Privacy Policy

Last updated: April 19, 2026

1. Introduction
2. Information We Collect
3. How We Use Your Information
4. Data Security
5. Third-Party Services
6. Your Rights
7. Data Retention
8. Contact Us

1. Introduction

Samantha Makes Things ("we," "us," "our," or the "Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and otherwise handle your information when you use our social media scheduling platform.

By accessing and using Samantha Makes Things, you acknowledge that you have read, understood, and agree to be bound by all the provisions of this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address and securely hash your password using bcrypt encryption. This information is used to authenticate you and provide access to your account.

2.2 OAuth Authentication Data

To enable social media scheduling, we securely connect to your Instagram and Pinterest accounts through OAuth 2.0 authentication. During this process, we collect and store:

Instagram access tokens (encrypted with AES-256 encryption)
Pinterest access tokens and refresh tokens (encrypted with AES-256 encryption)
Your social media account names and account IDs
Account connection status and metadata

These tokens are encrypted at rest using the attr_encrypted gem with industry-standard AES-256 encryption and are never stored in plain text.

2.3 Post and Content Data

We collect information about the posts you schedule, including:

Post content and captions
Scheduled publish dates and times
Post status (draft, scheduled, published, failed)
Target social media platforms (Instagram, Pinterest)
Post type (single images, carousel posts for Instagram)

2.4 Image and Media Data

We handle images in two ways:

Design System Images: References to images from your existing Colorway/Design library
Custom Uploads: Images you directly upload to create posts, stored using AWS S3 or similar cloud storage integrated with Rails ActiveStorage

Images are uploaded securely over HTTPS and stored in encrypted cloud storage.

2.5 Email Communications

We use Mailgun to send transactional emails (account notifications, password resets, post scheduling confirmations). Your email address is shared with Mailgun only for these communications. Mailgun is GDPR compliant and maintains strict data protection standards.

2.6 Usage and Analytics Data

We may collect non-personally identifiable information about how you use the Service, including:

Pages visited and features used
IP address and browser information
Device information and operating system
Approximate geographic location (derived from IP address)

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery: To provide, maintain, and improve the social media scheduling platform
Authentication: To verify your identity and prevent unauthorized access to your account
OAuth Integration: To securely connect to your Instagram and Pinterest accounts and publish posts on your behalf
Post Publishing: To schedule and publish your posts to connected social media accounts
Background Jobs: To execute scheduled posts at the specified date and time using Sidekiq background processing
Communications: To send you service-related emails (account alerts, post publishing status, password resets)
Customer Support: To respond to your inquiries and provide technical assistance
Service Improvement: To analyze usage patterns and improve the platform's features and user experience
Legal Compliance: To comply with applicable laws and regulations

4. Data Security

We implement comprehensive security measures to protect your information:

Encryption

All sensitive data (OAuth tokens, passwords) is encrypted at rest using AES-256 encryption. Data transmitted between your browser and our servers is encrypted using HTTPS/TLS.

Access Control

Your information is only accessible to authorized personnel and systems that require access to perform their functions.

Database Security

Our application database is hosted on Heroku, which maintains enterprise-grade security, automated backups, and continuous monitoring.

Regular Updates

We regularly update our systems and dependencies to patch security vulnerabilities.

Note: While we implement strong security measures, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your information.

5. Third-Party Services

Our Service integrates with third-party platforms and services. We are not responsible for their privacy practices:

5.1 Instagram (Meta)

We use Instagram's Graph API to publish posts to your Instagram accounts. Instagram collects and processes your data in accordance with Meta's privacy policy.

5.2 Pinterest

We use Pinterest's API to publish pins to your Pinterest accounts. Pinterest collects and processes your data in accordance with Pinterest's privacy policy.

5.3 Mailgun

We use Mailgun for transactional emails. Your email address is processed by Mailgun in accordance with Mailgun's privacy policy.

5.4 Heroku

The Service is hosted on Heroku. Your data is processed and stored according to Heroku's privacy policy.

5.5 Cloud Storage

Images you upload may be stored in cloud storage (such as AWS S3) via Rails ActiveStorage. Your images are processed according to your cloud provider's privacy policies.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right to Access

You have the right to request access to the personal data we hold about you.

Right to Correction

You have the right to request that we correct inaccurate or incomplete personal data.

Right to Deletion

You have the right to request deletion of your personal data, subject to certain legal exceptions. This includes the ability to delete your account and associated data.

Right to Data Portability

You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format.

Right to Withdraw Consent

If we process your data based on your consent, you have the right to withdraw that consent at any time by disconnecting your social media accounts or deleting your account.

Right to Object

You have the right to object to certain processing of your data, including for marketing purposes.

To exercise any of these rights, please contact us at the address provided in Section 8. We will respond to your request within 30 days.

7. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. Retention periods vary:

Account Data: Retained while your account is active. Upon account deletion, it will be deleted within 30 days (except as required by law).
OAuth Tokens: Stored until you disconnect the social media account. Automatically rotated and refreshed as needed.
Post History: Retained for 12 months after publication unless you request earlier deletion.
Uploaded Images: Retained until you delete them or close your account.
Email Communications: Retained for 6 months unless deletion is requested.
Backup Data: May be retained for up to 90 days for disaster recovery purposes.

We may retain certain data when required by law or regulation, or when necessary for legal proceedings.

8. Contact Us

If you have questions about this Privacy Policy, concerns about your data, or wish to exercise your privacy rights, please contact us:

Email: samantha.grimm@gmail.com

Service: Samantha Makes Things

We will respond to your inquiry within 10 business days.

This Privacy Policy may be updated from time to time. We will notify you of any changes by updating the "Last updated" date above. Your continued use of the Service following the posting of revised Privacy Policy means that you accept and agree to the changes.