1. Introduction
Four Hawk Social ("we," "us," "our," or the "Company") operates the Four Hawk Social platform (the "Service"), a social media management application that enables businesses and agencies to schedule, create, publish, and analyze social media content across multiple platforms.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including when you connect third-party social media accounts. We are committed to protecting your privacy and handling your data transparently and responsibly.
By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree with any part of this policy, please do not use our Service.
2. Information We Collect
2.1 Account Information
When your organization creates an account or you are invited to join, we collect:
- Name and email address
- Organization/agency name
- Role within the organization (e.g., admin, manager, member)
- Authentication credentials (managed securely via AWS Cognito)
2.2 Social Media Account Data
When you connect third-party social media accounts to our Service via OAuth, we may collect and store:
- Profile information: Account name, username, profile picture URL, account/page ID, and account type
- Access tokens: OAuth access tokens and refresh tokens required to interact with the platform APIs on your behalf (stored encrypted using AES-256-GCM encryption)
- Page and account lists: Lists of pages, business accounts, or profiles you manage, so you can select which ones to connect
- Post and content data: Content you create within our Service for publishing, including text, images, videos, links, hashtags, and scheduling information
- Analytics data: Engagement metrics, reach, impressions, follower counts, and other performance data retrieved from connected platform APIs
2.3 Platform-Specific Data
Depending on which social media platforms you connect, we may access and store the following data through authorized API access:
| Platform | Data Accessed |
| --- | --- |
| Facebook / Instagram (Meta) | Pages you manage, page access tokens, post content, post performance metrics (reach, engagement, impressions), Instagram business/creator account data, media URLs, comment/reply data for engagement inbox |
| X (Twitter) | Account profile, tweets and post content, engagement metrics (likes, retweets, replies, impressions), direct message metadata for engagement inbox |
| LinkedIn | Profile and organization page information, post content, engagement metrics (impressions, clicks, reactions, comments, shares), organization follower counts |
| Pinterest | Account profile, board information, pin content and media, pin analytics (impressions, saves, clicks) |
| TikTok | Account profile, video content and metadata, video performance metrics (views, likes, shares, comments) |
| YouTube (Google) | Channel information, video content and metadata, video analytics (views, likes, comments, watch time), channel subscriber counts |
2.4 Usage Data
We automatically collect certain information when you interact with our Service:
- IP address and approximate geographic location
- Browser type and version
- Pages visited and features used within the Service
- Date and time of access
- Referring URL
- Device type and operating system
2.5 Media Content
When you upload images, videos, or other media files for use in social media posts, we store those files securely in our cloud storage infrastructure (Amazon S3) and deliver them via a content delivery network (Amazon CloudFront). Media files are associated with your organization's account and specific client profiles.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: To schedule, create, and publish social media content on your behalf to connected platforms
- Analytics and reporting: To retrieve and display engagement metrics, audience insights, and performance data from connected social media accounts
- Engagement management: To aggregate comments, replies, and messages from connected accounts into a unified inbox
- Account management: To manage your user account, organization settings, team members, and client configurations
- Approval workflows: To facilitate content approval processes between your team and your clients
- Service improvement: To understand how the Service is used and make improvements
- Security: To detect, prevent, and address technical issues and security threats
- Communication: To send you service-related notifications, such as approval requests, post status updates, and account alerts
- Legal compliance: To comply with applicable laws, regulations, and legal processes
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share your information only in the following limited circumstances:
4.1 Social Media Platforms
When you use our Service to publish content, we transmit that content (text, media, metadata) to the social media platforms you have connected, using their official APIs. This sharing is initiated by you and is necessary to provide the core functionality of the Service.
4.2 Service Providers
We use trusted third-party service providers to operate our infrastructure. These providers process data only on our behalf and are contractually obligated to protect your information:
- Amazon Web Services (AWS): Cloud hosting, database, storage, authentication, and compute services
- Cloudflare: DNS management, CDN, and web application firewall
4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal processes, such as a court order, subpoena, or government request.
4.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.
4.5 With Your Consent
We may share your information for any other purpose with your explicit consent.
5. Data Storage and Security
5.1 Data Storage
Your data is stored on secure servers provided by Amazon Web Services (AWS) in the United States. Our database runs on Amazon Aurora Serverless, and media files are stored in Amazon S3.
5.2 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption at rest: All data stored in our databases and file storage is encrypted at rest
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and third-party APIs, uses TLS 1.2 or higher
- Token encryption: Social media OAuth tokens are encrypted using AES-256-GCM before storage. Encryption keys are managed via AWS Secrets Manager
- Authentication: User authentication is managed via AWS Cognito with industry-standard password policies and JWT-based session management
- Access control: Role-based access control (RBAC) ensures users can only access data and perform actions appropriate to their assigned role
- Infrastructure security: Our backend services run within a Virtual Private Cloud (VPC) with security groups, and are protected by Cloudflare's web application firewall
- Audit logging: We maintain audit logs for significant actions within the system
5.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.
6. Data Retention
We retain your data as follows:
- Account data: Retained for as long as your account is active. Upon account deletion, your personal data will be deleted or anonymized within 30 days, except where retention is required by law
- Social media tokens: OAuth tokens are retained while the social media connection is active. When you disconnect a social media account, we delete the associated access tokens immediately
- Published content: Records of content published through the Service are retained for reporting and audit purposes for the duration of your subscription
- Analytics data: Aggregated analytics data may be retained for performance reporting. Raw analytics data is refreshed periodically per platform API guidelines
- Media files: Uploaded media files are retained while your account is active and deleted within 30 days of account termination
- Usage logs: Server logs and usage data are retained for up to 90 days for security and debugging purposes
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
7.1 All Users
- Access: You can request a copy of the personal data we hold about you
- Correction: You can request correction of inaccurate or incomplete data
- Deletion: You can request deletion of your personal data, subject to legal retention requirements
- Disconnect accounts: You can disconnect any connected social media account at any time through the Service settings, which will revoke our access to that platform and delete stored tokens
- Data export: You can request an export of your data in a machine-readable format
7.2 European Economic Area (EEA) Residents — GDPR
If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal basis for processing: We process your data based on: (a) your consent (e.g., connecting social media accounts), (b) performance of a contract (providing the Service), (c) legitimate interests (improving the Service, security), and (d) legal obligations
- Right to restrict processing: You can request that we limit how we process your data
- Right to data portability: You can request your data in a structured, machine-readable format
- Right to object: You can object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority
Data transfers: Your data is stored and processed in the United States. We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses where applicable.
7.3 California Residents — CCPA / CPRA
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: You can request details about the categories and specific pieces of personal information we have collected
- Right to delete: You can request deletion of your personal information
- Right to opt out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
- Right to correct: You can request correction of inaccurate personal information
- Right to limit use of sensitive personal information: You may limit the use and disclosure of sensitive personal information
To exercise any of these rights, please contact us at [email protected]. We will respond to verifiable requests within 45 days.
8. Social Media Platform-Specific Disclosures
Our use of data received from social media platform APIs complies with each platform's developer policies and terms of service:
8.1 Meta (Facebook and Instagram)
Our use and transfer of information received from Meta APIs adheres to the Meta Platform Terms and Meta Developer Policies. Specifically:
- We only request permissions that are necessary to provide the Service features you use
- We do not use Facebook or Instagram data for purposes unrelated to providing our Service
- We do not sell data obtained from Meta APIs
- We delete all data received through Meta APIs when a user disconnects their account or requests deletion
- We provide a mechanism for users to request deletion of their data
- We comply with all applicable Meta Platform Terms regarding data handling, retention, and security
8.2 X (Twitter)
Our use of data received from the X API complies with the X Developer Agreement and Policy. We:
- Only access data necessary to provide the Service
- Do not sell or sublicense X data to third parties
- Respect user privacy settings and content deletion requests
- Delete X data when users disconnect their accounts
8.3 LinkedIn
Our use of data received from LinkedIn APIs complies with the LinkedIn API Terms of Use. We:
- Only access data with explicit user authorization
- Use LinkedIn data solely to provide the Service functionality
- Do not use LinkedIn data for advertising, recruiting, or any purpose beyond social media management
- Delete LinkedIn data when users disconnect their accounts
8.4 Pinterest
Our use of data received from the Pinterest API complies with the Pinterest Developer Guidelines. We only use Pinterest data to enable pin creation, scheduling, and analytics within our Service.
8.5 TikTok
Our use of data received from the TikTok API complies with TikTok's API Terms of Service. We:
- Only collect and use TikTok data to provide the Service
- Do not sell TikTok user data
- Provide users the ability to disconnect their TikTok account and delete associated data
- Comply with TikTok's data deletion callback requirements
8.6 YouTube (Google)
Our use of data received from the YouTube API complies with the YouTube API Services Terms of Service and Google Privacy Policy. By using our Service to connect a YouTube account, you are also agreeing to be bound by the Google Privacy Policy. We:
- Only access YouTube data that users have explicitly authorized
- Use YouTube data solely for providing social media management features
- Allow users to revoke our access to their YouTube data at any time via the Service settings or via Google's security settings page
- Delete stored YouTube data when access is revoked
- Do not use YouTube API data for advertising targeting
9. Cookies and Tracking Technologies
Our Service uses the following types of cookies and similar technologies:
- Essential cookies: Required for the Service to function, including authentication session cookies. These cannot be disabled
- Analytics cookies: Help us understand how the Service is used so we can improve it. These can be disabled
We do not use advertising or tracking cookies. We do not engage in cross-site tracking or behavioral advertising.
10. Children's Privacy
Our Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us at [email protected].
11. Third-Party Links
Our Service may contain links to third-party websites or services, including social media platforms. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you interact with.
12. Data Deletion Requests
You can delete your data through three channels, depending on what you want to remove:
12.1 Disconnect a single social account
In Four Hawk Social, go to Settings → Clients, open the client whose account you want to disconnect, and click Disconnect next to the platform. We immediately delete the encrypted OAuth tokens for that connection and stop fetching engagement or analytics data from that platform. Posts you've already published remain on the platform itself; revoking the connection does not retract them. If you also want to revoke our app's access on the platform side, you can do so in the platform's app settings (Facebook: Settings → Business Integrations; Instagram: Settings → Apps and Websites; LinkedIn: Settings → Data Privacy → Other Applications; Pinterest, YouTube, TikTok: similar locations).
12.2 Delete an entire workspace (full account deletion)
Workspace owners can delete their entire Four Hawk Social workspace by emailing [email protected] from the email address associated with the workspace owner role. Include "Delete my workspace" in the subject line and the workspace name in the body. We will:
- Acknowledge the request within 2 business days.
- Within 30 days, permanently delete: all OAuth tokens, all uploaded media, all post drafts and scheduled posts, all analytics history, all team-member records, the workspace itself, and the underlying authentication user records.
- Confirm completion via the same email thread.
12.3 Platform-side deletion
Independent of any action in Four Hawk Social, you can revoke our access at any time directly through the social platform's app permissions. When you revoke, the platform itself terminates our token. The next time we attempt to use the connection we receive an authentication error and mark it inactive in our database; the encrypted token blob is deleted within 24 hours of the next use attempt.
12.4 What is retained, and why
After a workspace deletion, we retain only the minimum required for legal and billing compliance:
- Billing records (invoices, payment receipts): retained for 7 years to satisfy tax and audit requirements. These contain only the workspace name, billing email, amount, and date — no social account data.
- Audit-log entries flagged for legal hold: retained until the legal matter is resolved, typically <2 years.
- Aggregated, anonymized analytics: may be retained indefinitely for product analytics. These cannot be associated with you, your workspace, or the social accounts you connected.
Everything else — OAuth tokens, media, posts, comments, engagement history, team metadata — is permanently deleted within 30 days of your request.
13. International Data Transfers
Our Service is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We implement appropriate safeguards for international data transfers, including:
- Standard Contractual Clauses (SCCs) for transfers from the EEA
- Data processing agreements with all service providers
- Technical and organizational security measures
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active users via email for material changes
- Post a prominent notice on the Service for significant changes
Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:
We aim to respond to all privacy-related inquiries within 30 days.