Privacy Policy

Last updated: April 27, 2026

1. Who we are

Soccial AI ("Soccial AI", "we", "us") is an AI-powered assistant that helps operators run giveaways and manage related CRM, Instagram, and Shopify workflows through a chat interface at soccial.ai. This Privacy Policy explains what personal and business data we collect, why we collect it, and how we handle it.

2. Information we collect

We collect the following categories of data:

  • Account information. Your email address and (optionally) your name when you sign up. We use Supabase for authentication; your password is never stored by us directly.
  • Subscription and billing information. Your subscription tier, billing cycle, Stripe customer ID, and Stripe subscription ID. Payment card details are handled by Stripe and never touch our servers.
  • Integration credentials. When you connect GoHighLevel, Instagram, or Shopify, we store the resulting OAuth access tokens (and refresh tokens where applicable) encrypted at rest using AES-256-GCM. We never ask for or store your integration passwords.
  • Integration data accessed via tools. When you ask the AI to perform an action (e.g. "list my latest form submissions"), we call the relevant third-party API and pass the response through the AI model to generate your reply. We do not proactively crawl or cache integration data outside of the scope of a request.
  • Chat messages. The text you send to the AI and the AI's responses are stored in our database so you can see your conversation history. Retention varies by tier (7 days on Free, 30 days on Starter, unlimited on Professional and above).
  • Usage metrics. Daily message counts, monthly image generation counts, tokens consumed per request, and similar metrics needed to enforce plan limits and bill correctly.
  • Install/uninstall audit logs. When you connect or disconnect an integration, we log the event with timestamp, IP address, and user agent for security and support purposes.
  • Device session records. When you sign in to Soccial AI from a web browser or the iOS app, we record a device session containing the device kind (web / iOS / desktop), a friendly device label (e.g. "Chrome on macOS" or your iPhone's name and iOS version), the user-agent string, and the originating IP address (both first-seen and most-recently-seen). These records power the Devices page at /account/devices where you can review where your account is signed in and remotely sign out from any device. Inactive sessions are kept until you revoke them.
  • Account activity log. We keep a chronological log of meaningful changes on your account — link binds, device sign-ins and sign-outs, integration adds/removes, and subscription changes. You can view it at /account/activity. Each row carries a short summary, the related subject id, and (where relevant) the originating IP address. This data is what powers the security email we send when a new device signs in to your account.

3. How we use your information

  • To provide the service — running AI requests, executing integration actions you authorize, and returning results.
  • To enforce subscription limits (daily messages, monthly images, Deep Think reasoning quotas).
  • To process subscription payments via Stripe.
  • To respond to your support requests and investigate incidents.
  • To improve the product — aggregate, anonymized usage patterns may inform feature decisions. We do not train AI models on your chat content.
  • To comply with applicable law and legal requests.

4. Third parties we share with

We use a small set of service providers to operate Soccial AI. Each processes data only to provide its specific function:

  • Supabase — authentication, database, and row-level security.
  • Stripe — subscription billing and payment processing.
  • Vercel — hosting, deployments, and runtime logs.
  • xAI — the underlying AI model (Grok family) for chat responses and Grok Imagine for AI image generation. Chat content is sent to xAI for inference and is subject to xAI's data handling policies.
  • Your chosen integrations — GoHighLevel, Instagram (Meta), Shopify. When you ask Soccial AI to interact with one of these, we call their APIs on your behalf using the OAuth token you granted.

We do not sell your personal data. We do not share it with third parties for their marketing.

5. Security

  • All integration access tokens are encrypted at rest with AES-256-GCM using keys managed as server-side secrets.
  • Database access is governed by Supabase Row Level Security (RLS), so users can only read their own data.
  • All network traffic is served over HTTPS.
  • Webhook requests (Stripe, GHL) are verified via HMAC signatures before processing.
  • We rotate API keys and audit unusual activity. If we detect a material data incident affecting you, we will notify you within 72 hours by email.

6. Your rights

You have the right to access, correct, export, or delete your personal data. To exercise any of these rights, email privacy@givaway.ai and we will respond within 30 days. You can also delete your account directly from the billing page — doing so will immediately purge your integration tokens and schedule your chat history for deletion within 30 days.

7. Data retention

  • Chat history follows the tier retention settings above.
  • Integration tokens are retained until you disconnect the integration or uninstall Soccial AI from the integration's side (we receive and process the uninstall webhook to purge tokens automatically).
  • Billing records and audit logs are retained for 7 years to meet accounting and tax requirements.
  • Magic-link verification codes are deleted automatically 7 days after expiry (the codes themselves are stored hashed, never as plaintext).
  • Device session records are retained while active. When you sign out a device, the row is marked revoked and kept for audit purposes. Cascading delete on account closure removes all device sessions and the account activity log.
  • Closed accounts are purged within 30 days of closure except where law requires longer retention.

8. Children

Soccial AI is a business tool not directed to children under 13 (16 in the EEA/UK). We do not knowingly collect personal data from children. If you believe a child has submitted data to us, please email privacy@givaway.ai and we will delete it.

9. International transfers

Soccial AI operates in the United States. If you use Soccial AI from outside the U.S., your data will be transferred to, stored in, and processed in the U.S. We rely on standard contractual clauses and the service providers listed in section 4 for cross-border transfers.

10. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or legal obligations. When we make material changes, we will update the "Last updated" date and, for significant changes, notify you by email.

11. Contact

Questions or concerns? Email privacy@givaway.ai.