Samantha Makes

Privacy Policy

Last updated: April 27, 2025

Table of Contents

1. Introduction

Samantha Makes ("we," "us," "our," or the "Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise handle your information when you visit our website at samantha-makes.com.

This website is operated by a sole proprietor as a personal portfolio and business administration tool for a surface pattern design business. Any integrations with third-party platforms such as Instagram and Pinterest are used solely by the business owner to manage and publish content on their own accounts — this is not a multi-user platform or SaaS product.

By accessing and using this website, you acknowledge that you have read, understood, and agree to be bound by all the provisions of this Privacy Policy.

2. Information We Collect

2.1 Account Information

The administrative area of this site is accessible only to the business owner. We store an email address and a securely hashed password (using bcrypt) to authenticate access to the admin panel.

2.2 Social Media OAuth Data

To enable scheduling and publishing content to our own Instagram and Pinterest accounts, we connect to those platforms via OAuth 2.0. We collect and store the following data from those integrations:

  • Instagram and Pinterest access tokens and refresh tokens (encrypted at rest with AES-256)
  • Account names and platform-specific account IDs
  • Account connection status and token expiry metadata
  • Basic account information: username, follower count, and total post/media count
  • Pinterest analytics data for our own account: impressions, outbound clicks, pin clicks, saves, and engagement totals
  • Instagram post engagement data for our own posts: like counts and comment counts

All OAuth tokens are encrypted at rest using AES-256 encryption and are never stored in plain text. This data is accessed solely to operate the features of this private admin tool and is not used for any other purpose.

2.3 Post and Content Data

We store information about posts created and scheduled through the admin panel, including:

  • Post captions and content
  • Scheduled publish dates and times
  • Post status (draft, scheduled, published, failed)
  • Target platform (Instagram, Pinterest)
  • Post type (single image or carousel)

2.4 Image and Media Data

Images used in posts come from two sources:

  • Design library images: Images from our own pattern design catalog, already stored on the platform
  • Custom uploads: Images uploaded directly to create posts, stored securely via AWS S3 using Rails ActiveStorage

All images are uploaded over HTTPS and stored in encrypted cloud storage.

2.5 Website Visitor Data

We use Google Analytics to understand how visitors use our public website. This may include:

  • Pages visited and time spent on the site
  • Approximate geographic location (derived from IP address)
  • Device type, browser, and operating system
  • Referring website or traffic source

This data is collected in aggregate and is not used to identify individual visitors.

2.6 Email Communications

If you contact us via email or submit an inquiry through the site, we collect your email address and any information you include in your message in order to respond to you. We use Mailgun to send transactional emails. Your email address is shared with Mailgun only for this purpose. Mailgun is GDPR compliant and maintains strict data protection standards.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To operate the private admin panel, including scheduling and publishing content to our own social media accounts
  • Authentication: To verify identity and prevent unauthorized access to the admin area
  • Social Media Integration: To connect to our own Instagram and Pinterest accounts and publish posts on behalf of this business
  • Analytics and Reporting: To view performance data (such as Pinterest impressions and Instagram engagement) for our own published content, solely for internal business reporting
  • Background Processing: To execute scheduled posts at the specified date and time
  • Customer Inquiries: To respond to messages and questions submitted through the site
  • Site Improvement: To understand how the public website is used and improve its content
  • Legal Compliance: To comply with applicable laws and regulations

We do not sell, rent, license, or share data obtained through Instagram or Pinterest APIs with any third parties for their own commercial use, advertising purposes, or any purpose other than operating this private admin tool. We request only the minimum API permissions necessary to perform the functions described in this policy.

4. Data Security

We implement comprehensive security measures to protect stored information:

Encryption

All sensitive data (OAuth tokens, passwords) is encrypted at rest using AES-256 encryption. Data transmitted between browsers and our servers is encrypted using HTTPS/TLS.

Access Control

The admin panel is protected by authenticated login and is not accessible to the public. Social media credentials are only accessible by the systems that require them to publish content.

Infrastructure Security

Our application is hosted on Heroku, which maintains enterprise-grade security, automated backups, and continuous monitoring.

Minimal Data Collection

We only request the minimum API permissions (scopes) from Instagram and Pinterest that are necessary to perform the publishing and reporting functions described in this policy. We do not request or store any data from those platforms beyond what is listed in Section 2.

Note: While we implement strong security measures, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your information.

5. Third-Party Services

This site integrates with the following third-party platforms and services:

5.1 Instagram (Meta)

We use the Instagram Graph API to publish posts and retrieve basic engagement data (likes, comments) for our own Instagram account. Data accessed via the Instagram API is used solely to operate this private admin tool. It is not sold, shared, or transferred to any third party. Instagram's data practices are governed by Meta's Privacy Policy.

5.2 Pinterest

We use the Pinterest API to publish pins and retrieve analytics (impressions, clicks, saves, engagement) for our own Pinterest account. Data accessed via the Pinterest API is used solely for internal business reporting within this private admin tool. It is not sold, shared, licensed, or transferred to any third party for any purpose. Pinterest's data practices are governed by Pinterest's Privacy Policy.

5.3 Google Analytics

We use Google Analytics to collect aggregate, anonymized data about how visitors use our public website. Google Analytics may use cookies to collect this information. For more information, see Google's Privacy Policy.

5.4 Mailgun

We use Mailgun for transactional emails. Your email address is processed by Mailgun only for the purpose of delivering messages. Mailgun is GDPR compliant. See Mailgun's Privacy Policy.

5.5 Heroku

This site is hosted on Heroku (Salesforce). Data is stored and processed in accordance with Heroku's Privacy Policy.

5.6 Amazon Web Services (AWS S3)

Uploaded images are stored in Amazon S3. AWS data practices are governed by the AWS Privacy Notice.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right to Access

You have the right to request access to the personal data we hold about you.

Right to Correction

You have the right to request that we correct inaccurate or incomplete personal data.

Right to Deletion

You have the right to request deletion of your personal data, subject to certain legal exceptions.

Right to Data Portability

You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format.

Right to Withdraw Consent

You have the right to withdraw consent at any time. For Instagram or Pinterest integrations, you can revoke our access directly through the platform's app permissions settings, which will immediately invalidate any stored tokens.

Right to Object

You have the right to object to certain processing of your data.

To exercise any of these rights, please contact us at the email address in Section 8. We will respond to your request within 30 days.

7. Data Retention

We retain information for as long as necessary to provide the Service and fulfill the purposes outlined in this policy:

  • Account Data: Retained while the account is active. Deleted within 30 days of account closure, except where required by law.
  • OAuth Tokens: Retained until the connected social media account is disconnected, either through this admin panel or by revoking access directly on the platform.
  • Social Media Analytics Data: Not stored persistently — fetched live from the API on demand and not written to our database.
  • Post History: Retained for 12 months after publication unless earlier deletion is requested.
  • Uploaded Images: Retained until deleted by the account owner or upon account closure.
  • Email Communications: Retained for 6 months unless deletion is requested.
  • Backup Data: May be retained for up to 90 days for disaster recovery purposes.

We may retain certain data when required by law, regulation, or legal proceedings.

8. Contact Us

If you have questions about this Privacy Policy, concerns about your data, or wish to exercise your privacy rights, please contact us:

Business: Samantha Makes

Website: samantha-makes.com

Email: samantha.grimm@gmail.com

We will respond to your inquiry within 10 business days.

This Privacy Policy may be updated from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of the site following any changes constitutes your acceptance of the revised policy.