Privacy Policy

Effective date: May 24, 2026

This Privacy Policy explains what data Fozato ("we," "our," or "the Service") collects when you use the platform at fozato.com, how we use and protect that data, and the choices you have. By using the Service you agree to the practices described here.

1. Data we collect

We collect only what is needed to operate the Service:

  • Account information: Name, email address, profile picture, and Google account identifier when you sign in with Google OIDC.
  • Workspace / tenant data: Workspace name, slug, optional custom domain, billing plan, member roles.
  • Business profile: Business name, description, website URL, category, target language, and brand voice you enter during onboarding or funnel creation.
  • Funnel content: Topics, keywords, scripts, generated voice tracks, generated videos, captions, and the metadata of every reel produced for you.
  • OAuth tokens for connected social platforms: When you connect YouTube, Facebook, Instagram, Threads, LinkedIn, Pinterest, or Tumblr we receive access tokens (and refresh tokens, where the provider issues them). Tokens are encrypted at rest and used only to publish content you explicitly request.
  • Published-post metadata: Remote post IDs, permalinks, and basic engagement metrics (views, likes, comments) fetched from the platform after a successful publish.
  • Payment information: Billing is handled by Razorpay. We do not store full card numbers — we receive only a tokenized identifier and the order/subscription status from Razorpay.
  • Operational logs: Request timestamps, IP address, user agent, and error traces used for security and debugging. Retained for up to 90 days.

2. How we use your data

  • Provide and operate the Service (account, workspace, billing).
  • Generate short-form video content using your business context, language preference, and topic keywords.
  • Publish content to social platforms you have explicitly connected, only when you schedule or manually trigger a publish.
  • Fetch public post metrics (impressions, views, likes) from connected platforms so we can show you reel performance.
  • Send transactional emails (login confirmations, billing receipts, security alerts).
  • Detect abuse, prevent fraud, and enforce our Terms.

We do not sell your data, use it to train third-party AI models outside the scope of generating your own content, or use it for advertising profiles.

3. Third-party services we rely on

The Service integrates with the following processors. Each provider has its own privacy policy.

Fozato AI's use and transfer of information received from Google APIs to any other app will adhere to Google Data API Services User Data Policy, including the Limited Use requirements. (developers.google.com/terms/api-services-user-data-policy#limited-use)

4. How we handle social-platform tokens

Tokens issued by YouTube, Facebook, Instagram, Threads, LinkedIn, Pinterest, and Tumblr are used solely to publish content you explicitly request, fetch engagement metrics on posts we published for you, and delete those posts when you remove them in the Service.

  • Tokens are encrypted at rest using AES-256 with keys held in our backend secrets store.
  • We do not browse your social account, read DMs, post without your trigger, or share tokens with any third party.
  • You can revoke any connection at any time inside the Service (Settings → Connected accounts → Disconnect) or at the social provider (e.g. Facebook → Settings → Business Integrations → Remove).
  • We honor data-deletion callbacks from Meta and other providers — when a user revokes our app at the provider, the corresponding tokens and connection rows are deactivated on our side automatically.

5. Storage, security, and retention

  • Multi-tenant isolation: data is partitioned per workspace using PostgreSQL row-level security so one tenant cannot access another tenant's rows even in the event of an application-layer bug.
  • Encryption in transit: all traffic to the Service uses HTTPS (TLS 1.2+).
  • Encryption at rest: the database is encrypted by our hosting provider; OAuth tokens and refresh tokens are additionally encrypted at the application layer.
  • Retention: account, workspace, and funnel data are retained for as long as your account is active. Generated videos hosted on Cloudinary are kept while the associated reel record exists in the Service. Operational logs are kept up to 90 days.
  • Deletion: deleting your account removes your profile, workspaces, funnels, social-account tokens, and generated videos within 30 days. Some records may be retained longer when required by law (e.g. tax invoices for paid plans).

6. Your rights

Depending on your jurisdiction (GDPR, CCPA, DPDP Act, etc.) you have the following rights over your personal data:

  • Access — request a copy of the data we hold about you.
  • Correction — fix inaccurate or incomplete data.
  • Deletion — ask us to erase your account and associated data, subject to legal retention obligations.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Withdraw consent — revoke any OAuth connection at any time.
  • Lodge a complaint with your local data-protection authority if you believe we have violated your rights.

To exercise any of these rights, email support@fozato.com from the email address associated with your account. We respond within 30 days.

7. Cookies and local storage

We use browser local storage to keep your authentication token between sessions and to remember your active workspace. We do not use third-party advertising cookies or cross-site tracking pixels.

8. AI-generated content

Reel scripts, voice tracks, and assembled videos are generated using third-party AI models. The prompts we send include only the business context you have provided. We do not send your OAuth tokens, customer lists, or payment data to any AI provider.

You are responsible for reviewing AI-generated content before publishing and for ensuring it complies with the terms of the platforms you publish to.

9. Children's privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, email support@fozato.com and we will delete it promptly.

10. International data transfers

Our infrastructure runs on cloud providers located in multiple regions. By using the Service you consent to your data being processed in jurisdictions outside your own, including the European Union, India, and the United States. Where required by law we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or in the Service at least 14 days before they take effect. The "Effective date" at the top of this page is always current.

12. Contact us

Questions, requests, or concerns about this policy or how we handle your data:

support@fozato.com

© 2026 Fozato. All rights reserved.