Privacy Policy — Pumpkii Media Hub

2.1 Account Data (Pumpkii staff)

• Email address and display name
• Password hash (we never store passwords in plain text)
• Login timestamps and IP address (for security audit)
• Role (admin, operator, viewer)

2.2 OAuth Tokens

When a Pumpkii staff member connects a Pumpkii brand account on YouTube, Instagram, or TikTok, we store:

• OAuth access_token and refresh_token (encrypted at rest)
• Platform identifier of the brand account (YouTube Channel ID, Instagram Business Account ID, TikTok Open ID)
• Token expiry timestamps and granted OAuth scopes

We never request OAuth tokens from any account other than Pumpkii's own brand accounts.

2.3 Content and Analytics

• Video files (deleted 30 days after successful publication), cover images, titles, descriptions, hashtags
• AI generation prompts (if used) — for internal archival
• Publish status per platform and the platform's post ID after success
• Daily snapshots of view count, like count, comment count, follower count for Pumpkii's own posts (fetched from each platform's official API)

2.4 What We Do NOT Collect

• Personal data of YouTube / Instagram / TikTok end users (viewers, followers, commenters)
• Direct messages, private content, or content from accounts other than Pumpkii's brand accounts
• Payment information
• Device sensors, location, or contacts from any user's device

5.1 YouTube API Services

The Service uses YouTube API Services. By using the Service to publish to YouTube, the authorizing Pumpkii staff member acknowledges that use is also subject to the YouTube Terms of Service (https://www.youtube.com/t/terms) and Google Privacy Policy (https://policies.google.com/privacy). You may revoke the Service's access to your Google account at any time via Google Security settings (https://security.google.com/settings/security/permissions). The Service complies with the YouTube API Services Terms of Service and Developer Policies.

5.2 Instagram / Meta

The Service uses the Instagram Graph API provided by Meta Platforms, Inc. By authorizing the Service, you agree to Meta's Platform Terms (https://developers.facebook.com/terms) and Privacy Policy (https://www.facebook.com/privacy/policy). You may revoke access at any time via Instagram → Settings → Apps and Websites.

5.3 TikTok

The Service uses the TikTok Content Posting API. By authorizing the Service, you agree to TikTok's Developer Terms (https://developers.tiktok.com/legal/development-terms-of-service) and Privacy Policy (https://www.tiktok.com/legal/page/global/privacy-policy/en). You may revoke access via TikTok → Settings → Privacy → Apps that can post.

For California residents (CCPA)

Pumpkii does not "sell" personal information as defined under the CCPA. Pumpkii staff using the Service have rights to know, delete, and opt-out as described in Section 8.

For EU/UK residents (GDPR)

The legal basis for processing is legitimate interest (operating an internal business tool) for staff data, and contractual necessity for OAuth tokens used to publish to platforms the user has authorized. You have the rights to access, rectify, erase, restrict, port, and object as described in Section 8. You may also lodge a complaint with your local supervisory authority.

International Data Transfers

Pumpkii is based in China. Some data is processed by international platforms (Google, Meta, TikTok) whose servers may be located in the United States, the European Union, or other regions. The authorizing Pumpkii staff member acknowledges that data may cross national borders as part of normal API operation.