Privacy Policy

This Privacy Policy explains how Mediux AI ("we," "us," or "our") collects, uses, stores, and shares information when you use our AI-powered social media management platform (the "Service"). This policy applies to all users of the Service, including visitors to our website.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

This policy is designed to comply with applicable privacy laws including the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and the data use policies of the social media platforms we integrate with, including Meta, Google, TikTok, LinkedIn, X, Pinterest, and Reddit.

2.1 Information You Provide Directly

• Account information: Name, email address, password (hashed), and profile details when you register.
• Payment information: Billing name, address, and payment method details processed by Stripe. We do not store full card numbers on our servers.
• Brand information: Brand names, logos, descriptions, keywords, and target audience data you configure in the Service.
• User Content: Captions, images, videos, and other content you create or upload through the Service.
• Communications: Messages you send to our support team, survey responses, and feedback.

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, clicks, time spent, and actions taken within the Service.
• Device & technical data: IP address, browser type and version, operating system, device identifiers, and time zone.
• Log data: Server logs including access times, error reports, and API request details.
• Cookies & tracking technologies: Session cookies, preference cookies, and analytics identifiers. See Section 13 for details.

2.3 Information from Connected Social Accounts

When you connect a social media account, we receive data from that platform as described in Section 3 below.

When you connect social media accounts to the Service, we access data from those platforms strictly to provide the features you have requested. Here is a breakdown by platform:

3.1 Meta (Facebook & Instagram)

Data accessed: Page name, page ID, profile picture, posts, reach, engagement metrics, follower counts, audience demographics, ad account data (if connected), and comment/message data for inbox features.

Purpose: Publishing posts, scheduling content, retrieving analytics, displaying your content calendar, and managing comments/messages.

Restrictions: We comply with Meta's Platform Terms. We do not use Meta Platform Data to build user profiles for advertising, sell this data to third parties, or use it for any purpose other than providing the Service. Meta Platform Data is retained only as long as necessary to deliver the requested features.

Data deletion: You may disconnect your Meta accounts at any time. Upon disconnection or account deletion, we will delete all associated Meta Platform Data within 30 days. You may also submit a data deletion request to privacy@mediuxai.com.

3.2 Google (YouTube & Google Analytics)

Data accessed: YouTube channel name, channel ID, video metrics (views, likes, comments, watch time), subscriber counts, and playlist data.

Purpose: Displaying YouTube analytics, scheduling video uploads, and tracking content performance.

Restrictions: Our use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for serving advertisements, building user profiles beyond the Service, or any purpose not explicitly authorized.

Revocation: You can revoke access at any time at myaccount.google.com/permissions.

3.3 X (Twitter)

Data accessed: Profile information, post metrics (impressions, engagements, link clicks), follower counts, and timeline data.

Purpose: Scheduling posts, analytics display, and engagement tracking. We comply with the X Developer Agreement and Policy.

3.4 LinkedIn

Data accessed: Profile data, company page information, post metrics, follower demographics, and impression data.

Purpose: Publishing and scheduling content, analytics, and audience insights. We comply with LinkedIn API Terms of Use.

3.5 TikTok

Data accessed: Account information, video metrics (views, likes, shares, comments), follower counts, and audience data.

Purpose: Content scheduling, analytics display, and performance tracking. We comply with TikTok's Platform Terms.

3.6 Pinterest & Reddit

We access only the minimum data required to deliver the specific features you have enabled for these platforms (scheduling, analytics). Data use is governed by Pinterest's and Reddit's respective API terms.

3.7 General Principles for All Social Data

• We access only the permissions you explicitly grant.
• We do not sell social platform data to any third party.
• We do not use social platform data for advertising targeting.
• You can disconnect any social account at any time from your account settings.
• Upon disconnection, associated platform data is deleted within 30 days.

We use the information we collect for the following purposes:

• To provide the Service: Operate, maintain, and improve the platform and its features.
• To personalize your experience: Tailor content suggestions, analytics insights, and AI recommendations to your brands and goals.
• To process transactions: Manage subscriptions, billing, and payment processing.
• To communicate with you: Send account notifications, security alerts, product updates, and support responses.
• To improve our AI: We may use aggregated, anonymized usage patterns to improve our AI models. We do not use your specific User Content or social platform data to train AI models without explicit consent.
• To ensure security: Detect, prevent, and address fraud, abuse, and technical issues.
• To comply with legal obligations: Meet applicable legal requirements and enforce our Terms of Service.
• For analytics: Understand how users interact with the Service to improve our product.

Our legal bases for processing (under GDPR) include: performance of a contract (providing the Service), legitimate interests (security, fraud prevention, product improvement), legal obligations, and consent (where obtained).

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:

• Service providers: We work with trusted vendors who assist us in operating the Service (cloud hosting, payment processing, analytics, email delivery). These providers access data only as needed to perform services on our behalf and are contractually bound to protect it.
• Connected social platforms: When you publish content through our Service, that content is transmitted to the platforms you have connected.
• Business transfers: If we are involved in a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
• Legal requirements: We may disclose information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• With your consent: We may share data for any other purpose with your explicit consent.

We use the following categories of third-party services:

• Cloud infrastructure: Google Cloud Platform for hosting and data storage. Data is stored in secure, access-controlled environments.
• Payment processing: Stripe, Inc. for subscription billing. Stripe's privacy policy governs their handling of payment data.
• AI processing: Anthropic for AI-powered content generation features. Content sent to Anthropic's API for processing is governed by Anthropic's privacy policy and API terms.
• Email delivery: Transactional email providers for account notifications and support.
• Analytics: Privacy-respecting analytics tools to understand Service usage.

We require all third-party service providers to maintain appropriate data security measures and use your data only as instructed by us.

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

• Account data: Retained for the duration of your account and deleted within 60 days of account deletion.
• Social platform data: Deleted within 30 days of disconnecting the relevant account or deleting your Mediux AI account.
• Payment records: Retained for 7 years as required by financial regulations.
• Log data: Retained for up to 12 months for security and debugging purposes.
• Analytics data: Aggregated, anonymized data may be retained indefinitely.
• Content you have published: Once published to social platforms, data on those platforms is governed by those platforms' retention policies.

We implement industry-standard security measures to protect your data:

• All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Passwords are hashed using bcrypt and never stored in plain text.
• Access to production systems is restricted to authorized personnel using multi-factor authentication.
• We conduct regular security reviews and vulnerability assessments.
• Our infrastructure is hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and other security certifications.

Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. If you believe your account has been compromised, please contact us immediately at support@mediuxai.com.

Regardless of where you are located, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data (subject to legal obligations).
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing of your data in certain circumstances.
• Restriction: Request restriction of processing in certain circumstances.
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at privacy@mediuxai.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

Social platform data deletion: For data obtained from Meta, Google, or other connected platforms, you may submit a data deletion request by emailing privacy@mediuxai.com with the subject line "Data Deletion Request." We will process such requests within 30 days.

If you are located in the European Economic Area (EEA) or United Kingdom, additional rights and protections apply under the General Data Protection Regulation (GDPR) and UK GDPR.

Legal Bases for Processing

• Contract performance: Processing necessary to fulfill our contract with you (providing the Service).
• Legitimate interests: Security monitoring, fraud prevention, improving the Service, and sending service-related communications.
• Legal obligation: Processing required by applicable law.
• Consent: Marketing communications and optional features (you may withdraw at any time).

Data Protection Officer

You may contact our Data Protection Officer at dpo@mediuxai.com for any GDPR-related inquiries.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data in accordance with applicable law.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we collect, use, and share.
• Right to Delete: You may request deletion of personal information we hold about you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising.
• Right to Limit Sensitive Data Use: You may limit our use of sensitive personal information to the purposes specified in the CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@mediuxai.com with "California Privacy Request" in the subject line. We will respond within 45 days.

Categories of personal information collected in the past 12 months: Identifiers (name, email, IP address), commercial information (subscription data), internet activity (usage logs), inferences (content preferences), and professional information (brand/business details). We collect this information for business purposes as described in Section 4.

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child under 16 has provided us with personal information, please contact us at privacy@mediuxai.com and we will take steps to delete such information promptly.

If you are between 16 and 18, you must have your parent or guardian's permission to use the Service. We comply with the Children's Online Privacy Protection Act (COPPA) and similar regulations globally.

We use cookies and similar tracking technologies to operate the Service and improve your experience:

• Essential cookies: Required for authentication, security, and core Service functionality. Cannot be disabled.
• Preference cookies: Remember your settings and preferences across sessions.
• Analytics cookies: Help us understand how users interact with the Service (e.g., pages visited, features used). Data is aggregated and anonymized where possible.
• Session tokens: Secure, HTTP-only cookies used to maintain your login session.

We do not use third-party advertising cookies or tracking pixels for ad targeting. You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.

We are headquartered and our infrastructure is primarily based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US.

For users in the EEA, UK, or Switzerland, we rely on appropriate transfer mechanisms to ensure your data is protected, including Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.

By using the Service, you acknowledge and consent to the transfer of your information to the United States and other countries where we or our service providers operate.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Sending an email to the address associated with your account, and/or
• Displaying a prominent notice within the Service at least 14 days before changes take effect.

The "Last updated" date at the top of this policy indicates when it was most recently revised. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For Meta-specific data deletion requests, please email privacy@mediuxai.com with the subject "Meta Data Deletion Request." For Google-specific requests, you may also revoke access via myaccount.google.com/permissions.