Autumn

Privacy Policy

Effective date: April 5, 2025

1. Who We Are

Autumn Social (“Autumn,” “we,” “us,” or “our”) is a social media management platform designed for independent hotels. We help hotel operators create, schedule, and publish content across social media platforms including Facebook and Instagram.

This Privacy Policy describes how we collect, use, store, and share your information when you use our website and services (collectively, the “Service”). By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name
  • Hotel or business name
  • Timezone preference

2.2 Social Media Account Data

When you connect your social media accounts (such as Facebook Pages or Instagram Professional accounts), we request specific permissions through Meta's OAuth flow. We receive and store:

  • Access tokens and refresh tokens (stored encrypted using AES-256-GCM)
  • Social media profile identifiers and page identifiers
  • Profile names and profile pictures
  • Follower counts and page metadata
  • Page engagement data (likes, comments, shares on your posts)
  • Instagram Professional account profile information

The specific Facebook and Instagram permissions we request, and the data each provides, are detailed in Section 6 below.

2.3 Content You Create

We store content you create through the Service, including:

  • Social media post text, images, and videos
  • Scheduling preferences and publish dates
  • Brand analysis data and brand kit information
  • Media files you upload

2.4 Usage Data

We automatically collect certain information when you use the Service, including:

  • Log data (IP address, browser type, pages visited)
  • Device information
  • Feature usage patterns

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Publish and schedule social media posts on your behalf to platforms you have connected
  • Analyze your brand presence to generate content recommendations
  • Authenticate your identity and manage your account
  • Communicate with you about the Service, including updates and support
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations

4. Legal Basis for Processing

We process your personal information on the following legal grounds:

  • Contractual necessity: Processing required to provide the Service you signed up for, including publishing posts to connected social media accounts and managing your content calendar.
  • Consent: When you connect a social media account via OAuth, you explicitly grant us permission to access and use your account data for the specific purposes described. You may withdraw consent at any time by disconnecting your social media accounts.
  • Legitimate interest: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud, provided these interests do not override your rights.
  • Legal obligation: Processing required to comply with applicable laws and regulations.

5. How We Share Your Information

We do not sell your personal information. We share information only in these circumstances:

  • Social media platforms: When you use the Service to publish content, we transmit that content to the platforms you have connected (e.g., Facebook, Instagram) using their official APIs.
  • Service providers: We use third-party services for hosting, database management, and infrastructure (such as Supabase for data storage and authentication). These providers only access your data as needed to perform services on our behalf.
  • Legal compliance: We may disclose information if required by law, regulation, legal process, or government request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

6. Data from Facebook and Instagram

Our use of information received from Facebook and Instagram APIs adheres to the Meta Platform Terms and Developer Policies.

6.1 Permissions We Request

When you connect a Facebook or Instagram account, we request the following permissions:

public_profile

Reads your basic Facebook profile information (name, profile picture) to identify your account within the Service. This is a default permission included with Facebook Login.

pages_show_list

Lists the Facebook Pages you manage so you can choose which Page to connect to Autumn Social.

pages_manage_posts

Allows the Service to create and publish posts on your Facebook Page on your behalf when you schedule or publish content.

pages_read_engagement

Reads engagement metrics (likes, comments, shares) on your Page posts so you can view post performance within the Service.

instagram_basic

Reads your Instagram Professional account profile information (username, profile picture, follower count) to display it within the Service.

instagram_content_publish

Allows the Service to publish photos and videos to your Instagram Professional account on your behalf when you schedule or publish content.

business_management

Allows the Service to access the Facebook Business accounts associated with your Pages, which is required to identify and connect Instagram Professional accounts linked to your Facebook Pages.

6.2 How We Handle Meta Platform Data

  • We only request the permissions listed above, each necessary for a specific feature of the Service.
  • We do not use Facebook or Instagram data for purposes unrelated to providing the Service to you.
  • We do not sell, license, or share Facebook or Instagram data with third parties.
  • We do not use Facebook or Instagram data for advertising, profiling, or any purpose beyond providing the social media management features of the Service.
  • Access tokens from Facebook and Instagram are stored encrypted at rest (AES-256-GCM) and are only used to perform actions you have explicitly authorized (such as publishing posts).
  • If you disconnect your Facebook or Instagram account from the Service, we immediately delete the associated access tokens and platform data.
  • If you remove the Autumn Social app from your Facebook settings, Meta sends us a deauthorization callback and we automatically delete all associated tokens and account data.
  • Meta may also send us a data deletion request on your behalf. When this occurs, we delete all data associated with your Facebook or Instagram account and provide a confirmation code and status URL.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of social media access tokens at rest using AES-256-GCM
  • HTTPS encryption for all data in transit
  • Row-level security policies in our database to isolate data between accounts
  • Regular security reviews of our codebase and infrastructure

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account, we delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or legal compliance).

Social media access tokens are deleted immediately when you disconnect a social media account or when Meta sends a deauthorization or data deletion callback.

Data obtained through Facebook and Instagram APIs is not retained after you disconnect the associated account or revoke our app's access, except where a brief retention period is necessary to complete an in-progress operation (e.g., a scheduled post that is about to be published).

9. Your Rights and Data Deletion

9.1 General Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate personal information
  • Request deletion of your personal information
  • Object to or restrict certain processing of your information
  • Request a portable copy of your data
  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, email us at privacy@autumnsocial.com. We will respond within 30 days.

9.2 How to Delete Your Data

You can delete your data in several ways:

  • Disconnect a social account: Go to Settings in the Service and disconnect your Facebook or Instagram account. This immediately deletes the associated access tokens and platform data.
  • Remove our app from Facebook: In your Facebook Settings under Apps and Websites, remove Autumn Social. Meta will send us a deauthorization callback and we will automatically delete all data associated with your Facebook and Instagram accounts.
  • Delete your Autumn Social account: Contact us at privacy@autumnsocial.com to request full account deletion. We will delete all your personal data, content, and connected account data within 30 days.
  • Meta data deletion request: Meta may send us a data deletion request on your behalf. When we receive this, we delete all data associated with your Meta accounts and return a confirmation code with a status URL so you can verify the deletion.

10. Cookies

We use essential cookies to authenticate your session and maintain your login state. We do not use third-party advertising or tracking cookies. Because these cookies are strictly necessary to operate the Service, they cannot be disabled while using the Service. You can delete cookies through your browser settings at any time, though this will end your active session.

11. International Data Transfers

Your information may be stored and processed in any country where our service providers maintain facilities. By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules. We ensure that appropriate safeguards are in place when transferring data internationally, including standard contractual clauses where required.

12. Additional Rights for Specific Jurisdictions

12.1 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including:

  • The right to lodge a complaint with your local data protection authority
  • The right to data portability for data you provided to us
  • The right to object to processing based on legitimate interests (see Section 4 for our legal bases)

12.2 California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information we collect and how it is used
  • The right to request deletion of your personal information
  • The right to opt out of the sale of personal information (we do not sell your personal information)
  • The right to non-discrimination for exercising your privacy rights

13. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Autumn Social
Email: privacy@autumnsocial.com

← Back to sign inTerms of Service →

© 2026 Autumn. All rights reserved.