cookieless analytics methods.
  • Performance and diagnostics. We log technical events and operational metrics to understand service health, failures, and usage patterns.

You can usually control cookies through your browser settings, but blocking or disabling certain technologies may impair parts of the Services. We do not guarantee that the Services will respond to every "Do Not Track" signal or similar browser mechanism.

Payments and billing

We use Polar for payment processing, subscription management, checkout, invoicing, and related commercial operations. Polar and its banking or payment partners may collect and process payment method details, billing information, tax data, transaction records, and anti-fraud information in accordance with their own notices and contractual requirements.

We typically receive limited payment and commercial information needed to activate subscriptions, reconcile transactions, respond to billing issues, comply with tax or accounting obligations, prevent fraud, and enforce our commercial terms. We generally do not store full payment card numbers in our application.

How we disclose information

We may disclose personal information to the following categories of recipients:

  • Service providers and infrastructure vendors that help us host, store, analyze, secure, authenticate, bill, communicate, monitor, and operate the Services.
  • Connected platforms and integrations, such as TikTok, when you direct us to connect, upload, schedule, send, or publish content.
  • Authentication, analytics, observability, and payment providers, including current notable providers such as Clerk, Umami, Helicone, Polar, OpenAI, fal.ai, and TikTok. This list is illustrative and may change as our stack evolves.
  • Professional advisers and counterparties, such as lawyers, auditors, insurers, accountants, and transaction advisers, where reasonably necessary.
  • Authorities and other third parties where we believe disclosure is appropriate to comply with law, protect rights or safety, investigate misconduct, recover amounts owed, enforce our agreements, or defend legal claims.
  • Successors or acquirers in connection with a merger, financing, acquisition, bankruptcy, restructuring, sale of assets, or similar corporate transaction.
  • Other parties at your direction or with your consent.

We may also disclose aggregated or de-identified information that does not reasonably identify you, and we may use such information for any lawful business purpose.

Data retention

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain records, resolve disputes, comply with legal obligations, protect the integrity of the Services, and enforce our rights. Retention varies by data type and business need.

  • Account, profile, slideshow, automation, asset, and workspace information may be retained while your account is active and for a reasonable period afterward.
  • TikTok credentials are retained while the connection is active and deleted from our active credential store when that connection is removed, subject to limited backup, security, or legal retention.
  • TikTok webhook events, publish tracking data, job logs, error logs, analytics records, and metrics snapshots may be retained for operational, auditing, troubleshooting, fraud prevention, and historical reporting purposes.
  • AI-generated library images that are not promoted into a saved custom library workflow may be eligible for removal after 14 days. Saved or otherwise referenced assets may be retained longer.
  • Deleted data, revoked connections, and removed content may remain in backups, caches, disaster recovery systems, security systems, or legal archives for a limited additional period.
  • We may retain information longer where necessary to comply with tax, accounting, audit, security, abuse-prevention, legal hold, or dispute-resolution requirements.

Data security

We use administrative, technical, and organizational safeguards designed to protect personal information. Those measures may include access controls, secure transport, encryption, monitoring, token segregation, audit logs, and vendor security controls. In our current product architecture, TikTok access and refresh tokens are encrypted before storage.

No security measure is perfect and no method of transmission or storage is guaranteed to be fully secure. To the maximum extent permitted by applicable law, we do not guarantee absolute security, and you use the Services and transmit information at your own risk. You are responsible for maintaining the confidentiality of your credentials and for controlling access to your devices and accounts.

International data transfers

We are based in Canada and may process information in Canada, the United States, and other jurisdictions where we or our vendors operate. Those jurisdictions may have data protection laws that are different from the laws of your jurisdiction.

Where required, we will use appropriate safeguards for cross-border transfers, such as contractual protections or other lawful transfer mechanisms. By using the Services, you understand that your information may be transferred to and processed in countries outside your place of residence.

Your rights and choices

Depending on where you live and the nature of your relationship with us, you may have rights to access, correct, update, delete, export, restrict, object to, or withdraw consent for certain processing of your personal information.

  • You may update certain account information inside the Services.
  • You may disconnect TikTok accounts, remove content, and delete certain assets or slideshows through product functionality where available.
  • You may opt out of marketing emails using the unsubscribe link in the message. You will still receive transactional, billing, legal, and security communications when necessary.
  • You may request access, correction, deletion, portability, or other applicable privacy rights by contacting us.
  • We may request information to verify your identity and may deny or limit a request where permitted by law, including where we cannot reasonably verify the requestor, the request jeopardizes the rights of others, or an exemption applies.

U.S. state privacy disclosures

If you are a resident of a U.S. state with applicable privacy rights, you may have rights to know, access, correct, delete, obtain a portable copy of, or appeal decisions relating to your personal information, subject to applicable exceptions and verification requirements.

  • As of the Last Updated date above, we do not sell personal information for monetary consideration.
  • As of the Last Updated date above, we do not knowingly share personal information for cross-context behavioral advertising.
  • We may disclose personal information to processors, contractors, service providers, and third parties for the business and commercial purposes described in this Privacy Policy.
  • We will not unlawfully discriminate against you for exercising applicable privacy rights.

Children's privacy

The Services are not directed to children under 13 and are not designed for use by young children. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us in violation of this policy, contact us and we will take appropriate action.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time at our discretion. When we do, we will post the updated version here and revise the "Last updated" date above. Material changes may also be communicated through the Services or by email where appropriate. Your continued use of the Services after an updated Privacy Policy becomes effective indicates your acceptance of the revised policy, to the extent permitted by law.

Contact us

If you have questions, concerns, or privacy requests, you can contact:

SlideCastle operated by Sidewave Digital Inc.
Email: contact@sidewavedigital.com

If you are contacting us about a privacy request, please include enough information for us to identify your account and understand the request. We may need to verify your identity before taking action.