Only what we need to publish your video. Stored encrypted, retained only while it’s useful, deletable on request. No ad tracking, no AI training on your content.
This Privacy Policy describes how Reelcycler (“Reelcycler”, “we”, “us”, “our”) collects, uses, shares, retains, and protects information when you use the Reelcycler website at reelcycler.com, the Reelcycler mobile applications for iOS and Android, and the Reelcycler API (collectively, the “Service”).
Reelcycler is the data controller for personal information processed through the Service. Our Terms of Service govern your use of the Service.
We collect only the information we need to operate the Service.
When you create a Reelcycler account we collect your email address and a salted hash of your password. We use these to authenticate you, to send transactional email (password resets, billing notices, service announcements), and to contact you about your account. We do not store your password in plain text.
When you create a Post, we collect the video file you upload, the default caption you write, the Platform accounts you select as publish targets, and any per-target caption overrides. We store the video on Amazon S3 in the us-west-2 region for the lifetime of the Post so that we can publish it and retry on failure, and we delete the video from S3 when you delete the Post or close your account. We do not analyze your video content, train any model on it, or use it for any purpose other than publishing it on your instruction.
When you connect a Platform account through the relevant OAuth flow, the Platform issues us an access token (and, where applicable, a refresh token) scoped to your account. We store these tokens encrypted at rest in our database (using Rails Active Record encryption) and use them only to publish content you have explicitly asked us to publish, to refresh expired tokens, and to read the minimum metadata required to display your connected accounts and to validate publish eligibility.
We request only the scopes we actually need:
instagram_basic, instagram_content_publish, pages_show_list, and business_management (final scope set subject to Meta App Review). We use them solely to (a) identify the Instagram Business or Creator account linked to your Facebook Page so we can display it in Reelcycler, and (b) create and publish a Reels media container on that account when you initiate a publish. We do not read your followers, your DMs, your Insights, or other people’s content. We do not store Insights or analytics data.https://www.googleapis.com/auth/youtube.upload, used solely to upload a video to your YouTube channel and to set the title, description, and Shorts-eligible metadata you have provided. We may also use a userinfo.email / userinfo.profile scope at the OAuth step solely to display which Google account you have connected. We do not request youtube.readonly, youtube.force-ssl, or any other YouTube scope in the MVP.video.upload and video.publish (and user.info.basic to display the connected account handle). We use these solely to upload and publish a video on the connected TikTok account when you initiate a publish.Reelcycler’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular, Reelcycler:
youtube.upload scope, which is the minimum scope needed to publish on your behalf;Subscriptions are processed by Stripe. We do not see or store your card number, CVC, or full bank-account details. We store the Stripe customer ID, subscription ID, plan, status, and current period end returned by Stripe so that we can show your billing state in Reelcycler and gate the Service on subscription status. We receive billing event notifications from Stripe by webhook and verify their signatures before acting on them. For Stripe’s own processing of your payment data, see Stripe’s Privacy Policy at https://stripe.com/privacy.
We collect basic operational logs from the Service — for example, which API endpoints you call, HTTP status codes, error stack traces, publish attempts and their outcomes, and aggregate counts of Posts per user — so we can keep the Service running, diagnose failures, prevent abuse, and improve reliability. These logs include your account ID and IP address. They do not include the contents of your video or your captions.
reelcycler.com uses strictly necessary cookies for sign-in, session management, and CSRF protection. We may also use a small number of first-party analytics cookies to measure aggregate marketing-site traffic; where required by law, we will request your consent through a cookie banner before setting non-essential cookies. The Reelcycler mobile application does not use third-party advertising SDKs, does not include any tracking identifier used across other companies’ apps and websites, and does not enable Apple’s App Tracking Transparency tracking.
We do not collect your real name, date of birth, address, phone number, government ID, precise geolocation, contacts, photos beyond the videos you upload, microphone audio, biometrics, health data, or financial-account numbers. We do not buy data about you from data brokers.
We use the information described above to:
We do not sell or rent personal information, we do not use personal information for cross-context behavioral advertising, and we do not profile you for automated decisions that produce legal or similarly significant effects.
We share personal information only with the sub-processors and third parties listed below, only for the purposes described, and only under contractual obligations consistent with this policy.
us-west-2) for your uploaded video and Reelcycler application infrastructure.When you publish a Post, we transmit your video file, the resolved caption (and, for YouTube, the derived title), and the necessary OAuth credentials to the Platform you have selected (Meta for Instagram, Google for YouTube, TikTok). Each Platform then handles your content under its own terms of service and privacy policy:
https://www.facebook.com/privacy/policyhttps://policies.google.com/privacyhttps://www.tiktok.com/legal/privacy-policyWe may share information when required by law, subpoena, or other valid legal process, when necessary to protect the rights, property, or safety of Reelcycler, our users, or the public, or in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor commitments at least as protective as this policy and will notify you of any change in controller.
Reelcycler is operated from the United States and processes data on infrastructure located in the United States (Amazon S3 us-west-2). If you access the Service from outside the United States, you understand and agree that your information will be transferred to, stored in, and processed in the United States. Where required (for example, transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland), we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism with our sub-processors.
SocialAccount rows are retained in a non-publishing state so historical publish records keep their reference to the Platform handle; the tokens themselves are cleared.We may retain information beyond these periods where necessary to comply with a legal obligation, to enforce our agreements, or to resolve disputes.
Depending on where you live, you may have rights to:
To exercise any of these rights, email privacy@reelcycler.com. We may need to verify your identity before acting on a request. We will respond within the timeframes required by applicable law (for example, 30 days under GDPR; 45 days under the CCPA, extendable by another 45 days).
You can delete your account at any time inside the Reelcycler app (Settings → Delete account) or by emailing privacy@reelcycler.com. Account deletion deletes your account record, your uploaded videos, your Posts, your PostTargets, and your encrypted OAuth tokens from production systems on the schedule described in Section 6. It does not remove content you have already published on Instagram, YouTube, or TikTok — those copies live on those Platforms and must be removed there.
A standalone account-deletion request page is available at /account/delete so that Meta, Google, TikTok, and the App and Play Stores can link to it from their developer consoles.
In the prior 12 months, we have collected the categories of personal information described in Section 2 (identifiers, internet/network activity, customer records, commercial information limited to subscription status, and audio/visual information limited to the videos you upload). We have not “sold” or “shared” personal information as those terms are defined under the CCPA, including for cross-context behavioral advertising. California residents have the rights to know, delete, correct, and limit use of sensitive personal information, and the right to non-discrimination for exercising those rights.
Our lawful bases are: performance of a contract (operating the Service), legitimate interests (security, abuse prevention, product improvement), consent (non-essential marketing-site cookies, where applicable), and legal obligation (tax and accounting).
Counsel to confirm EU representative under Article 27 and UK representative, if required; final DPA contact.
We use industry-standard administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS 1.2+), encryption at rest of OAuth tokens, refresh tokens, and Stripe customer IDs in the application database (Rails Active Record encryption), encrypted S3 storage, the principle of least privilege for production access, code review, and regular security updates. Despite these measures, no system is perfectly secure; we cannot guarantee that unauthorized parties will never gain access.
If we become aware of a security incident that affects your personal information, we will notify you and the appropriate authorities as required by applicable law.
The Service is not directed to children under 13 (or the higher age of digital consent in your jurisdiction, such as 16 in parts of the EU), and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verified parental consent, we will delete it.
The Service may contain links to third-party websites and Platform properties. We are not responsible for those parties’ privacy practices. Review their privacy policies before providing them with your information.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by an in-product notice and update the “Last updated” date at the top of this page. Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of it.
Questions, complaints, or requests regarding this policy or your personal information:
privacy@reelcycler.comhello@reelcycler.comThe privacy address goes to a human. If you’d rather just delete everything, that’s one click in the app and one form on the web.