Privacy Policy
Last updated: June 23, 2026
This Privacy Policy applies to the Epic Saaz platform and the Epic Saaz application (“Epic Saaz”, “we”, “us”, or “our”), operated by Epic Saaz. Epic Saaz is a social media and workflow automation application that integrates with third-party platforms including Google (Gmail, Drive, Sheets, Calendar, YouTube), Meta (Facebook, Instagram, WhatsApp Business), TikTok, LinkedIn, and others to help users publish, transform, and manage content.
By using Epic Saaz you agree to the terms of this policy. If you are an EEA, UK, or California resident, see section 7 — Your rights for jurisdiction-specific rights.
1. Information we collect
We collect information you provide directly, including your name, email address, organization name, and any other details you submit through our forms or account registration. We also collect usage data automatically (pages visited, features used, execution counts) for the limited purpose of operating, securing, and improving the platform.
When you connect third-party accounts to Epic Saaz we collect OAuth access tokens, refresh tokens, and the profile data returned by the connection flow (such as account IDs, usernames, and display names) solely to enable automation features on your behalf. The full list of OAuth permissions we request, per service, is enumerated in section 3 — Third-party integrations and OAuth scopes.
2. How we use your information
We use your information exclusively to provide and improve the Epic Saaz platform and the Epic Saaz application, send transactional emails, respond to support requests, and (only with your express consent) send marketing communications. Third-party account data (for example, Google Workspace tokens, TikTok tokens, or Meta tokens) is used exclusively to perform the automation actions you configure.
We do not use third-party account data for advertising, profiling, audience-building, or sale to third parties. We do not train artificial-intelligence or machine-learning models on it. For the per-service breakdown of what data each scope permits and how we use it, see section 3 below.
3. Third-party integrations and OAuth scopes
When you connect a third-party account, Epic Saaz requests only the OAuth permission scopes strictly required for the automation features the integration supports. We practice scope minimisation:
In April 2026 we deprecated the Google gmail.readonly scope because no shipped blueprint used it.
In June 2026 we deprecated the Google spreadsheets scope in favour of the narrower drive.file scope, paired with the Google Picker SDK for user-driven file selection — see section 3.4 Limited Use disclosure.
For Drive access we use only drive.file — never the broader drive or drive.readonly scopes.
The detailed per-service scope tables, including the Limited Use disclosure for Google Workspace APIs (section 3.4), are rendered below this editorial content. They are derived directly from the source code that performs the actual authorization requests and are kept in sync automatically.
3.4 Limited Use disclosure for Google Workspace APIs
Epic Saaz's use of information received from Google Workspace APIs will adhere to the Google Workspace API user data and developer policy, including the Limited Use requirements.
Specifically, Epic Saaz accesses Google Workspace user data ONLY to provide the automation features you have configured and authorized, and the data is used exclusively for the following purposes:
Gmail (
gmail.send) — used solely to send email messages your automation produces. We do not read, list, or access inbox content. Message bodies, attachments, headers, and metadata of received mail remain inaccessible to Epic Saaz.Google Drive (
drive.file) — used solely to create and manage files that Epic Saaz creates on your behalf, or files you explicitly open in Epic Saaz via the Google Picker. We cannot enumerate, search, or access any file in your Drive that you have not explicitly granted access to.Google Sheets — accessed via the same
drive.filescope on files you select with the Google Picker. We use the Sheets API to read configuration tables and append automation output rows only to sheets you have picked. No other sheets are visible to Epic Saaz.Google Calendar (
calendar) — used solely to create, read, or update calendar events when your workflow integrates with Calendar (for example, a booking-driven automation).YouTube (
youtube.upload+youtube.readonly) — used solely to upload videos to your YouTube channel and poll upload status. We do not access other videos, manipulate comments, or modify channel settings.
Epic Saaz does NOT use Google Workspace user data for any of the following purposes:
Advertising, marketing, profiling, or audience-building.
Training, fine-tuning, or developing generalized artificial-intelligence or machine-learning models — neither our own (we do not operate any models) nor any third-party provider's models.
Selling, renting, or sharing with third parties for those parties' independent commercial use.
Any purpose other than providing the specific user-facing automation features you have explicitly authorized.
Human review of Google Workspace user data:
Epic Saaz personnel do not access Google Workspace API data except in the following narrowly-scoped cases, each of which requires the express consent of the affected user:
To investigate a security incident or fraud, where required by applicable law.
To perform user-requested support (the user must submit a support ticket explicitly authorizing access to a specific resource for a specific debugging session).
For internal compliance audits, in aggregated and anonymized form only, where no individual user data is identifiable.
This commitment is permanent and applies even after you revoke a connection. Upon revocation, all encrypted Google Workspace tokens are irreversibly destroyed from our systems within minutes — see section 6 Data retention and token handling.
4. Sub-processors and data sharing
We do not sell your personal data. We share data only with the named sub-processors below, each of which is bound by a Data Processing Agreement (DPA) and contractually prohibited from using your data outside the narrow purpose described:
4.1 Cloud infrastructure
Supabase — managed Postgres database + authentication. Stores encrypted OAuth tokens, user account data, and automation configurations. Supabase does not have visibility into the unencrypted values of OAuth tokens because tokens are encrypted by Epic Saaz before they reach the database.
Amazon Web Services (AWS) — underlying cloud compute and storage for Supabase and for Epic Saaz application servers. See section 10 Data storage location for the specific region.
4.2 Payment processing
Stripe — processes subscription payments and invoices. Receives only the data required for payment processing (email address, subscription tier, billing address, payment method). Does not receive any OAuth tokens, Google Workspace data, or automation content.
4.3 Transactional email delivery
Resend — sends transactional emails Epic Saaz generates (password-reset, billing receipts, approval-flow notifications). Receives only the email body and recipient address of the messages Epic Saaz authors itself. Does not receive any third-party OAuth tokens or any data Epic Saaz reads from Google Workspace.
4.4 Platform-managed third-party AI providers (optional, user-triggered only)
When your automation includes an AI generation step (for example, drafting a TikTok caption or generating an image), Epic Saaz routes the generation request to a third-party LLM or image-generation provider. The data sent to these providers is only the text or image content the user’s automation asks them to generate — never Google Workspace user data, OAuth tokens, or other sensitive credentials.
Anthropic (Claude models) — text generation. Anthropic does not use API content to train its models by default.
OpenAI (GPT models, embedding models, Whisper) — text generation, embedding for vector search, audio transcription. Per OpenAI’s policy effective March 2023, API content is not used to train OpenAI models.
Groq — inference and Whisper transcription.
Fal.ai (Recraft, nano-banana) — image generation.
Tavily — web search API for research automations.
4.5 Bring Your Own Key (BYOK) — paid-tier, explicit opt-in only
The following providers are available exclusively via Bring Your Own Key (BYOK). When you bring your own key, the connection is opt-in, the API key is held in our encrypted credential vault under your tenant, and usage is governed by your direct contract with the provider — not Epic Saaz. The platform does NOT operate a managed fleet of keys for any provider in this list.
Google Gemini (Generative Language API) — paid tier only, explicit opt-in. BYOK only — the platform-managed fleet does NOT include free-tier or paid-tier Gemini access. When you opt in by adding your own paid-tier API key, your usage is governed by your contract with Google.
Mistral, Cohere, Perplexity, xAI Grok — additional LLM providers available via BYOK. When you bring your own key, your usage is governed by your direct contract with the provider, not Epic Saaz.
Sub-processors do NOT receive third-party OAuth tokens. Google Workspace user data, Meta tokens, TikTok tokens, LinkedIn tokens, and other connected-account credentials are used exclusively by Epic Saaz infrastructure to execute the automation actions you configure. They are never shared with any sub-processor named above.
All sub-processors are contractually obligated to maintain the confidentiality and security of personal data and to comply with applicable privacy laws (GDPR, CCPA, etc.). We will notify users of material changes to this sub-processor list via the Last-Updated date at the top of this policy and (for material changes) via email to the account contact.
5. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies for advertising purposes.
5.5 Data protection — encryption, isolation, access control
5.5.1 Encryption at rest
OAuth access and refresh tokens (including Google Workspace API tokens), user API keys, and other sensitive secrets are encrypted at rest using AES-256-GCM, a cryptographically authenticated encryption algorithm. Each value is encrypted with a unique 12-byte initialization vector (IV) generated via cryptographically secure randomness. The encryption key is held in environment configuration with strict file-system access controls and is rotated on a documented schedule. The encryption key is never written to the database.
5.5.2 Encryption in transit
All data transmitted between you and Epic Saaz, and between Epic Saaz and any third-party API (including Google, Meta, TikTok, LinkedIn, and our sub-processors), is encrypted in transit using TLS 1.2 or higher. Epic Saaz does not accept unencrypted HTTP connections. HSTS (HTTP Strict Transport Security) is enforced on all production domains.
5.5.3 Tenant isolation
Each customer’s data — including Google Workspace OAuth tokens, automation configurations, file storage, and execution history — is isolated by tenant identifier with database-level Row-Level Security (RLS) policies. The database enforces that data belonging to one tenant is never visible to or accessible by another tenant, even at the row-level via direct SQL queries. Tenant isolation is enforced uniformly across all tables that contain customer data.
5.5.4 Internal access control
Access to production systems containing user data is restricted to a small named group of Epic Saaz personnel (engineering and operational support roles only). Access is governed by least-privilege principles, requires multi-factor authentication, and is logged in an immutable audit trail. Sales, marketing, finance, and external personnel do not have access to user OAuth tokens or Google Workspace data. Internal access to a specific user’s data — for example, during user-requested support troubleshooting — requires the express consent of that user via a support-ticket authorization.
5.5.5 Credential refresh and destruction
OAuth tokens are refreshed automatically only while an automation that uses them is active. When you disconnect a credential from Dashboard → Credentials, or when you delete your account, the associated encrypted tokens are irreversibly destroyed within minutes and cannot be recovered. This is enforced by application logic and database constraints, not by manual review.
6. Data retention and token handling
We retain your account data for as long as your account is active. OAuth access and refresh tokens issued to Epic Saaz are encrypted at rest (see section 5.5.1) and are refreshed automatically only while an automation that uses them is active. When you disconnect a credential from Dashboard → Credentials, the associated encrypted tokens are irreversibly destroyed within minutes. You can request deletion of all your data at any time by contacting privacy@epicsaaz.ai. Upon verified request, account data is deleted within 30 days except where retention is required by law.
Specific retention windows for Google Workspace API data:
Gmail sent-message metadata — not retained. Once the send call returns, no record of the message body remains in Epic Saaz beyond the workflow execution log (purged after 90 days).
Sheets cell values — held only in workflow-execution memory; not persisted to the database beyond the workflow log (purged after 90 days).
Drive file contents — held only in transit between your Drive and the destination workflow node; not retained on Epic Saaz infrastructure.
Calendar events — held only in workflow execution; not persisted.
YouTube uploads — the video file is streamed to YouTube’s upload API and immediately discarded from Epic Saaz disk; only upload-status metadata (video URN, upload completion timestamp) is retained for the workflow log.
OAuth tokens — held in encrypted form for the lifetime of the credential connection, destroyed on disconnect or account deletion.
6.5 Incident response and breach notification
In the event of a security compromise, unauthorized access, or suspected breach of Epic Saaz systems or your account credentials, Epic Saaz will:
Begin investigation within 24 hours of detection.
Notify the South African Information Regulator as soon as reasonably possible after becoming aware of the compromise, in accordance with POPIA section 22, by submitting the prescribed Form SCN1 via the Regulator’s eServices portal at eservices.inforegulator.org.za.
Notify affected data subjects as soon as reasonably possible after becoming aware of the compromise (POPIA s.22), and in no case later than 72 hours for EEA / UK residents (per GDPR Article 34) or 30 days for users in jurisdictions without statutory timelines.
Provide affected users with details of the compromise sufficient to take protective measures: the categories of data affected, the steps Epic Saaz has taken to remediate, and the actions affected users should take (for example, disconnecting and reconnecting affected credentials).
File required notifications with other regulators (GDPR Article 33 for EEA breaches, state attorneys general under CCPA, etc.) as required by law.
You may report a suspected security incident to privacy@epicsaaz.ai with the subject line “SECURITY INCIDENT REPORT”. All incident reports are reviewed within 24 hours.
7. Your rights
You have the right to access, correct, or delete your personal data. To exercise these rights, contact us at privacy@epicsaaz.ai. Depending on your jurisdiction, you may also have additional rights as described below.
7.1 South Africa residents (POPIA)
Under the Protection of Personal Information Act, 2013 (POPIA), as a data subject you have the right to:
Be notified that personal information about you is being collected (POPIA s.18).
Access your personal information held by Epic Saaz (POPIA s.23).
Correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully (POPIA s.24).
Withdraw consent to processing at any time where processing is based on consent (POPIA s.11(2)(b)).
Object to processing on reasonable grounds related to your particular situation (POPIA s.11(3)).
Object to direct marketing by means of unsolicited electronic communications (POPIA s.69).
Not be subject to automated decision-making that has legal or material consequences for you, without human review (POPIA s.71).
Lodge a complaint with the Information Regulator of South Africa.
Information Regulator of South Africa — JD House, 27 Stiemens Street, Braamfontein, Johannesburg 2001 · Tel: +27 (0)10 023 5200 / 5207 · Web: inforegulator.org.za.
7.2 EEA / UK residents (GDPR)
You have the rights of access, rectification, erasure, restriction, portability, and objection. You may lodge a complaint with your local supervisory authority.
7.3 California residents (CCPA / CPRA)
You have the rights to know which categories of personal information we collect, to access, correct, and delete your personal information, and to opt out of sale or sharing. Epic Saaz does not sell or share personal information.
7.4 PAIA — Promotion of Access to Information Act
As a South African private body, Epic Saaz publishes a PAIA Manual under section 51 of the Promotion of Access to Information Act, 2000. The PAIA Manual is available at /legal/paia-manual. Requests for access to records under PAIA must be lodged on Form 2 (Form C) addressed to the Information Officer (see section 9).
8. Data deletion
You may request deletion of your personal data at any time. You can submit a deletion request in one of the following ways:
From within the platform: go to Dashboard → Settings → Account and select Delete Account.
By email: send a request to info@epicsaaz.ai with the subject line “Data Deletion Request” and include the email address associated with your account.
We will verify your identity and process the request within 30 days. Upon deletion:
Your account, profile, and all associated personal data will be permanently deleted.
All automation workflows, credentials (including encrypted third-party OAuth tokens), and files stored under your account will be removed.
Active subscriptions will be cancelled immediately with no further charges.
Certain data may be retained beyond this period where required by law (e.g. billing records for tax compliance, fraud prevention records). Retained data is isolated and not used for any other purpose.
For full step-by-step instructions, see our Data Deletion Instructions page.
Meta user data deletion callback
If you revoke Epic Saaz from Facebook or Instagram via Meta’s Privacy Settings → Apps and Websites, Meta sends an automated deletion request to our platform. We process it at POST /api/meta/data-deletion-callback, which:
Verifies Meta’s signed request using our per-app HMAC secret.
Deallocates every stored Meta OAuth credential matching your Meta user ID (access and refresh tokens are marked invalid and are no longer used by any automation on the platform).
Returns a confirmation URL and alphanumeric code to Meta, which is shown back to you so you can verify the deletion outcome.
Completes within seconds, not days — there is no background queue.
Your confirmation URL is /data-deletion/status/<code>, which shows the timestamp of deletion, the number of credentials removed, and the status. This page is publicly viewable without an Epic Saaz account — the confirmation code itself is the access token.
The deletion is scoped to your Meta OAuth credentials. It does not cascade to other automations, files, or tenant-workspace data you may have on Epic Saaz beyond the Meta credential record itself. If you want a fuller Epic Saaz account deletion, use the primary path described above.
Google deauthorization
You may revoke Epic Saaz’s access to your Google Workspace at any time from myaccount.google.com/permissions. When you revoke, Google immediately invalidates the access and refresh tokens issued to Epic Saaz. Our automated credential refresh logic detects the revocation on the next refresh attempt and marks the credential as invalid in our system. To complete the deletion of stored token data on our side, additionally disconnect the credential from Dashboard → Credentials.
9. Data controller (Responsible Party) and Information Officer
Responsible Party under POPIA (Data Controller under GDPR):
Epic Saaz (Pvt) Ltd
Company Registration Number: K2026251004
24 Kengies Gate, Frederick Road
Broadacre, Fourways
Johannesburg 2191, South Africa
Information Officer (POPIA section 55, designated under section 56):
George Senzere, Founder and Chief Architect
Email: privacy@epicsaaz.ai
The Information Officer is registered with the Information Regulator of South Africa under POPIA section 55.
Privacy contact:
Email: privacy@epicsaaz.ai
Subject lines for privacy matters: “Privacy: <your request>” (for example, “Privacy: Data Access Request”).
For privacy inquiries, complaints, or to exercise your rights under POPIA (South Africa), GDPR (EEA / UK), CCPA (California), or similar privacy laws, contact privacy@epicsaaz.ai. We aim to acknowledge within 5 business days and respond substantively within 30 calendar days, in line with POPIA section 23 and PAIA section 56.
9.1 The 8 conditions for lawful processing under POPIA section 8
Epic Saaz processes personal information in accordance with the 8 conditions for lawful processing set out in Chapter 3 of POPIA:
Accountability (s.8) — Epic Saaz is responsible for ensuring all conditions are met.
Processing Limitation (ss.9–12) — minimum data necessary; collected lawfully and with consent or other valid basis.
Purpose Specification (ss.13–14) — collected for specific, explicitly defined purposes documented in this policy.
Further Processing Limitation (s.15) — not used for incompatible secondary purposes.
Information Quality (s.16) — kept accurate, complete, and updated.
Openness (ss.17–18) — this policy itself satisfies the s.18 notification requirement.
Security Safeguards (ss.19–22) — see section 5.5 Data protection and section 6.5 Incident response.
Data Subject Participation (ss.23–25) — see section 7 Your rights.
10. Data storage location and trans-border information flows
Epic Saaz is registered and operates as a South African company (see section 9 Data controller). Customer data — including personal information, automation configurations, and encrypted OAuth tokens — is stored on Amazon Web Services (AWS) infrastructure. AWS is the sub-processor providing the underlying compute and storage capacity. The AWS region currently in use is eu-central-1 (Frankfurt, Germany).
10.1 Trans-border information flows under POPIA section 72
POPIA section 72 permits the transfer of personal information about South African data subjects to a country outside the Republic only where one of the s.72(1) conditions is met. Epic Saaz relies on the following lawful bases for the transfer of South African personal information to AWS in Germany:
Primary basis — POPIA section 72(1)(a): The third party (AWS Europe) is subject to a law (the EU General Data Protection Regulation, GDPR) that provides an adequate level of protection for personal information substantially similar to POPIA. Germany is a Member State of the European Union and AWS Europe executes EU Standard Contractual Clauses (SCCs) with Epic Saaz as part of the AWS Data Processing Addendum (DPA).
Secondary basis — POPIA section 72(1)(c): The transfer is necessary for the performance of the service contract between Epic Saaz and the data subject, who has subscribed to a platform service that requires cloud-hosted infrastructure.
10.2 EEA / UK and other jurisdictions
Transfers of personal data between EEA / UK data subjects and South Africa (the controller’s jurisdiction) are governed by the European Commission’s Standard Contractual Clauses (SCCs) where required, and the UK International Data Transfer Addendum where applicable.
10.3 Onward processing
Some processing (for example, AI generation requests routed to third-party LLM providers) may occur on infrastructure operated by sub-processors in other regions including the United States. The data sent for AI generation is limited to the content the user’s automation explicitly requests to be generated — never Google Workspace user data, OAuth tokens, or other sensitive credentials (see section 4.5).
If you have specific concerns about data transfers, contact privacy@epicsaaz.ai.
11. Voluntary vs mandatory information (POPIA section 18)
When Epic Saaz collects personal information from you, the following is voluntary or mandatory:
Mandatory at account registration: email address (used as account identifier), display name. Without these, we cannot provide the platform.
Mandatory for billing: billing address, payment method details. Without these, paid subscriptions cannot be processed. Payment method details are processed by Stripe (our payment sub-processor) and are not stored by Epic Saaz directly.
Mandatory for connected third-party integrations: OAuth access and refresh tokens issued by the third-party provider (Google, Meta, TikTok, etc.). Without these, automations cannot execute. You may disconnect any integration at any time without affecting your Epic Saaz account.
Voluntary: organization name, role, profile picture, marketing-consent preferences. These improve the platform experience but are not required.
Consequences of failure to provide mandatory information: if you do not provide mandatory information at the point of collection, the corresponding service (account registration, paid subscription, or specific automation integration) cannot be activated. You can still browse our public marketing pages without providing any information.
This policy was last updated on the date shown at the top. Material changes will be communicated via email to the account contact. Historical versions are available on request.
OAuth scope details (per-service)
The tables below are derived directly from the platform source code that performs the actual authorization requests.
Primary integrations (review-sensitive providers)
Google Workspace (Gmail, Drive, Sheets, Calendar)
Send email, read and write user-granted spreadsheets, create app-owned Drive files, and manage calendar events on the user's behalf when the user's workflow requires it.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
openid / email / profile | Identify the signed-in Google account (email, display name, avatar). | Display the connected account in the dashboard. |
https://www.googleapis.com/auth/gmail.send | Send email messages from the user's Gmail account. | Deliver outbound email that the user's automation produces (for example, approval notifications or templated messages). We do not read, list, or access inbox content. |
https://www.googleapis.com/auth/drive.file | Create, read, and modify only the Drive files that the application itself creates or that the user explicitly opens with the application via Google Picker. | Store generated media, documents, or logs in Drive when a workflow outputs to Drive. Read and write Google Sheets the user has explicitly picked via the Google Picker SDK — this replaces the previously-requested broader spreadsheets scope, which we deprecated in June 2026. We cannot enumerate or access any file in the user's Drive that was not created by Epic Saaz or explicitly picked by the user. |
https://www.googleapis.com/auth/calendar | Read and write events on the user's Google Calendar. | Create events, read availability, or update events when a workflow integrates with Calendar (for example, a booking-driven automation). |
What we do not do with your Google Workspace (Gmail, Drive, Sheets, Calendar) data:
- We do not request and have never requested the restricted gmail.readonly scope. Inbox message bodies, attachments, and metadata remain inaccessible to Epic Saaz.
- The drive.file scope is intentionally chosen over the broader drive scope so that files not created by Epic Saaz are never visible to the application.
- We deprecated the spreadsheets scope in June 2026 in favour of drive.file plus the Google Picker SDK. Cell-level Google Sheets operations work on user-picked files only — no sheet in the user's Drive that they have not explicitly picked is visible to Epic Saaz.
- We do not use Google account data to build advertising profiles or resell it to third parties.
YouTube (separate Google OAuth consent)
Upload and manage videos on the user's YouTube channel when a workflow includes YouTube publishing.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
https://www.googleapis.com/auth/youtube.upload | Upload videos to the user's YouTube channel. | Publish video content that the user's automation produces (for example, the Social Media Queue Publisher blueprint). |
https://www.googleapis.com/auth/youtube.readonly | Read channel metadata, upload status, and video information. | Confirm uploads have completed, surface upload status back to the dashboard, and display the connected channel name. |
openid / email | Identify the YouTube channel owner. | Display the connected channel in the dashboard. |
What we do not do with your YouTube (separate Google OAuth consent) data:
- We do not access other videos on the channel beyond what is required to confirm the status of an upload initiated by Epic Saaz.
- We do not manipulate comments, subscribers, or monetisation settings.
TikTok (Content Posting API)
Publish videos on the creator's behalf via the TikTok Content Posting API when a workflow includes TikTok publishing. The creator configures how their posts behave on the automation activation page: privacy level is a required dropdown with no default whose options are sourced live from TikTok's creator_info.privacy_level_options; comment / duet / stitch are Yes/No selectors that are greyed out automatically when TikTok has disabled them for the account; and commercial-content disclosure (Your Brand / Branded Content) is selected there too — choosing Branded Content disables the "Only Me"/private privacy option (and selecting private disables Branded Content), with the tooltip "Branded content visibility cannot be set to private." The creator then gives final express consent per post in the in-app Telegram approval message, which displays "By posting, you agree to TikTok's Music Usage Confirmation" (or "…Branded Content Policy and Music Usage Confirmation" when branded content is disclosed). The Approve button click IS the per-post consent.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
user.info.basic | Read the creator's public profile (open_id, display name, avatar) and the creator_info API capabilities for the connected account. | Display the connected creator's nickname and avatar in the dashboard and in-app approval message. Call creator_info to (a) populate the activation-page privacy dropdown dynamically from the creator's privacy_level_options, (b) gate publishing on creator_can_post, (c) enforce max_video_post_duration_sec, and (d) grey out the comment / duet / stitch Yes/No selectors that the creator has disabled at their TikTok account level — per TikTok Content Sharing Guidelines Points 1 + 2c. creator_info is queried fresh and held only in a short-lived in-memory cache per credential to debounce repeated form loads; the cache is never persisted to disk and is invalidated on credential disconnect. |
video.upload | Upload videos to the creator's Inbox (drafts) on TikTok. | Inbox path — the creator reviews the video on the TikTok mobile app before publishing manually. Files are passed via PULL_FROM_URL from an Epic Saaz-owned domain (www.modkrib.com) with verified ownership; we do not use FILE_UPLOAD when files originate on our servers, per TikTok Content Sharing Guidelines technical considerations. After init, we poll publish/status/fetch for up to 2 minutes (12 attempts × 10s) and only mark the file as published when status reaches PUBLISH_COMPLETE. |
video.publish | Publish videos directly to the creator's profile. | Direct Post path for scheduled publishing. Every post carries the creator's selections made on the automation activation page and confirmed in the in-app approval message: privacy level (a required dropdown sourced from creator_info.privacy_level_options, with the private "Only Me" option disabled when Branded Content is selected per Guideline 3b), interactions (comment / duet / stitch Yes/No selectors, individually greyed when the creator has disabled them at the TikTok account level), and commercial-content disclosure (Off / Your Brand / Branded Content / both). Files are passed via PULL_FROM_URL from www.modkrib.com (verified-ownership domain). publish_id is persisted to audit_logs for the lifetime of the polling loop (max 2 minutes), then discarded. |
What we do not do with your TikTok (Content Posting API) data:
- We do not read, download, or otherwise access videos that exist on the creator's account outside of the videos we publish on the creator's behalf.
- We do not access direct messages, followers, analytics, or any surface beyond the upload, publish, status/fetch, and creator_info endpoints.
- We do not retain TikTok video URLs after the post has been published — they are passed through PULL_FROM_URL and discarded post-publish.
- We do not use creator_info data for analytics, advertising, or profiling — it is used only to populate the activation-page selectors (privacy dropdown options, interaction selector availability, duration enforcement, capability check) and is not persisted to disk.
- We do not add watermarks, logos, branding, or promotional overlays to creator content — videos are passed to TikTok unmodified per TikTok Content Sharing Guidelines Watermark Guidelines.
- We do not store per-post consent acknowledgements as configuration. There are no Setup-form 'agree to terms' checkboxes — instead the per-post Telegram approval message displays the matching declaration text (Music Usage Confirmation only, or Branded Content Policy + Music Usage Confirmation when Branded is selected), and the creator's tap of the Approve button IS the explicit per-post consent.
- We do not bypass per-post creator approval — there is no 'skip approval' toggle. Every Direct Post and every Inbox Upload routes through the Telegram approval gate first.
- We do not exceed the audited daily limit — a per-tenant 24-hour post counter blocks the next publish attempt when ≥25 successful posts have landed in the prior 24 hours; the file stays queued for the next day.
- We do not edit creator content automatically — captions are AI-generated as a draft, but the creator can edit the caption per-post by replying to the Telegram approval message, regenerate with a new variant, or reject. Posting only proceeds after explicit Approve.
- We do not retry on duplicate Telegram callbacks — the workflow tracks processed callback IDs in workflow state and silently drops retries to prevent accidental double-posts.
Facebook (Meta)
Publish posts, schedule posts, and read basic engagement data on Facebook Pages the user administers.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
public_profile | Identify the Facebook user account. | Basic login identity for the connection. |
pages_show_list | List the Facebook Pages the user administers. | Let the user pick which Page a given automation will post to. We store only the Page IDs the user selects. |
pages_read_engagement | Read engagement metrics on posts published to selected Pages. | Pull analytics (likes, comments, reach) into the dashboard reporting view for Pages the user has connected. |
pages_manage_posts | Create, schedule, edit, and delete posts on selected Pages. | The "post to Facebook" action in automations (Queue Publisher, approval-driven publishers, etc.). |
What we do not do with your Facebook (Meta) data:
- We do not request access to user personal timelines, friends lists, messages, or photos outside of Pages the user has explicitly connected.
- We do not access ads accounts, audience data, or any audience-building surface.
- We do not post to Pages the user has not explicitly connected to a specific automation.
Instagram Business (Meta Business Login)
Publish Feed posts, Reels, and carousels to Instagram Business accounts the user has connected.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
instagram_business_basic | Read account metadata (Instagram Business Account ID, username, account type). | Identify the connected account in the dashboard. |
instagram_business_content_publish | Publish Feed posts, Reels, and carousels on the connected account. | The "post to Instagram" action in automations (Reels Generator, Queue Publisher, scheduled posters). |
What we do not do with your Instagram Business (Meta Business Login) data:
- We do not access personal (non-Business) Instagram accounts via this connection.
- We do not read or moderate comments on the user's posts.
- We do not send or read Instagram Direct Messages.
- We do not use account data for audience profiling, lookalike audiences, or advertising.
WhatsApp Business (Meta Embedded Signup)
Send and receive WhatsApp messages via the Cloud API on the user's WhatsApp Business Account (WABA) for connected phone numbers.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
whatsapp_business_management | Manage the user's WhatsApp Business Account, including registering and reading phone numbers. | Register the phone number with Cloud API, associate the WABA with Epic Saaz, and read phone number status. |
whatsapp_business_messaging | Send and receive WhatsApp messages via the Cloud API on the WABA. | The "send WhatsApp message" action in workflows, inbound-message-triggered automations, and approval-flow message delivery. |
business_management | Read the user's Meta Business Portfolio to surface available WABAs during the Embedded Signup flow. | Required by Meta's Embedded Signup so the user can pick which WABA to connect. We do not use it to read or modify other Business Portfolio objects. |
What we do not do with your WhatsApp Business (Meta Embedded Signup) data:
- We do not access business assets other than the WABAs and phone numbers the user connects.
- We do not export contact lists, and we do not use message content to train AI models.
- Inbound message bodies are forwarded to the user-configured workflow and are not retained for analytics, advertising, or profiling.
Other supported integrations
Publish posts to the connected member profile.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
openid | Basic OpenID identity. | Identify the connected LinkedIn member. |
profile | Read basic member profile (name, headline). | Display the connected member in the dashboard. |
email | Read the member's email address. | Display the connected member in the dashboard. |
w_member_social | Create posts on the member's behalf. | Publish posts that the user's automation produces (for example, LinkedIn Blogger). |
X (formerly Twitter)
Read and publish posts on the connected account.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
tweet.read | Read tweets accessible to the authenticated user. | Pull tweet references or quote content into a workflow when the workflow requires it. |
tweet.write | Publish tweets on the user's behalf. | The "post to X" action in automations. |
users.read | Read the authenticated user's profile. | Display the connected handle in the dashboard. |
offline.access | Refresh access tokens silently. | Keep the connection alive between scheduled automation runs without forcing re-authorization. |
Slack
Post messages, read channel lists and history, and manage files in the workspace the user has installed the app to.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
chat:write | Post messages to channels the app is added to. | Send messages generated by the user's automation (approval requests, notifications, output). |
channels:read | List public channels in the workspace. | Let the user pick which channel a workflow will post to. |
channels:history | Read message history in channels the app is in. | Workflows triggered by incoming Slack messages (inbound-message-triggered automations). |
users:read | List workspace members. | Resolve user mentions in approval and notification messages. |
files:write | Upload files to channels. | Deliver generated documents, images, or exports into Slack channels when a workflow outputs a file. |
HubSpot
Sync contacts and deals between Epic Saaz workflows and the user's HubSpot portal.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
crm.objects.contacts.read | Read contact records. | Pull contact data into workflows that reference HubSpot contacts. |
crm.objects.contacts.write | Create and update contact records. | Write new leads or update contact fields when a workflow outputs to HubSpot. |
crm.objects.deals.read | Read deal records. | Pull deal data into workflows that reference HubSpot deals. |
crm.objects.deals.write | Create and update deal records. | Create or advance deals when a workflow outputs to HubSpot. |
Publish pins to the connected account's boards.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
boards:read | List the user's boards. | Let the user pick which board a pin will be published to. |
pins:read | Read the user's pins. | Confirm pin publishing status and avoid duplicates. |
pins:write | Create pins on the user's boards. | The "publish to Pinterest" action in automations. |
user_accounts:read | Read the connected account's profile. | Display the connected account in the dashboard. |
Read subreddits and submit posts from the connected account.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
identity | Read the connected account's username. | Display the connected account in the dashboard. |
submit | Submit posts to subreddits the user has permission to post in. | The "post to Reddit" action in automations. |
read | Read public posts and comments. | Pull reference content into workflows that operate on Reddit posts. |
ClickUp
Create and update tasks in the user's ClickUp workspaces.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
(application-level permissions granted at connect time) | ClickUp's OAuth issues an access token with permissions defined at the app level in ClickUp's developer portal, not per-authorization scopes. | Read lists, spaces, and tasks referenced by the user's workflow; create or update tasks when a workflow outputs to ClickUp. |
Common commitments across all integrations
- OAuth access and refresh tokens are encrypted at rest with AES-256-GCM before being written to our database. The encryption key is held in environment configuration and is not accessible to other tenants.
- All data transmitted between Epic Saaz, you, and any third-party API is encrypted in transit using TLS 1.2 or higher. Epic Saaz does not accept unencrypted HTTP connections. HSTS is enforced on all production domains.
- Each customer tenant's data is isolated by tenant identifier with database-level Row-Level Security (RLS) policies. Data belonging to one tenant is never visible to or accessible by another tenant.
- No OAuth-granted data (message content, calendar events, contacts, media, analytics, etc.) is used to train artificial-intelligence models, either ours or third-party models.
- No OAuth-granted data is shared with advertising networks, data brokers, or any third party outside the sub-processors strictly required to operate the platform (payment processing, transactional email delivery, cloud infrastructure). Sub-processors are bound by data-processing agreements and do not receive third-party access tokens.
- Tokens are refreshed automatically only while an automation that uses them is active. When a user disconnects a credential in the dashboard, or deletes their account, the associated encrypted tokens are irreversibly destroyed.
- Users may revoke authorization at any time from Dashboard → Credentials → Disconnect, or from the third-party provider's own account settings (for example, myaccount.google.com/permissions, facebook.com/settings?tab=business_tools, tiktok.com/setting/connected-apps).