01Overview & scope
This covers data we collect as a company (your account, billing, usage) and the data we access from the social accounts you connect. For the content your clients' data lives inside, you're the controller and we just process it for you.
This Privacy Policy describes how Ovia, Inc. ("Ovia," "we," "us") handles personal data in connection with ovia (the "Service"). It applies to our website at ovia.co, the ovia app, and the client portals you run on ovia.
There are two roles to keep separate. For data about you and your team — account details, billing, and how you use ovia — Ovia is the controller, and this policy applies. For the Customer Content you and your clients put into ovia (which may contain personal data about your clients and their audiences), you are the controller and Ovia is your processor; that processing is governed by our Data Processing Addendum.
02What we collect
We collect:
- Account information — name, work email, password, agency name, and workspace settings you provide when you sign up or invite teammates.
- Billing information — plan, billing contact, and transaction records. Card details are collected and stored by our payment processor, Stripe; we don't store full card numbers.
- Content & connections — the posts, media, comments, approvals, messages, brand assets, and the social accounts you connect. We process this on your behalf as your processor.
- Social platform data — the account information, content, and metrics we retrieve from the social media accounts you connect, described in detail in Section 03.
- Usage & device data — log data, IP address, browser and device type, pages viewed, and feature usage, collected to operate, secure, and improve the Service.
- Support communications — messages you send us and the contents of those exchanges.
03Connected social accounts & platform data
When you connect a social account, we ask for the minimum access needed to publish the posts you approve and pull back analytics for your reports. We never see your passwords, we don't sell this data, and we don't use it for advertising or to train AI models.
ovia lets you connect social media accounts so your team can schedule, publish, and report on content. You can connect accounts from Instagram and Facebook (Meta), Google (YouTube and Google Business Profile), LinkedIn, TikTok, and Pinterest. Connections are made through each platform's official OAuth flow.
How we access it
We connect only when you explicitly authorize it, and we request the minimum permissions (scopes) needed for the features you use. We receive an access token from the platform; we never receive or store your social account password. Tokens are stored encrypted and used only to act on your behalf.
What we access, and why
- Account & profile information — account IDs, handles, names, profile pictures, and the pages, channels, or profiles you manage — so you can select where to publish and so your clients recognize their accounts.
- Content & publishing — the posts, captions, media, and scheduling metadata you create in ovia, published to your connected accounts at your direction.
- Insights & analytics — reach, impressions, engagement, follower counts, and post performance — used to generate the reports you and your clients see.
We use platform data only to provide the features you use — scheduling, publishing, and reporting. We do not sell platform data, use it for advertising or ad targeting, or use it to train AI or machine-learning models for unrelated purposes.
Compliance with platform policies
- Google: ovia's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Meta: our use of data from Instagram and Facebook complies with the Meta Platform Terms and Developer Policies.
- LinkedIn, TikTok & Pinterest: our use complies with each platform's developer terms, API terms, and data-use policies.
We only retain platform data for as long as your connection is active and as needed to provide the Service. When you disconnect an account, we stop accessing it and delete the associated data as described in Section 09.
04How we use it
We use data to run ovia, bill you, support you, keep it secure, and make it better. We don't sell it.
We use personal data to: provide and maintain the Service; authenticate accounts and process payments; publish content and retrieve analytics for the social accounts you connect; respond to support requests; monitor, secure, and prevent abuse; analyze and improve features and performance; and send you service, security, and (where permitted) product communications. We do not sell personal data, and we don't use the content or platform data you process in ovia to train AI models for unrelated purposes.
05Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on these legal bases: performance of a contract (to provide the Service and billing), legitimate interests (to secure, maintain, and improve the Service, and for limited product communications), consent (for optional cookies and marketing where required, which you can withdraw), and legal obligation (to comply with applicable law).
07Sub-processors
We use a small set of infrastructure and tooling providers to run ovia. We require each to protect personal data consistent with this policy and our DPA.
| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting & storage | US / EU |
| Stripe | Payment processing | US |
| Cloudflare | CDN, DNS & DDoS protection | Global |
| Postmark | Transactional email delivery | US |
| Sentry | Error monitoring & diagnostics | US |
We maintain an up-to-date list and will give notice of material changes as described in the DPA. To be notified of sub-processor changes, email hello@ovia.co.
08Data retention
We keep data while your account is active, then delete it after a short wind-down window — backups age out shortly after.
We retain account and Customer Content for as long as your account is active. After termination, Customer Content is available for export for 30 days, then deleted from active systems; encrypted backups are purged on a rolling cycle within 90 days. Social platform data and OAuth tokens are retained only while the relevant connection is active, and are deleted when you disconnect the account (see Section 09). We keep limited records (such as billing and legal compliance data) for as long as the law requires.
09Revoking access & deleting your data
You're in control. Disconnect any social account in one click, revoke access from the platform's own settings, or email us to delete your data entirely. This section is also our official data-deletion instructions for platform reviewers.
You can revoke ovia's access to a connected social account at any time, in either of two ways:
- In ovia — go to Settings → Connections and disconnect the account. This immediately revokes the stored access token and stops all further access.
- From the platform — remove ovia from your account's connected-apps settings directly on the platform (for example, Meta Business settings, your Google Account's third-party access, LinkedIn's permitted services, TikTok's app management, or Pinterest's connected apps).
When you disconnect an account, we delete the OAuth tokens and the platform-derived data associated with that connection from our active systems promptly (generally within 30 days); residual copies in encrypted backups age out within 90 days.
To request deletion of your personal data or platform data, email privacy@ovia.co (or hello@ovia.co) from the address associated with your account, or submit a request from within the app. We will verify your request and delete the relevant data within the timeframes required by applicable law. Deleting your ovia account removes your connected-account data as described in Section 08. If your request concerns content where your agency is the controller, we'll refer you to that agency or assist them as their processor.
10International transfers
We're based in the United States and use providers in the US and EU. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, for the UK, the UK International Data Transfer Addendum. You can request a copy of the relevant safeguards at hello@ovia.co.
11Your rights
You can access, correct, delete, or export your data, and object to certain uses. Email us and we'll help.
Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain uses. Under US state laws such as the CCPA/CPRA, you also have rights to know and delete, and to opt out of "sale" or "sharing" of personal information — and to be clear, we do not sell or share personal information in that sense.
To exercise any right, email privacy@ovia.co. If your request concerns content where your agency is the controller, we'll refer you to that agency or assist them as their processor. You also have the right to lodge a complaint with your local data-protection authority.
12Cookies & analytics
We use cookies and similar technologies that are strictly necessary to sign you in and run the app, plus a small amount of privacy-respecting analytics to understand product usage. We don't use third-party advertising or cross-site tracking cookies. Where required, we ask for consent to non-essential cookies, and you can manage preferences in your browser.
13Security
We protect personal data with encryption in transit and at rest, least-privilege access controls, and continuous monitoring. See our Security page for details. No system is perfectly secure, but we work hard to keep yours safe and will notify you of a breach as required by law and our DPA.
14Children
ovia is a business tool intended for users aged 18 and over. It isn't directed to children, and we don't knowingly collect personal data from anyone under 18. If you believe a child has provided us data, contact us and we'll delete it.
15Changes
We may update this policy as the Service evolves or the law changes. If we make material changes, we'll notify you by email or in-app before they take effect. The "Last updated" date above reflects the latest revision.
16Contact us
Questions, requests, or concerns about privacy? We're glad to help.