Privacy Policy

1. Introduction

Schedule & Chill ("we", "our", "us", or "the Service") is operated by Lomeyo LLC, a limited liability company registered in the United States. We respect your privacy and are committed to protecting the personal data you share with us. This Privacy Policy explains what information we collect, how we use it, how we share it, and your rights regarding that data.

By using Schedule & Chill, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). If you sign up via OAuth through a supported provider (Google, LinkedIn), we receive your public profile information (name, email, profile picture) from that provider.

2.2 Social Media Account Data

When you connect a social media account, we receive and store the following data through the platform's official API:

• Your platform account ID, username, display name, and profile picture
• OAuth access tokens and refresh tokens (encrypted at rest using AES-256)
• Token expiration timestamps and granted scopes
• For Facebook Pages and LinkedIn Pages: the list of Pages you administer and their IDs
• For YouTube: the channel ID, title, and thumbnail of your connected channel

We do not collect or store passwords for any connected social media platform. Authentication is handled entirely through OAuth 2.0 authorization flows.

2.3 Content You Create

We store the posts you draft, schedule, and publish through Schedule & Chill, including text, hashtags, mentions, scheduled publish times, target platforms, and any attached media files. We also store the status of each post (draft, scheduled, published, failed) and any error messages returned by platform APIs.

2.4 Media Library

We store images, videos, and other media files you upload to your media library. These files are stored on Cloudflare R2 (or a compatible S3-compatible object storage service) with access restricted to your account. We extract basic metadata (file size, dimensions, duration) but do not analyze the content of your media files.

2.5 Analytics Data

When permitted by the platform's API, we fetch public engagement metrics for posts you published through Schedule & Chill (likes, comments, shares, views, impressions). This data is displayed in your analytics dashboard and stored to show historical trends. We do not collect analytics data for posts you did not publish through our Service.

2.6 Usage and Technical Data

We collect limited technical information necessary to operate the Service: IP address, browser type and version, device type, pages visited within the Service, timestamps, and feature usage events. We do not use third-party advertising trackers, pixels, or analytics services that share your data with advertisers.

2.7 Billing Information

Payment information (credit card details, billing address) is collected and processed by our payment processor, Stripe, Inc. We never see or store your full credit card number — we store only your subscription status, plan, and a Stripe customer reference ID. Lomeyo, LLC is the seller of record for all purchases.

2.8 API and MCP Usage Logs

If you use our REST API or MCP (Model Context Protocol) server, we log request metadata (endpoint, timestamp, response status, user ID) for debugging, abuse prevention, and rate limiting. Logs are retained for 30 days and then automatically deleted.

3. How We Use Your Information

We use your information exclusively to:

• Provide, maintain, and improve the Schedule & Chill Service
• Publish and schedule posts to your connected social media accounts, only as directed by you
• Store and serve your media files through your authenticated account
• Display analytics and performance metrics for your published content
• Send transactional emails (account verification, password resets, billing receipts, trial expiration notices)
• Process payments and manage your subscription through Stripe
• Respond to your support requests and communicate about the Service
• Detect, prevent, and respond to fraud, abuse, or security incidents
• Comply with legal obligations

What we do NOT do with your data:

• We do NOT sell, rent, or trade your personal data to any third party
• We do NOT use your connected social media data to train artificial intelligence or machine learning models
• We do NOT use your data for advertising purposes or share it with advertisers
• We do NOT access your social media accounts for any purpose other than what you have explicitly authorized
• We do NOT read private messages, DMs, or non-public content from any connected platform

4. Third-Party Platform Integrations

Schedule & Chill integrates with third-party social media and developer platforms through their official APIs. Each integration is governed by the respective platform's terms and privacy policies. When you connect an account, your use of that platform's data through Schedule & Chill is also subject to the platform's developer and user policies.

4.1 Meta Platforms (Facebook Pages, Instagram, Threads)

When you connect a Facebook Page or Instagram Business/Creator account, we use the Facebook Pages API and Instagram Graph API to publish content on your behalf. We request only the minimum permissions required: pages_show_list, pages_read_engagement, pages_manage_posts, instagram_basic, and instagram_content_publish.

Schedule & Chill's use and transfer of information received from Meta APIs adheres to the Meta Platform Terms and Developer Policies. Meta's privacy policy is available at facebook.com/privacy/policy.

You may revoke Schedule & Chill's access to your Meta accounts at any time by visiting Facebook Business Integrations and removing Schedule & Chill from the list.

4.2 Google (YouTube)

Schedule & Chill uses YouTube API Services to allow you to upload videos and publish content to your YouTube channel. By connecting a YouTube channel, you agree to be bound by the YouTube Terms of Service.

Our use of information received from YouTube API Services complies with the YouTube API Services Developer Policies. Google's Privacy Policy is available at policies.google.com/privacy.

You may revoke Schedule & Chill's access to your Google account at any time by visiting the Google Security Settings page and removing Schedule & Chill from the list of connected apps.

We store only the data necessary to publish content you explicitly request: YouTube channel ID, channel title, thumbnail URL, and OAuth tokens. We do not retrieve private video data, comments, or analytics beyond what is strictly needed to display your account status and publishing results.

4.3 LinkedIn (Profile and Pages)

When you connect a LinkedIn profile or LinkedIn Page, we use the LinkedIn Marketing Developer Platform APIs to publish content on your behalf. We request only: r_liteprofile, r_emailaddress, w_member_social, and (for Pages) w_organization_social.

Our use of LinkedIn data complies with the LinkedIn API Terms of Use and the LinkedIn Privacy Policy. You may revoke access at LinkedIn Permitted Services.

4.4 X (formerly Twitter)

Schedule & Chill uses the X API v2 with the following scopes: tweet.read, tweet.write, users.read, and offline.access. Our use of X data complies with the X Developer Agreement and Policy.

You may revoke access at any time from your X account under Settings → Security and account access → Apps and sessions. The X Privacy Policy is available at x.com/en/privacy.

4.5 TikTok

Schedule & Chill uses the TikTok for Developers Content Posting API to publish videos to your TikTok account. Our use complies with the TikTok API Terms of Service. TikTok's Privacy Policy is at tiktok.com/legal/privacy-policy.

4.6 Pinterest

Schedule & Chill uses the Pinterest API v5 to create Pins on your behalf. Our use complies with the Pinterest Developer Guidelines. Pinterest's Privacy Policy is at policy.pinterest.com/en/privacy-policy.

4.7 Bluesky

Schedule & Chill uses the Bluesky AT Protocol to publish posts. Authentication is handled via app passwords. Bluesky's Privacy Policy is at bsky.social/about/support/privacy-policy.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We share data only in the following limited circumstances:

• Connected social media platforms: Post content, media, and publishing metadata are transmitted to platforms you have explicitly connected, only when you schedule or publish a post
• Payment processor (Stripe): Billing information is processed by Stripe, Inc. See Stripe's Privacy Policy
• Infrastructure providers: Our hosting (Laravel Forge, AWS, or DigitalOcean), database, and storage (Cloudflare R2) providers process data strictly under data processing agreements compliant with GDPR
• Email delivery: Transactional emails are sent via Resend or Postmark, which process only the email address and message content necessary for delivery
• Legal requirements: We may disclose data if required by law, subpoena, court order, or to protect our legal rights, safety, or the safety of others
• Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction, subject to the protections of this Privacy Policy

6. Data Retention

We retain your data for as long as your account is active and as long as necessary to provide the Service. Specific retention periods:

• Account data: Retained until you delete your account
• OAuth tokens: Retained until you disconnect the corresponding social media account or delete your Schedule & Chill account
• Posts and media: Retained until you delete them or delete your account
• Analytics data: Retained for up to 90 days (Pro and Business plans) or 7 days (Starter plan)
• API/MCP logs: Automatically deleted after 30 days
• Billing records: Retained for 7 years as required by tax and accounting regulations
• Backups: Data may persist in encrypted backups for up to 30 days after deletion

7. Data Deletion

7.1 Deleting Your Account

You can delete your Schedule & Chill account at any time from Settings → Profile → Delete Account. When you delete your account, we will:

• Delete your personal data, posts, drafts, scheduled posts, and media files within 30 days
• Revoke all OAuth tokens for connected social media platforms
• Remove you from our email lists and stop all communications
• Delete your data from backups within an additional 30 days (up to 60 days total)

7.2 Requesting Data Deletion Without Deleting Your Account

If you want to delete specific data (e.g., a connected social account, a specific post, or all analytics data) without closing your account, you can do so from your account settings, or contact us at [email protected] with your request.

7.3 Meta Platform Data Deletion (User Data Deletion)

In compliance with Meta Platform Terms, users can request deletion of their Meta Platform data (Facebook Pages, Instagram) from Schedule & Chill by:

• Visiting Settings → Connected Accounts and disconnecting the Meta account, OR
• Removing Schedule & Chill from Facebook Business Integrations, OR
• Emailing [email protected] with "Meta Data Deletion Request" in the subject line

Upon disconnection or request, we will delete all stored data obtained from Meta APIs (Page access tokens, Page IDs, Instagram account data, and any cached content) within 30 days.

7.4 Contact for Data Deletion Requests

For any data deletion request, please email [email protected]. We will respond within 7 business days and complete the deletion within 30 days.

8. Data Security

We implement industry-standard technical and organizational security measures to protect your data, including:

• All data in transit is encrypted using TLS 1.2 or higher
• Passwords are hashed using bcrypt with a work factor of 12
• OAuth access tokens and refresh tokens are encrypted at rest using AES-256
• Database access is restricted by IP allowlist and requires authentication
• API keys use cryptographically random tokens and can be revoked at any time
• Two-factor authentication (2FA/TOTP) is available for all accounts
• Regular security updates and dependency patching

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and relevant authorities in accordance with applicable law.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data through your account settings or by contacting us
• Right to Erasure: Request deletion of your personal data (subject to legal retention obligations)
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Data Portability: Request your data in a structured, machine-readable format via our API
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for data processing at any time

9.1 GDPR (European Users)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the rights above under the General Data Protection Regulation (GDPR). The legal basis for processing your data is: (a) performance of a contract (providing the Service), (b) your consent (for optional features), and (c) our legitimate interests (security, fraud prevention). You may lodge a complaint with your local data protection authority.

9.2 CCPA (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) including the right to know what personal information we collect, the right to delete it, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. International Data Transfers

Schedule & Chill is operated from the United States. If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to this transfer.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection of your personal data.

11. Cookies and Tracking

We use only strictly necessary cookies for authentication, session management, and security (CSRF protection). We do NOT use:

• Advertising or retargeting cookies
• Third-party analytics that share data with advertisers
• Social media tracking pixels
• Cross-site tracking

Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

12. Children's Privacy

Schedule & Chill is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

13. AI and Machine Learning

Schedule & Chill offers optional AI-powered features (such as content suggestions and best time to post). When you use these features, your input may be processed by third-party AI providers (such as Anthropic's Claude or OpenAI). We do not use your data to train any AI or machine learning models ourselves, and we do not permit our AI providers to train their models on your data. AI processing is opt-in and can be disabled from your account settings.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of any material changes via email or an in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this policy indicates the most recent revision. Continued use of the Service after changes constitutes acceptance of the revised policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: