1. Data controller

The data controller is Vabo, with registered office in Italy, European Union.

For personal data requests, exercising your rights, or data deletion, use the privacy contact form: https://www.vabo.tools/privacy-contact/

2. Scope

This policy applies to the website https://www.vabo.tools, the Vabo application, and OAuth flows that redirect to our authorized domains (e.g. oauth.vabo.tools).

It does not apply to third-party sites or services (Meta, Google, TikTok, GitHub, LinkedIn, X), which are governed by their own privacy policies.

3. Data we collect

Account data: email address, sign-in credentials, and additional authentication factors (authenticator app or passkey), managed through Amazon Cognito.

Profile data: display name, profile type (person or organization), public slug, bio, links, profile image, profile fields synced from connected social identities, verification status, and trust score shown on the public page.

Social identities: when you connect an account (Meta/Facebook, Google, TikTok, GitHub, LinkedIn, or X) we receive provider identifiers, name, avatar, profile URL, email (if made available by the provider), and OAuth tokens needed to maintain the connection. Some providers may supply additional demographic data (e.g. date of birth, location) only if you authorize it in the OAuth consent screen.

Publishing connections: for Facebook, Instagram, and TikTok we store identifiers of the pages or accounts you select, access tokens, and metadata needed to publish content at your request.

Content: text, images, and videos you upload for publishing or the media library, stored on Amazon S3.

Technical data: usage logs, IP address, browser and device type, timestamps, and security information required to operate the service.

4. Purposes and legal bases

To provide the service, manage accounts and profiles, and enable identity verification (performance of a contract, Art. 6.1.b GDPR).

To connect social identities and publish content to channels you select (performance of a contract and, where required by the provider, your consent).

To sync profile fields from connected identities, prevent abuse, and ensure security (legitimate interest, Art. 6.1.f GDPR).

To comply with legal obligations and respond to authority requests (Art. 6.1.c GDPR).

5. Third-party services and OAuth

When you authorize a social connection, we redirect you to the chosen provider. We receive only the data and scopes you accept on the provider's consent screen.

We use Meta APIs for identity and publishing to Facebook/Instagram; Google for identity (OpenID); TikTok for identity and video publishing; GitHub, LinkedIn, and X for identity.

OAuth tokens are stored securely, used only for actions you request (connection, profile sync, publishing, revocation), and can be invalidated through "Revoke" / "Disconnect" in the dashboard or by contacting privacy support.

Your use of third-party services is also governed by the privacy policies and terms of Meta, Google, TikTok, GitHub, LinkedIn, and X.

6. Recipients and transfers

Data is hosted on Amazon Web Services infrastructure (EU and, where necessary, other regions with adequate safeguards).

Data may be processed by vendors acting as data processors (hosting, transactional email) and by the social platforms you connect, limited to what is needed for the service.

Any transfers outside the EU rely on adequate safeguards, including the European Commission's Standard Contractual Clauses.

7. Retention

We retain data for as long as necessary to provide the service and meet legal obligations.

When you delete your account, we delete, unless retention is required by law, your Cognito account, user record, profile data, social identities, publishing targets, and associated tokens.

Media content may be deleted with the account or on request; residual copies in technical backups are removed according to standard retention cycles.

8. Your rights

You may exercise your rights of access, rectification, erasure, restriction, portability, and objection (Arts. 15-22 GDPR) via the privacy contact form: https://www.vabo.tools/privacy-contact/

You may withdraw consent, where processing is based on consent, without affecting the lawfulness of prior processing.

You have the right to lodge a complaint with your local supervisory authority.

9. Data deletion

You can delete your account and associated data from dashboard settings, where available, or via the privacy contact form: https://www.vabo.tools/privacy-contact/

You can revoke individual social identities or channel publishing through "Revoke" / "Disconnect" in the dashboard; we remove local tokens and, where supported by the provider, revoke the app's access.

After deletion, data is no longer accessible through the service. Some information may remain in security logs for a limited period or be retained where required by law.

10. Cookies and similar technologies

We use cookies and local storage strictly necessary for authentication, security, and operation of the service.

We do not use third-party advertising profiling cookies in the main service flow.

11. Children

The service is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us for removal.

12. Changes

We may update this policy. The last updated date is shown at the top of this page. Material changes will be communicated through the service or by email where appropriate.

13. Contact and related documents

Privacy contact form: https://www.vabo.tools/privacy-contact/

Website: https://www.vabo.tools

Terms of service: https://www.vabo.tools/terms/