MKT POST — Privacy Policy

MKT POST does not sell or share your personal data for advertising purposes. We only retain the data necessary for you to log in, connect your TikTok account, and publish videos via the official APIs.

• Google Sign-in is used — we do not store your passwords.
• TikTok Tokens are encrypted using AES-256-GCM before storage.
• Video content is routed directly to TikTok and is not stored long-term on MKT POST.
• You can request the deletion of all your data at any time.

When you use MKT POST, we collect the following types of data:

• Google Account Information (via Firebase Auth): display name, email address, profile picture, and Google UID. We do not receive your password.
• Connected TikTok Account Information: display name, username, avatar URL, open ID, and union ID; access token and refresh token provided by TikTok (encrypted before storage). This data is retrieved using the user.info.basic and user.info.profile scopes.
• Post Metadata: title, caption, privacy / comment / duet / stitch settings, processing status (PROCESSING_UPLOAD / PUBLISH_COMPLETE / FAILED), publish ID returned by TikTok, and creation time.
• Video Content: the video file you upload will be transmitted to MKT POST servers during the publishing process to be forwarded to TikTok. We do not store the video file after TikTok confirms successful receipt.
• Session Cookies: a signed HTTP-only cookie (JWT, HMAC-SHA256) to maintain your login session — it contains your Google UID, email address, display name, and profile picture URL as originally provided by Google Sign-In.
• Basic Technical Logs: IP address, user-agent, access time — for debugging, abuse prevention, and legal compliance. Logs are regularly rotated and automatically deleted.

MKT POST requests the following TikTok API permissions (scopes) when you connect your TikTok account:

• user.info.basic & user.info.profile — to read your TikTok display name, username, avatar, open ID, and union ID so we can identify your connected account in the dashboard.
• video.publish & video.upload — to publish videos directly to your TikTok profile via the Content Posting API on your behalf.
• video.list — to retrieve metadata about your published videos for display in the post history dashboard.

We do not use third-party advertising trackers, nor do we integrate Google Analytics or Meta Pixel.

The collected data is used to:

• Authenticate you upon login and maintain a secure session.
• Call the TikTok Content Posting API to publish videos on your behalf according to your settings.
• Display your connected TikTok accounts, post history, and processing statuses; retrieve your published video list via the video.list scope to populate the history dashboard.
• Automatically refresh your TikTok access token to prevent service interruptions.
• Detect and prevent abuse, protecting the system and other users.

We do not use your data to train AI models or sell it to third parties.

Data is stored on Google Cloud Firestore (region: asia-southeast1 — Singapore). Firestore access is strictly routed through the Firebase Admin SDK on the server-side — browsers do not query the database directly.

• TikTok Tokens: encrypted via AES-256-GCM with a private key stored securely in server environment variables. In the event of a key leak, we will rotate the keys and require users to reconnect.
• MKT POST Login Session: HMAC-SHA256 signed JWT cookie containing your Google UID, email, display name, and profile picture URL, flagged with HttpOnly and Secure in production environments.
• Transmission: all connections are secured via HTTPS/TLS.

Although we implement reasonable security measures, no internet system is 100% secure. You should keep your Google account and access devices secure.

We only share data with the following third parties, to the minimum extent necessary to operate the service:

• Google / Firebase (Auth, Firestore, hosting): provides authentication and storage infrastructure. See the Firebase Privacy Policy.
• TikTok: we call TikTok's API using the access token you authorized to publish videos. Data processing by TikTok is subject to the TikTok Privacy Policy.
• Authorized Authorities: if we receive a lawful request (court order, law enforcement request), we will comply to the extent required by law.

MKT POST uses the following cookies, all essential for the operation of the service:

• mktpost_session: Session JWT, HttpOnly, expires 7 days after the last login.
• tiktok_oauth_state, tiktok_oauth_verifier: short-lived cookies used for the OAuth PKCE flow, automatically deleted upon callback completion.

We do not use cookies for advertising purposes or cross-site tracking.

You have the following rights regarding your personal data:

• Access: view the data we hold about you.
• Rectification: update incorrect or outdated information (e.g., display name) via your Google account.
• Erasure: request the deletion of your entire account and data (see section 11).
• Disconnect TikTok Account: can be done within the dashboard or at TikTok's connected apps settings.
• Object / Restrict Processing: if you believe your data is being processed improperly, please contact us.

• Account & TikTok Tokens: retained until you disconnect or delete your MKT POST account.
• Post History: retained until you delete your account or explicitly request deletion.
• Uploaded Video Files: only exist in server memory during the transfer to TikTok, and are immediately released thereafter. MKT POST does not backup video files.
• Technical Logs: up to 90 days, then automatically deleted.
• Firestore Backups: may exist for up to 30 days from the time of deletion for disaster recovery purposes, after which they are permanently deleted.

MKT POST is not intended for users under 13 years old. If you are aware that a child has created an MKT POST account without parental consent, please contact us to have that account deleted.

When updating this policy, we will change the “Last Updated” date at the top of the page. For significant changes that increase the scope of collection or alter usage purposes, we will notify you via email or an in-app notice prior to implementation.

For data rights requests, account deletion, or questions about this policy:

• Email: support@mkt-soft.com
• See also our Terms of Service.