Privacy Policy
Last updated: 2026-05-28
Wouchh ("we", "us", "our", "the Service") is operated by Wouchh, a company registered in Maharashtra, India ("Wouchh", "the Company"). The Service helps businesses manage customer engagement, publish content, and analyze performance across social media platforms including TikTok, Facebook, and Instagram.
This Privacy Policy describes what personal data we collect, why we collect it, how we use and protect it, and the choices you have. By using Wouchh, you acknowledge that you have read and understood this policy. If you do not agree, please do not use the Service.
1. Information We Collect
We collect only the data necessary to provide the features you authorize when connecting your social media accounts. We follow the principle of data minimization — we never request access to more data than is required for the functionality you use.
1.1 Data from TikTok
When you connect a TikTok Business account, we may access:
- Profile information — display name, username, avatar, bio, and verification status (scopes: user.info.basic, user.info.profile)
- Account statistics — follower count, following count, total likes, video count (scope: user.info.stats)
- Published video metadata — titles, captions, thumbnails, posting timestamps, and engagement metrics (views, likes, comments, shares) (scope: video.list)
- Comments on your owned videos — comment text, commenter display name, commenter username, commenter profile picture, like counts, timestamps, and reply status (scopes: comment.list, comment.list.manage)
- Brand mentions and tags — instances where your business account is mentioned or tagged by other users in video captions or comments, including post share URLs, engagement metrics, and poster/commenter identifiers (scope: biz.brand.insights)
- Direct message conversations — message content (text, images, video, stickers, and emoji), sender identifiers, conversation history, follower status, and timestamps. We access DMs only for conversations initiated by users who message your business first — TikTok prohibits initiating unsolicited messages. (scopes: message.list.read, message.list.manage)
- Creator analytics — audience demographics (age ranges, gender, geography), video performance metrics, profile views, reach, and engagement rates (scope: biz.creator.insights)
Regional limitation (EEA, Switzerland, UK): Due to TikTok's privacy restrictions, direct message features are limited for users in the European Economic Area, Switzerland, and the United Kingdom. For these users, we receive only message timestamps and recipient identifiers — message content is not available.
1.2 Data from Facebook & Instagram
When you connect Facebook Pages or Instagram Business accounts, we may access:
- Your name, Facebook user ID, and profile picture
- The list of Pages you manage, Page IDs, categories, tasks, and Page access tokens
- Connected Instagram Business account IDs, usernames, and profile metadata
- Content metadata for posts, stories, and reels (text, images, timestamps, engagement metrics)
- Page and Instagram Insights (impressions, reach, engagement, follower demographics)
- Messenger and Instagram Direct conversations on your managed Pages
- Comments on your Page posts and Instagram media
1.3 Usage Data
- Server logs — timestamps, IP addresses, request paths, and HTTP status codes for abuse prevention, debugging, and performance monitoring. Retained for up to 30 days.
- Session data — we use browser session storage (not cookies) to maintain your authenticated session within the dashboard. This data is stored locally in your browser and is cleared when you close the tab or log out.
1.4 Data We Do Not Collect
- We do not collect personal email addresses, phone numbers, or payment information through platform APIs.
- We do not access private/personal social media accounts — only business accounts you explicitly authorize.
- We do not use tracking cookies, third-party analytics, or advertising pixels.
2. Legal Basis for Processing
We process your data under the following legal bases (as defined by GDPR Article 6):
- Consent — You provide explicit consent when you connect your social media accounts via OAuth and agree to this Privacy Policy and our Terms of Service. You may withdraw consent at any time by disconnecting your accounts.
- Contractual necessity — Processing is necessary to deliver the Service features you requested (displaying analytics, managing messages, publishing content).
- Legitimate interest — We process limited usage data (server logs) to maintain Service security, prevent abuse, and debug errors. We have assessed that these interests do not override your fundamental rights and freedoms.
3. How We Use Your Data
We use collected data exclusively to provide, maintain, and improve the Service:
- Display your business profile, content, and performance metrics in your dashboard
- Monitor brand mentions and tags across connected platforms
- Read and reply to comments on your owned content
- Send and receive direct messages on your behalf, within each platform's rules and restrictions
- Publish and schedule content to platforms you authorize
- Surface analytics, engagement insights, and audience demographics
- Detect and prevent unauthorized access and abuse
We do not: sell your data, use it for advertising or profiling, share it with data brokers, use it to train machine learning models, or process it for any purpose beyond operating the Service.
4. How We Store and Protect Data
4.1 Encryption
- At rest: Access tokens and sensitive credentials are encrypted using AES-256.
- In transit: All data is transmitted exclusively over TLS 1.2 or higher.
4.2 Infrastructure Security
- Network segmentation separates application, database, and management tiers.
- Endpoint protection (anti-malware, host-based intrusion prevention) is deployed on all servers.
- Role-based access control enforces least-privilege and need-to-know principles.
- Multi-factor authentication (MFA) is required for all administrative access.
- Regular vulnerability scans and penetration testing are conducted.
4.3 Token Handling
Platform access tokens are decrypted in-memory solely to execute authorized API calls. Tokens are never logged, exposed in URLs, or transmitted to any party other than the respective platform provider. Refresh tokens are rotated according to each platform's schedule (TikTok: 24-hour access tokens, 1-year refresh tokens).
5. Data Sharing and Sub-processors
We share data only when strictly necessary to operate the Service:
- Platform providers — TikTok (ByteDance), Meta (Facebook/Instagram) — to execute API calls you triggered.
- Hosting provider — Netlify, Inc. (San Francisco, CA) — for application hosting, serverless functions, and CDN.
We maintain a list of sub-processors and will update this section if additional processors are engaged. We do not sell your data, share it with advertisers, or provide it to data brokers under any circumstances.
6. Data Retention
- Account data and tokens — retained for as long as your account is active and your platforms remain connected.
- Cached content metadata — refreshed periodically; older cached data is purged automatically.
- Server logs — retained for a maximum of 30 days.
- After disconnection or deletion request — all associated data is deleted within 30 days.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: You can view your connected account information, granted permissions, and stored data through the Wouchh dashboard at any time.
- Correction: You can update your connected account information through the dashboard or by contacting us.
- Deletion: You can request deletion of your data. See our Data Deletion page for detailed instructions, including platform revocation, email requests, and in-app disconnection.
- Data portability: You can request a copy of your stored data in a machine-readable format by emailing the contact below.
-
Revoke consent: You can disconnect Wouchh at
any time from your platform settings:
- TikTok: Settings → Manage account → Third-party apps
- Facebook: Settings → Business Integrations
- Lodge a complaint: If you believe your privacy rights have been violated, you have the right to lodge a complaint with your local data protection authority.
8. Age Requirements
The Service is intended for use by businesses and individuals who are at least 18 years of age. We do not knowingly collect personal data from anyone under 18. TikTok's Business APIs require all authorizing users to be 18 or older. If we become aware that we have collected data from a person under 18, we will delete that data promptly.
9. Cookies and Local Storage
Wouchh does not use cookies for tracking, analytics, or advertising. We use browser session storage (a temporary, tab-scoped storage mechanism) solely to maintain your authenticated session while using the dashboard. Session storage is automatically cleared when you close the browser tab. No persistent local storage or third-party cookies are used.
10. International Data Transfers
Your data may be processed in regions where our infrastructure and sub-processors operate, including the United States. When data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Compliance with applicable data protection frameworks (GDPR, UK GDPR, CPRA)
- Contractual obligations with sub-processors requiring equivalent protection standards
11. Incident Response
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify affected users within 72 hours of becoming aware of the breach
- Report the breach to relevant supervisory authorities as required by law
- Provide details of the breach, its likely consequences, and the measures taken or proposed to address it
- Revoke and rotate all potentially compromised access tokens immediately
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via the Service dashboard or email
- For significant changes affecting your rights, request renewed consent where required by law
Continued use of the Service after notification constitutes acceptance of the updated policy.
13. Contact
For privacy questions, data subject requests, or concerns about this policy, contact our designated privacy contact:
- Email: support@wouchh.com
- Subject line: "Privacy inquiry" or "Data subject request"
We aim to respond to all privacy-related inquiries within 30 days. For data subject access requests under GDPR, we will respond within the legally mandated timeframe.