Legal
Privacy Policy
Last updated: May 24, 2026
1. Who We Are
Sikorae (“Sikorae”, “we”, “us”, or “our”) operates the marketing command center available at sikorae.com. We are the data controller for the personal data we collect in connection with the Service.
This Privacy Policy explains what information we collect when you use Sikorae, why we collect it, how we use and protect it, with whom we share it, and what rights and choices you have regarding your data. Please read it carefully. If you have questions, contact us at privacy@sikorae.com.
2. Scope of This Policy
This policy applies to all users of Sikorae, including workspace administrators, team members, and visitors to our public marketing site. It covers data processed through:
- The Sikorae web application at sikorae.com
- Our public marketing and legal pages
- Any Sikorae APIs, integrations, or services you interact with
This policy does not cover data practices of third-party platforms you connect to Sikorae (such as Instagram, TikTok, YouTube, or LinkedIn). Those platforms have their own privacy policies and practices, which we encourage you to review.
3. Information We Collect
3.1 Account and Identity Data
When you sign in with your Google account, we receive from Google:
- Your name and email address
- Your Google profile photo URL
- A unique Firebase user ID (UID) assigned to your account
This data is stored in Firebase Authentication and linked to your Firestore workspace profile. We use it to identify you, secure your workspace, and provide personalized features.
3.2 Workspace and Brand Profile Data
During onboarding and use, you provide information that defines your workspace. This includes:
- Business or brand name, niche or industry, and timezone
- Target audience description, brand voice, and content strategy
- Content pillars, competitor handles, and weekly posting cadence
- AI context files — documents you upload to ground AI responses in your brand voice and strategy
- Campaign names, descriptions, and goals
This data is stored in Firestore under your workspace and is used to operate and personalize the Service — including grounding AI content generation in your brand context.
3.3 Content and Draft Data
Content you create within Sikorae, including:
- Post drafts, captions, scripts, and hashtags
- Scheduled and published post records
- Templates and reusable content patterns
- Inspiration items you save
- AI chat sessions and message history in the AI Assistant
3.4 Media and Asset Data
Assets you upload to the Sikorae media library or associate via Google Drive, including images, videos, and other creative files. We store file metadata (name, type, size, Drive reference IDs) and, where necessary to deliver features, the files themselves or references to their locations.
3.5 OAuth Tokens and Connected Platform Data
When you connect a third-party account (Instagram via Meta, TikTok, YouTube via Google, LinkedIn, Google Drive), we receive and store:
- OAuth access tokens and refresh tokens for those accounts, encrypted at rest in server-side storage
- Platform-level identifiers (e.g. Instagram user ID, YouTube channel ID, LinkedIn person/organization URN) returned during the OAuth flow
- Analytics data fetched from platform APIs, including metrics such as reach, impressions, engagement, follower counts, and geographic audience distribution (where permitted by the platform)
- Publishing acknowledgments and platform-assigned post IDs returned after content is submitted
OAuth tokens are used exclusively to operate the features you authorize (scheduling, publishing, analytics sync). Tokens for a platform are deleted from our systems when you disconnect that integration from your workspace.
3.6 Public Profile Monitoring Data (Competitor Scraping)
If you use the competitor monitoring or inspiration features, we collect publicly accessible data from social media profiles you designate, including:
- Profile bios, profile photos, and public follower counts
- Publicly visible posts, captions, hashtags, and estimated engagement data
- Publishing frequency and content patterns
This data is collected without logging into the monitored accounts and reflects only what is publicly visible on those platforms. It is stored in your workspace and used to generate competitive intelligence and content inspiration within Sikorae. You are responsible for ensuring that your use of this feature complies with the terms of the relevant platforms and applicable law.
3.7 AI Interaction Data
When you use AI features (the AI Assistant, the Composer AI, content briefs, review rubrics, etc.), we transmit to our AI infrastructure providers:
- Your messages, prompts, and conversation history within a session
- Relevant workspace context we include to ground the response (brand voice, analytics summaries, competitor data, AI context files you have uploaded)
- Content drafts or posts you submit for review or adaptation
AI session data is stored in Firestore under your workspace for session continuity and is not used to train AI models unless you explicitly opt into such a program. See Section 5 for details on our AI providers.
3.8 Team and Collaboration Data
If your workspace includes team members, we store:
- Invited member email addresses, names, and assigned roles
- Collaboration activity logs within the workspace (e.g. who created or modified content)
3.9 Monetization and Deal Tracking Data
If you use the Monetization module, we store deal records, brand contact information, campaign deliverables, and revenue figures that you enter. This data remains private to your workspace and is not shared with third parties.
3.10 Usage and Technical Data
We may collect technical and usage data to operate and improve the Service, including:
- Browser type, operating system, device identifiers, and IP address
- Pages visited, features used, and interaction events (where analytics tools are enabled in your deployment)
- Error logs and performance diagnostics
- Timestamps of logins, publishes, and other key actions
3.11 Communications Data
If you contact us for support or with a legal inquiry, we collect your name, email address, and the content of your communication.
4. How We Use Your Information
We use the information described above for the following purposes:
- Providing the Service: Authenticating you, maintaining your workspace, enabling content creation, scheduling, and publishing, syncing analytics, generating AI responses grounded in your workspace context, and delivering all other core features.
- Personalization: Tailoring AI outputs, content recommendations, and growth suggestions to your brand voice, strategy, and performance data.
- Scheduled reporting: Sending analytics reports in PDF or CSV format to the email addresses you specify, at frequencies you configure.
- Service communications: Sending transactional messages related to your account (e.g. connection status alerts, publish confirmations, error notifications). We do not send marketing emails without your explicit opt-in.
- Security and integrity: Detecting, investigating, and preventing fraud, abuse, unauthorized access, and violations of our Terms of Service.
- Service improvement: Analyzing aggregated, de-identified usage patterns to improve features, fix bugs, and develop new capabilities.
- Legal compliance: Responding to lawful requests from courts, regulators, or law enforcement; asserting or defending legal claims; and complying with applicable law.
- Customer support: Responding to your inquiries and resolving issues.
5. Legal Bases for Processing (EEA and UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you have requested (account management, publishing, analytics sync, AI features).
- Legitimate interests: Processing necessary for our legitimate interests, including improving the Service, ensuring security, and preventing abuse — provided those interests are not overridden by your rights and interests.
- Consent: Where we rely on your consent (e.g. to send optional email reports or to access specific OAuth scopes), you may withdraw that consent at any time without affecting the lawfulness of prior processing.
- Legal obligation: Processing necessary to comply with a legal obligation to which we are subject.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
- Service providers: We share data with trusted third-party vendors who help us operate the Service. These providers act under our instructions and are contractually prohibited from using your data for their own purposes. Key providers include:
- Google (Firebase): Authentication (Firebase Auth), database (Firestore), and cloud hosting.
- OpenRouter and AI model providers: Processing of AI prompts and context to generate responses.
- Resend: Email delivery for scheduled reports and transactional notifications.
- Scrape infrastructure providers: Retrieval of publicly visible competitor and inspiration profile data.
- Social platform APIs: When you publish content or sync analytics, your content and credentials are transmitted to the relevant platform APIs (Meta, TikTok, YouTube, LinkedIn). This transmission is at your direction and is necessary to deliver the features you have requested.
- Google Drive: When you access or select assets via the Google Drive integration, data is exchanged with the Google Drive API under your authorized scopes.
- Legal requirements: We may disclose your data if required to do so by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of Sikorae, our users, or the public.
- Business transfers: In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer and your rights in that event.
- With your consent: We may share your data in other ways with your explicit consent.
7. AI Infrastructure and Model Providers
Our AI features are powered by large language models accessed via OpenRouter, which routes requests to underlying model providers (such as Anthropic, OpenAI, Google, and others depending on the task). When you use AI features:
- Prompts, messages, and the workspace context we include (brand voice, analytics summaries, AI context files) are transmitted to OpenRouter and the relevant model provider to generate a response.
- We select AI task configurations designed to minimize unnecessary data exposure (task-specific models, constrained context windows).
- We do not train AI models on your workspace data without your explicit opt-in consent.
- AI providers have their own data handling practices. We use providers whose API terms include data privacy protections, but you should be aware that prompts are processed by third-party model infrastructure.
- Avoid including highly sensitive personal data (such as financial account numbers, health information, or government ID numbers) in AI prompts or context files, as this data may be processed by external model providers.
8. Cookies and Local Storage
Sikorae uses cookies and browser local storage to maintain your authenticated session and preferences. Specifically:
- Session cookies: Firebase Authentication uses session-scoped tokens to keep you signed in.
- Local storage:UI preferences (such as theme selection, sidebar state, and timezone) may be stored in your browser's local storage.
- Analytics cookies: If Firebase Analytics or similar tools are enabled in your deployment, they may use cookies to collect usage data.
We do not use third-party advertising cookies or tracking pixels. You can control or clear cookies through your browser settings, but doing so may affect your ability to stay signed in.
9. Data Retention
We retain your data for as long as your account and workspace are active, and for a reasonable period thereafter as necessary to comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention practices:
- Active workspace data (posts, drafts, analytics, AI sessions, team data): Retained while your workspace is active.
- OAuth tokens: Deleted immediately when you disconnect an integration.
- Analytics data: Retained in your workspace until you delete it or request account deletion.
- AI context files:Retained until you delete them from the Settings → AI Context Files section or request account deletion.
- Account deletion: When you request deletion of your account, we will delete or anonymize your personal data within a reasonable time, subject to any legal hold obligations.
- Support communications: Retained for up to 3 years after your last interaction with us, unless a longer retention period is required by law.
You may delete specific content items within the product at any time. To request full account deletion, contact us at privacy@sikorae.com.
10. Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure. These measures include:
- Encrypted data transmission over HTTPS/TLS for all connections between your browser and Sikorae's servers
- Firebase Security Rules controlling access to Firestore data at the document level, ensuring workspace isolation
- Server-side encrypted storage for OAuth tokens — tokens are never exposed to the browser
- Google Firebase Authentication for identity management, which supports Google's own security infrastructure including 2FA
- Access controls limiting which personnel and services can access production data
No system is completely secure. We cannot guarantee the absolute security of your data. You are responsible for securing access to your Google account, which controls access to Sikorae. We recommend enabling two-factor authentication on your Google account.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law.
11. International Data Transfers
Sikorae is built on Google Firebase infrastructure, which may process your data in data centers located in the United States and other countries. When you connect social platform APIs, data is also processed by those platforms' infrastructure, which may be located globally.
If you are located in the EEA, UK, or Switzerland, we rely on appropriate transfer mechanisms (such as the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or the equivalents required under UK and Swiss law) to transfer your personal data to countries outside the EEA/UK that may not provide an equivalent level of data protection. Contact us if you wish to obtain further details about the safeguards in place.
12. Your Rights and Choices
Depending on your location, you may have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data. You can update most workspace data directly within the app.
- Deletion: Request that we delete your personal data. We will comply subject to any legal obligations to retain certain information.
- Portability: Request a machine-readable copy of data you have provided to us so you can transfer it to another service.
- Restriction: Request that we restrict the processing of your data in certain circumstances.
- Objection: Object to our processing of your data where we rely on legitimate interests as a legal basis.
- Withdraw consent: Where we process data based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. To disconnect OAuth integrations, use the Connections settings page in Sikorae.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: The right to know what personal information we collect, use, disclose, and sell about you.
- Right to Delete: The right to request deletion of personal information we have collected from you.
- Right to Correct: The right to correct inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your rights, contact us at privacy@sikorae.com. We will respond to verifiable requests within the timeframes required by applicable law. We do not charge a fee for reasonable requests.
13. EEA and UK Supervisory Authority
If you are located in the EEA or UK and believe we have not handled your data in accordance with applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In Ireland, it is the Data Protection Commission (DPC). Other EEA countries have their own authorities.
We ask that you contact us first at privacy@sikorae.com so we have the opportunity to address your concern directly.
14. Children's Privacy
Sikorae is not directed to or intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, do not use Sikorae or provide us with any personal information.
If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take prompt steps to delete that data. If you believe we may have collected data from a child under 16, please contact us at privacy@sikorae.com.
15. Do Not Track
Some browsers transmit “Do Not Track” signals. Because there is currently no industry-wide standard for responding to such signals, we do not alter our data collection practices in response to Do Not Track signals. We will revisit this policy if a standard is established.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate or required by law, notify you by email or via an in-app notice.
Your continued use of Sikorae after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you must stop using Sikorae and may request deletion of your data.
17. Contact Us
If you have questions, requests, or concerns about this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@sikorae.com
- Legal inquiries: legal@sikorae.com
- Website: sikorae.com
We will respond to your inquiry as promptly as possible and no later than required by applicable law.
See also our Terms of Service.