Privacy Policy

Last updated: 7 May 2026

1. Introduction

Occaly ("we", "our", "us") provides an AI-powered social media management platform that helps businesses create, schedule, publish, and manage reviews across social media channels and Google Business Profile. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service at occaly.com.

By using Occaly, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect the following categories of information:

  • Account information: Email address and password (hashed by Supabase Auth)
  • Business information: Company name, logo, brand tone, and product descriptions you provide
  • Social media tokens: OAuth access tokens for Instagram, Facebook, and Google Business Profile (see Section 4)
  • Content data: AI-generated captions, images, and hashtags associated with your account
  • Usage data: Pages visited, features used, and general analytics

3. How We Use Your Information

We use your information solely to provide and improve the Occaly service:

  • Authenticate and manage your account
  • Generate AI content tailored to your brand and Finnish special days
  • Publish approved content to your connected social media accounts
  • Monitor and display ad campaign performance data
  • Improve our AI models and service quality

We do not sell your data to third parties, use it for advertising, or share it with any party other than those listed in Section 5.

4. Social Media Credentials & Vault Encryption

๐Ÿ” Zero-Knowledge Token Storage

Your social media access tokens are never stored in plaintext in our database. All tokens are encrypted using AES-256-GCM (pgsodium) via Supabase Vault before storage. The master encryption key is managed by Supabase infrastructure โ€” not accessible to Occaly team members or any third party.

When you connect your Instagram or Facebook account, we receive an OAuth access token from Meta. When you connect your Google Business Profile, we receive an OAuth access token from Google. All tokens are immediately encrypted and stored in our vault. Even with full database access, the raw token values cannot be read without the Supabase-managed encryption key.

Google Business Profile data: Through the Google Business Profile API, Occaly reads your business reviews (star rating, review text, reviewer name) in order to display them in your dashboard and generate AI-assisted reply suggestions. With your explicit approval, Occaly posts your reply back to Google on your behalf. We do not share this data with any third party, use it for advertising, or process it for any purpose other than providing the Occaly review management feature.

When you disconnect an account, both the database record andthe encrypted vault entry are permanently deleted. For Google accounts, we also revoke the OAuth token via Google's token revocation endpoint.

5. Third-Party Services

Occaly uses the following third-party services:

Supabase

Database, authentication, and encrypted token storage

Privacy Policy โ†’

Anthropic (Claude)

AI-generated captions, content, and review reply suggestions

Privacy Policy โ†’

Pollinations.ai

AI image generation

Privacy Policy โ†’

Meta (Facebook/Instagram)

Social media posting via official Graph API

Privacy Policy โ†’

Google (Google Business Profile API)

Reading business reviews and posting reply responses via the official Google Business Profile API

Privacy Policy โ†’

Vercel

Application hosting and deployment

Privacy Policy โ†’

6. Data Retention

We retain your data for as long as your account is active. Upon account deletion:

  • All personal information is permanently deleted within 30 days
  • Social media tokens are immediately deleted from vault and database
  • AI-generated content drafts are permanently deleted
  • Anonymised usage statistics may be retained for service improvement

7. Your Rights (GDPR)

As a user based in the EU/EEA, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: Request a copy of the data we hold about you
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to portability: Receive your data in a machine-readable format
  • Right to object: Object to processing of your personal data

To exercise any of these rights, contact us at privacy@occaly.com. We will respond within 30 days.

8. Cookies

Occaly uses strictly necessary cookies for authentication (session management) only. We do not use tracking, advertising, or analytics cookies. No third-party cookies are set by our application.

9. Security

We implement industry-standard security measures including:

  • AES-256-GCM encryption for all OAuth tokens (Supabase Vault)
  • Row-Level Security (RLS) ensuring strict data isolation between organizations
  • HTTPS enforcement on all connections
  • Service role key separation โ€” client-side code never has admin database access

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice in the application. Continued use of Occaly after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or requests, contact:

Occaly

Helsinki, Finland

privacy@occaly.com