Privacy Policy

Last updated: June 23, 2026

OAuth scope details (per-service)

The tables below are derived directly from the platform source code that performs the actual authorization requests.

Primary integrations (review-sensitive providers)

Google Workspace (Gmail, Drive, Sheets, Calendar)

Send email, read and write user-granted spreadsheets, create app-owned Drive files, and manage calendar events on the user's behalf when the user's workflow requires it.

ScopeWhat it authorizesHow Epic Saaz uses it
openid / email / profileIdentify the signed-in Google account (email, display name, avatar).Display the connected account in the dashboard.
https://www.googleapis.com/auth/gmail.sendSend email messages from the user's Gmail account.Deliver outbound email that the user's automation produces (for example, approval notifications or templated messages). We do not read, list, or access inbox content.
https://www.googleapis.com/auth/drive.fileCreate, read, and modify only the Drive files that the application itself creates or that the user explicitly opens with the application via Google Picker.Store generated media, documents, or logs in Drive when a workflow outputs to Drive. Read and write Google Sheets the user has explicitly picked via the Google Picker SDK — this replaces the previously-requested broader spreadsheets scope, which we deprecated in June 2026. We cannot enumerate or access any file in the user's Drive that was not created by Epic Saaz or explicitly picked by the user.
https://www.googleapis.com/auth/calendarRead and write events on the user's Google Calendar.Create events, read availability, or update events when a workflow integrates with Calendar (for example, a booking-driven automation).

What we do not do with your Google Workspace (Gmail, Drive, Sheets, Calendar) data:

  • We do not request and have never requested the restricted gmail.readonly scope. Inbox message bodies, attachments, and metadata remain inaccessible to Epic Saaz.
  • The drive.file scope is intentionally chosen over the broader drive scope so that files not created by Epic Saaz are never visible to the application.
  • We deprecated the spreadsheets scope in June 2026 in favour of drive.file plus the Google Picker SDK. Cell-level Google Sheets operations work on user-picked files only — no sheet in the user's Drive that they have not explicitly picked is visible to Epic Saaz.
  • We do not use Google account data to build advertising profiles or resell it to third parties.

YouTube (separate Google OAuth consent)

Upload and manage videos on the user's YouTube channel when a workflow includes YouTube publishing.

ScopeWhat it authorizesHow Epic Saaz uses it
https://www.googleapis.com/auth/youtube.uploadUpload videos to the user's YouTube channel.Publish video content that the user's automation produces (for example, the Social Media Queue Publisher blueprint).
https://www.googleapis.com/auth/youtube.readonlyRead channel metadata, upload status, and video information.Confirm uploads have completed, surface upload status back to the dashboard, and display the connected channel name.
openid / emailIdentify the YouTube channel owner.Display the connected channel in the dashboard.

What we do not do with your YouTube (separate Google OAuth consent) data:

  • We do not access other videos on the channel beyond what is required to confirm the status of an upload initiated by Epic Saaz.
  • We do not manipulate comments, subscribers, or monetisation settings.

TikTok (Content Posting API)

Publish videos on the creator's behalf via the TikTok Content Posting API when a workflow includes TikTok publishing. The creator configures how their posts behave on the automation activation page: privacy level is a required dropdown with no default whose options are sourced live from TikTok's creator_info.privacy_level_options; comment / duet / stitch are Yes/No selectors that are greyed out automatically when TikTok has disabled them for the account; and commercial-content disclosure (Your Brand / Branded Content) is selected there too — choosing Branded Content disables the "Only Me"/private privacy option (and selecting private disables Branded Content), with the tooltip "Branded content visibility cannot be set to private." The creator then gives final express consent per post in the in-app Telegram approval message, which displays "By posting, you agree to TikTok's Music Usage Confirmation" (or "…Branded Content Policy and Music Usage Confirmation" when branded content is disclosed). The Approve button click IS the per-post consent.

ScopeWhat it authorizesHow Epic Saaz uses it
user.info.basicRead the creator's public profile (open_id, display name, avatar) and the creator_info API capabilities for the connected account.Display the connected creator's nickname and avatar in the dashboard and in-app approval message. Call creator_info to (a) populate the activation-page privacy dropdown dynamically from the creator's privacy_level_options, (b) gate publishing on creator_can_post, (c) enforce max_video_post_duration_sec, and (d) grey out the comment / duet / stitch Yes/No selectors that the creator has disabled at their TikTok account level — per TikTok Content Sharing Guidelines Points 1 + 2c. creator_info is queried fresh and held only in a short-lived in-memory cache per credential to debounce repeated form loads; the cache is never persisted to disk and is invalidated on credential disconnect.
video.uploadUpload videos to the creator's Inbox (drafts) on TikTok.Inbox path — the creator reviews the video on the TikTok mobile app before publishing manually. Files are passed via PULL_FROM_URL from an Epic Saaz-owned domain (www.modkrib.com) with verified ownership; we do not use FILE_UPLOAD when files originate on our servers, per TikTok Content Sharing Guidelines technical considerations. After init, we poll publish/status/fetch for up to 2 minutes (12 attempts × 10s) and only mark the file as published when status reaches PUBLISH_COMPLETE.
video.publishPublish videos directly to the creator's profile.Direct Post path for scheduled publishing. Every post carries the creator's selections made on the automation activation page and confirmed in the in-app approval message: privacy level (a required dropdown sourced from creator_info.privacy_level_options, with the private "Only Me" option disabled when Branded Content is selected per Guideline 3b), interactions (comment / duet / stitch Yes/No selectors, individually greyed when the creator has disabled them at the TikTok account level), and commercial-content disclosure (Off / Your Brand / Branded Content / both). Files are passed via PULL_FROM_URL from www.modkrib.com (verified-ownership domain). publish_id is persisted to audit_logs for the lifetime of the polling loop (max 2 minutes), then discarded.

What we do not do with your TikTok (Content Posting API) data:

  • We do not read, download, or otherwise access videos that exist on the creator's account outside of the videos we publish on the creator's behalf.
  • We do not access direct messages, followers, analytics, or any surface beyond the upload, publish, status/fetch, and creator_info endpoints.
  • We do not retain TikTok video URLs after the post has been published — they are passed through PULL_FROM_URL and discarded post-publish.
  • We do not use creator_info data for analytics, advertising, or profiling — it is used only to populate the activation-page selectors (privacy dropdown options, interaction selector availability, duration enforcement, capability check) and is not persisted to disk.
  • We do not add watermarks, logos, branding, or promotional overlays to creator content — videos are passed to TikTok unmodified per TikTok Content Sharing Guidelines Watermark Guidelines.
  • We do not store per-post consent acknowledgements as configuration. There are no Setup-form 'agree to terms' checkboxes — instead the per-post Telegram approval message displays the matching declaration text (Music Usage Confirmation only, or Branded Content Policy + Music Usage Confirmation when Branded is selected), and the creator's tap of the Approve button IS the explicit per-post consent.
  • We do not bypass per-post creator approval — there is no 'skip approval' toggle. Every Direct Post and every Inbox Upload routes through the Telegram approval gate first.
  • We do not exceed the audited daily limit — a per-tenant 24-hour post counter blocks the next publish attempt when ≥25 successful posts have landed in the prior 24 hours; the file stays queued for the next day.
  • We do not edit creator content automatically — captions are AI-generated as a draft, but the creator can edit the caption per-post by replying to the Telegram approval message, regenerate with a new variant, or reject. Posting only proceeds after explicit Approve.
  • We do not retry on duplicate Telegram callbacks — the workflow tracks processed callback IDs in workflow state and silently drops retries to prevent accidental double-posts.

Facebook (Meta)

Publish posts, schedule posts, and read basic engagement data on Facebook Pages the user administers.

ScopeWhat it authorizesHow Epic Saaz uses it
public_profileIdentify the Facebook user account.Basic login identity for the connection.
pages_show_listList the Facebook Pages the user administers.Let the user pick which Page a given automation will post to. We store only the Page IDs the user selects.
pages_read_engagementRead engagement metrics on posts published to selected Pages.Pull analytics (likes, comments, reach) into the dashboard reporting view for Pages the user has connected.
pages_manage_postsCreate, schedule, edit, and delete posts on selected Pages.The "post to Facebook" action in automations (Queue Publisher, approval-driven publishers, etc.).

What we do not do with your Facebook (Meta) data:

  • We do not request access to user personal timelines, friends lists, messages, or photos outside of Pages the user has explicitly connected.
  • We do not access ads accounts, audience data, or any audience-building surface.
  • We do not post to Pages the user has not explicitly connected to a specific automation.

Instagram Business (Meta Business Login)

Publish Feed posts, Reels, and carousels to Instagram Business accounts the user has connected.

ScopeWhat it authorizesHow Epic Saaz uses it
instagram_business_basicRead account metadata (Instagram Business Account ID, username, account type).Identify the connected account in the dashboard.
instagram_business_content_publishPublish Feed posts, Reels, and carousels on the connected account.The "post to Instagram" action in automations (Reels Generator, Queue Publisher, scheduled posters).

What we do not do with your Instagram Business (Meta Business Login) data:

  • We do not access personal (non-Business) Instagram accounts via this connection.
  • We do not read or moderate comments on the user's posts.
  • We do not send or read Instagram Direct Messages.
  • We do not use account data for audience profiling, lookalike audiences, or advertising.

WhatsApp Business (Meta Embedded Signup)

Send and receive WhatsApp messages via the Cloud API on the user's WhatsApp Business Account (WABA) for connected phone numbers.

ScopeWhat it authorizesHow Epic Saaz uses it
whatsapp_business_managementManage the user's WhatsApp Business Account, including registering and reading phone numbers.Register the phone number with Cloud API, associate the WABA with Epic Saaz, and read phone number status.
whatsapp_business_messagingSend and receive WhatsApp messages via the Cloud API on the WABA.The "send WhatsApp message" action in workflows, inbound-message-triggered automations, and approval-flow message delivery.
business_managementRead the user's Meta Business Portfolio to surface available WABAs during the Embedded Signup flow.Required by Meta's Embedded Signup so the user can pick which WABA to connect. We do not use it to read or modify other Business Portfolio objects.

What we do not do with your WhatsApp Business (Meta Embedded Signup) data:

  • We do not access business assets other than the WABAs and phone numbers the user connects.
  • We do not export contact lists, and we do not use message content to train AI models.
  • Inbound message bodies are forwarded to the user-configured workflow and are not retained for analytics, advertising, or profiling.

Other supported integrations

LinkedIn

Publish posts to the connected member profile.

ScopeWhat it authorizesHow Epic Saaz uses it
openidBasic OpenID identity.Identify the connected LinkedIn member.
profileRead basic member profile (name, headline).Display the connected member in the dashboard.
emailRead the member's email address.Display the connected member in the dashboard.
w_member_socialCreate posts on the member's behalf.Publish posts that the user's automation produces (for example, LinkedIn Blogger).

X (formerly Twitter)

Read and publish posts on the connected account.

ScopeWhat it authorizesHow Epic Saaz uses it
tweet.readRead tweets accessible to the authenticated user.Pull tweet references or quote content into a workflow when the workflow requires it.
tweet.writePublish tweets on the user's behalf.The "post to X" action in automations.
users.readRead the authenticated user's profile.Display the connected handle in the dashboard.
offline.accessRefresh access tokens silently.Keep the connection alive between scheduled automation runs without forcing re-authorization.

Slack

Post messages, read channel lists and history, and manage files in the workspace the user has installed the app to.

ScopeWhat it authorizesHow Epic Saaz uses it
chat:writePost messages to channels the app is added to.Send messages generated by the user's automation (approval requests, notifications, output).
channels:readList public channels in the workspace.Let the user pick which channel a workflow will post to.
channels:historyRead message history in channels the app is in.Workflows triggered by incoming Slack messages (inbound-message-triggered automations).
users:readList workspace members.Resolve user mentions in approval and notification messages.
files:writeUpload files to channels.Deliver generated documents, images, or exports into Slack channels when a workflow outputs a file.

HubSpot

Sync contacts and deals between Epic Saaz workflows and the user's HubSpot portal.

ScopeWhat it authorizesHow Epic Saaz uses it
crm.objects.contacts.readRead contact records.Pull contact data into workflows that reference HubSpot contacts.
crm.objects.contacts.writeCreate and update contact records.Write new leads or update contact fields when a workflow outputs to HubSpot.
crm.objects.deals.readRead deal records.Pull deal data into workflows that reference HubSpot deals.
crm.objects.deals.writeCreate and update deal records.Create or advance deals when a workflow outputs to HubSpot.

Pinterest

Publish pins to the connected account's boards.

ScopeWhat it authorizesHow Epic Saaz uses it
boards:readList the user's boards.Let the user pick which board a pin will be published to.
pins:readRead the user's pins.Confirm pin publishing status and avoid duplicates.
pins:writeCreate pins on the user's boards.The "publish to Pinterest" action in automations.
user_accounts:readRead the connected account's profile.Display the connected account in the dashboard.

Reddit

Read subreddits and submit posts from the connected account.

ScopeWhat it authorizesHow Epic Saaz uses it
identityRead the connected account's username.Display the connected account in the dashboard.
submitSubmit posts to subreddits the user has permission to post in.The "post to Reddit" action in automations.
readRead public posts and comments.Pull reference content into workflows that operate on Reddit posts.

ClickUp

Create and update tasks in the user's ClickUp workspaces.

ScopeWhat it authorizesHow Epic Saaz uses it
(application-level permissions granted at connect time)ClickUp's OAuth issues an access token with permissions defined at the app level in ClickUp's developer portal, not per-authorization scopes.Read lists, spaces, and tasks referenced by the user's workflow; create or update tasks when a workflow outputs to ClickUp.

Common commitments across all integrations

  • OAuth access and refresh tokens are encrypted at rest with AES-256-GCM before being written to our database. The encryption key is held in environment configuration and is not accessible to other tenants.
  • All data transmitted between Epic Saaz, you, and any third-party API is encrypted in transit using TLS 1.2 or higher. Epic Saaz does not accept unencrypted HTTP connections. HSTS is enforced on all production domains.
  • Each customer tenant's data is isolated by tenant identifier with database-level Row-Level Security (RLS) policies. Data belonging to one tenant is never visible to or accessible by another tenant.
  • No OAuth-granted data (message content, calendar events, contacts, media, analytics, etc.) is used to train artificial-intelligence models, either ours or third-party models.
  • No OAuth-granted data is shared with advertising networks, data brokers, or any third party outside the sub-processors strictly required to operate the platform (payment processing, transactional email delivery, cloud infrastructure). Sub-processors are bound by data-processing agreements and do not receive third-party access tokens.
  • Tokens are refreshed automatically only while an automation that uses them is active. When a user disconnects a credential in the dashboard, or deletes their account, the associated encrypted tokens are irreversibly destroyed.
  • Users may revoke authorization at any time from Dashboard → Credentials → Disconnect, or from the third-party provider's own account settings (for example, myaccount.google.com/permissions, facebook.com/settings?tab=business_tools, tiktok.com/setting/connected-apps).