Last updated: 21 April 2026 · Version 1.0

Privacy Policy

This Privacy Policy explains how XEROTECH LTD (“we”, “us”, “our”) collects, uses, stores and protects your personal data when you use AutoReel Studio and related services at autoreel.studio and app.autoreel.studio (the “Service”).

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable international data protection laws.

1. Data Controller

2. What AutoReel Studio Does

AutoReel Studio is a content automation platform that enables creators and agencies to upload, manage and publish video content to social media platforms including TikTok. Users connect their social media accounts via OAuth 2.0 and use the platform to upload and publish video content on their behalf.

3. Information We Collect

3.1 Information You Provide

• Account information (name, email address) when you register
• Video files you upload through the platform
• Video metadata you enter (titles, descriptions, hashtags)
• Support communications and feedback

3.2 Information From Connected Accounts

When you connect your TikTok account, we receive:

• user.info.basic — Your TikTok display name, avatar and open ID
• video.upload — Permission to upload video files to your TikTok account
• video.publish — Permission to publish videos to your TikTok profile

We do not access your TikTok followers, following lists, liked videos, comments, direct messages, analytics or any other TikTok data beyond the scopes listed above.

3.3 Information Collected Automatically

• Usage data (features used, upload activity, session duration)
• Technical data (IP address, browser type, device information)
• Essential cookies for session management and security

4. How We Use Your Information

• Provide the Service — Upload and publish videos to your connected social media accounts (Contract performance)
• Manage your account — Authentication, session management, connected account display (Contract performance)
• Security — Rate limiting, origin validation, abuse prevention (Legitimate interests)
• Improve the Service — Usage analytics, error tracking, performance monitoring (Legitimate interests)
• Legal compliance — Respond to lawful requests, enforce terms (Legal obligation)

5. How We Handle Your Videos and TikTok Data

Video Files

• Videos you upload are sent directly to TikTok’s servers via their Content Posting API
• For files uploaded through our interface, the video data passes through our server temporarily during the upload process
• We do not retain copies of your video files after successful upload to TikTok
• Failed uploads are retried and then discarded

OAuth Tokens

• Your TikTok access token and refresh token are stored securely on our servers using httpOnly encrypted cookies or AES-256 encrypted database storage
• Access tokens expire every 24 hours and are refreshed automatically
• Refresh tokens are valid for 365 days
• All tokens are permanently deleted when you disconnect your TikTok account
• We do not store your TikTok password — authentication is handled entirely through TikTok’s OAuth 2.0 flow

Upload Metadata

• We store a record of each upload (video title, upload timestamp, publication status, TikTok publish ID) to provide upload history
• This metadata does not include the video content itself
• Upload history is retained for 90 days after successful publication

What We Do Not Do

• We do not access other TikTok users’ data through your account
• We do not post content to your account without your explicit action
• We do not sell, share or use your TikTok data for advertising or any purpose other than providing the Service
• We do not use your videos or TikTok data to train AI models

6. Data Sharing

We share your data only with the following service providers, under strict data processing agreements:

• Vercel Inc. (United States) — Application hosting
• TikTok / ByteDance (United States / Singapore) — Video publishing via Content Posting API
• MongoDB Inc. (Ireland, EU) — Database hosting (when applicable)

We do not sell your personal data to third parties.

7. International Transfers

Some service providers are located outside the UK/EEA. We ensure appropriate safeguards through Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or UK adequacy decisions.

8. Data Retention

• Account information — Duration of account + 30 days after deletion
• OAuth tokens — Duration of active connection; deleted immediately on disconnection
• Upload metadata — 90 days after successful publication
• Server logs — 90 days

9. Your Rights

Under UK GDPR, you have the right to: access your data, correct inaccurate data, request deletion, restrict processing, data portability, object to processing, and withdraw consent. To exercise any right, contact privacy@xerotech.io. We respond within one month.

Disconnecting Your TikTok Account

You can disconnect your TikTok account at any time through AutoReel Studio. Upon disconnection, all stored OAuth tokens are permanently deleted and any pending uploads are cancelled. You can also revoke access from TikTok directly via Settings → Security → Manage app permissions.

10. Data Security

We implement appropriate measures to protect your data including: encryption in transit (TLS 1.2+), encrypted token storage, rate limiting, origin validation, httpOnly secure cookies, and input sanitisation. Tokens are never exposed to client-side JavaScript.

11. Age Requirements

AutoReel Studio is intended for users aged 18 and over. TikTok requires users to be 18+ for API access. We do not knowingly collect data from anyone under 18.

12. Cookies

We use essential cookies for session management, authentication, and CSRF protection. These cookies are necessary for the Service to function and cannot be disabled. We do not use advertising or tracking cookies.

13. Changes to This Policy

We may update this policy from time to time. Significant changes will be posted on this page. The “Last updated” date at the top indicates the most recent revision.

14. Complaints

If you are unhappy with how we handle your data, you may lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or telephone 0303 123 1113.

15. Contact Us

Email: privacy@xerotech.io
Address: XEROTECH LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ