Privacy Policy

Last updated: 21 April 2026

This Privacy Policy describes how MetaSnap ("we", "us", or "our") collects, uses, and protects information when you use our social media content generation and publishing platform (the "Service") available at metasnap.tyaplyap.com. By using MetaSnap, you agree to the practices described in this policy.

An Italian version of this policy is available at /privacy-it.html.

1. Data Controller

The entity responsible for operating MetaSnap and for the processing of your personal data is:

Tyaplyap — operator of the MetaSnap service.
Website: https://metasnap.tyaplyap.com
Contact: support form (preferred) — internal contact address: info@tyaplyap.com

All privacy-related requests (access, rectification, erasure, data portability, objection, withdrawal of consent) can be submitted through the support form linked above.

2. Scope

This policy applies to all users of the MetaSnap web application, including registered users, administrators, and visitors to our public pages.

3. Data We Collect

3.1 Data You Provide

Account information: email address, display name (optional), and password when you register. Passwords are never stored in plain text; they are hashed using PBKDF2-SHA512 with 100,000 iterations.
AI prompt configuration: custom system prompts and user prompt templates you create or modify.
Content you create: article URLs you submit, text descriptions, captions, hashtags, and call-to-action text you enter.
Media you upload: images for social card generation and audio files (MP3, WAV, M4A, AAC, OGG) for video background music. Image uploads are limited to 10 MB; audio files to 15 MB each, with a maximum of 10 audio files per account.
API keys: third-party API keys you provide for AI services (e.g., PublicAI, OpenAI, Anthropic, Google AI). These are encrypted at rest using AES-256-GCM.
Batch automation sources: RSS feed URLs and article source URLs you configure for automated content discovery.

3.2 Data Collected Automatically

Session data: a secure session cookie (session_token, httpOnly, Secure in production, SameSite: Lax) is set upon login. Sessions expire after 7 days of inactivity.
Technical identifiers: IP address and User-Agent string are recorded with each session and in audit logs.
Local storage: your preferred aspect ratio setting is stored in your browser's localStorage (ms_aspect). Your language preference is stored in localStorage (ms_locale).
Audit logs: we record key actions (login, logout, publishing, administrative actions) with timestamps, IP address, and User-Agent for security purposes.

3.3 Data from Social Platform Integrations

When you connect a social media account, the respective platform transmits OAuth tokens and basic profile information to MetaSnap:

Instagram (Meta): access token, page ID, Instagram business account ID, username.
TikTok: access token, refresh token, token expiry, open ID, display name, granted scopes.
YouTube (Google): access token, refresh token, token expiry, email address.

All OAuth tokens are encrypted at rest using AES-256-GCM. We do not access your social media messages, friend lists, or private content beyond what is strictly necessary to publish on your behalf.

4. How We Use Your Data

We process your data exclusively to provide and maintain the Service:

Account management: registration, authentication, session management, password changes.
Content generation: extracting article metadata from submitted URLs, generating social media cards with overlays and text, generating AI-enhanced captions using configured AI providers.
Video rendering: creating MP4 videos from generated cards using locally installed FFmpeg. Video processing occurs entirely on our servers.
Publishing: transmitting your content (captions, images, videos) to connected social media platforms via their official APIs.
Batch automation: automatically discovering articles from your configured RSS/URL sources, generating content, and optionally publishing on schedule.
Administration: enabling administrators to manage users, view aggregate statistics, and reset passwords.
Security and abuse prevention: monitoring sessions, validating OAuth states, detecting unauthorized access.

5. Legal Basis for Processing

Under the EU General Data Protection Regulation (GDPR), we rely on the following legal bases:

Performance of a contract (Art. 6(1)(b) GDPR): processing necessary to provide the Service you requested — account management, content generation, publishing to connected social accounts.
Legitimate interest (Art. 6(1)(f) GDPR): security monitoring, audit logging, abuse prevention, and service improvement, balanced against your privacy rights.
Consent (Art. 6(1)(a) GDPR): when you explicitly connect a social media account (Instagram, TikTok, YouTube), you consent to the specific scopes granted during the OAuth flow. You may withdraw consent at any time by disconnecting the account.
Legal obligation (Art. 6(1)(c) GDPR): compliance with applicable laws when required.

We do not process your data for advertising or profiling purposes. We do not send promotional emails.

6. Data Sharing and Third Parties

6.1 Social Media Platforms

When you publish content, we transmit your captions, images, and/or videos to the platform you selected:

Meta Platforms (Instagram) via the Meta Graph API
TikTok via the TikTok Content Posting API
YouTube via the Google YouTube Data API

Each platform processes data under its own privacy policy.

6.2 AI Service Providers

When AI-enhanced caption generation is enabled, we send article text, URLs, and your prompt configuration to the configured AI provider. The default provider is PublicAI (api.publicai.co). You may configure alternative providers (OpenAI, Anthropic, Google AI) using your own API keys. We do not send personal account information to AI providers.

6.3 Article Source Websites

When you submit a URL or configure batch sources, our server fetches publicly available metadata (OpenGraph tags, page content) from those websites. Our server identifies itself with the User-Agent string "metasnap/1.0" (configurable).

6.4 Infrastructure

MetaSnap is hosted on cloud infrastructure located within the European Economic Area (EEA). Application data, including encrypted OAuth tokens, generated content, and audit logs, is stored on servers operated on our behalf by our hosting provider. Database storage uses PostgreSQL with encryption at rest at the provider level; media assets are stored on the same hosting infrastructure.

6.5 No Data Sales

We do not sell, rent, or trade your personal data to third parties. We do not use your content, your generated posts, or data received from Google APIs to serve advertising or to train generalized AI/ML models.

6-bis. Google API Services — Limited Use Disclosure

MetaSnap's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

Allowed use: MetaSnap accesses Google user data strictly to deliver the features the user enables — signing in, authorizing publishing to the user's own YouTube channel, and retrieving the minimum account metadata needed to display and operate on that connected account.
Transfer limits: we do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
Human access: MetaSnap personnel do not read or review Google user data except (a) with the user's explicit consent, (b) to resolve a specific security or abuse issue, (c) to comply with applicable law, or (d) where such data (including derivatives) has been aggregated and anonymized.
No advertising, no model training: we do not use Google user data for advertising, nor to train, fine-tune, or improve generalized AI/ML models (our own or third parties').
Revocation: you can revoke MetaSnap's access to your Google data at any time from within MetaSnap (Publish → Social Connections → Disconnect) or from your Google Account at myaccount.google.com/permissions.

The Google scopes requested by MetaSnap are limited to those strictly necessary to publish YouTube videos on your behalf. No scope is requested for reading private messages, contacts, Gmail, or Drive contents.

For a scope-by-scope breakdown of how MetaSnap uses YouTube data, including connect / disconnect instructions and our explicit-confirmation publishing rule, see the dedicated YouTube data use page.

7. Data Retention

Account data: retained while your account is active. Upon account deletion, data is removed within 30 days.
Generated content (posts, images, videos): retained until you delete them individually or close your account.
Social platform tokens: retained until you disconnect the platform or close your account.
Audio files: retained until you delete them or close your account.
Sessions: automatically purged after expiry (7 days). Expired session cleanup runs hourly.
Audit logs: retained for up to 12 months for security, abuse-prevention and compliance purposes. Older entries are automatically deleted or anonymized.
Batch job history: retained as part of your account data.

8. Data Security

We implement the following technical measures:

Password hashing: PBKDF2-SHA512 with 100,000 iterations and random 16-byte salt.
Encryption at rest: AES-256-GCM for all stored API keys and OAuth tokens, with per-value initialization vectors.
Session security: session tokens are 256-bit random values, stored as SHA-256 hashes. Cookies are httpOnly and Secure.
OAuth protection: CSRF protection via HMAC-SHA256 signed state parameters with 15-minute expiry. PKCE (S256) for TikTok.
Transport security: HTTPS enforced in production.
Security headers: Helmet middleware applies standard security headers (X-Content-Type-Options, X-Frame-Options, etc.).

No system is completely secure. We encourage you to use a strong, unique password and to keep your API keys confidential.

9. International Transfers

MetaSnap's application infrastructure is hosted within the European Economic Area (EEA). However, some third-party services we integrate with may process your data outside the EEA:

Social media platforms (Meta/Instagram, TikTok, YouTube/Google) process data according to their own privacy policies and transfer mechanisms.
AI providers you optionally configure (OpenAI, Anthropic, Google AI) may process prompts in regions outside the EEA. When you supply your own API key, your configuration controls where requests are routed.

Where such transfers occur, they rely on the European Commission's adequacy decisions or, where not applicable, on Standard Contractual Clauses (SCCs) and additional technical measures (encryption in transit and, where supported, at rest) implemented by the receiving provider. We do not transfer personal data to jurisdictions without appropriate safeguards in place.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

Access your personal data and obtain a copy.
Rectify inaccurate or incomplete data.
Erase your data ("right to be forgotten").
Restrict processing in certain circumstances.
Data portability: receive your data in a structured, machine-readable format.
Object to processing based on legitimate interests.
Withdraw consent where processing is based on consent.

To exercise any of these rights, contact us through our support form. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority — in Italy, the Garante per la protezione dei dati personali (garanteprivacy.it).

11. Cookies and Similar Technologies

MetaSnap uses only essential cookies and local storage:

Technology	Name	Purpose	Duration
Cookie	session_token	Login session (httpOnly, Secure, SameSite: Lax)	7 days
localStorage	ms_aspect	Preferred aspect ratio	Persistent
localStorage	ms_locale	Language preference	Persistent

We do not use third-party tracking cookies, advertising cookies, or analytics services that track users across websites.

12. Children

MetaSnap is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will update the "Last updated" date at the top of this page. For material changes, we will provide notice through the Service.

14. Contact

For privacy-related questions, to exercise your rights under this policy, or to report a security issue, please use one of the following channels:

Online form: metasnap.tyaplyap.com/support.html (recommended — no email client required)
Email: info@tyaplyap.com (reachable via the support form above)
Product: MetaSnap — metasnap.tyaplyap.com

We aim to respond to all privacy enquiries within 30 days.