Rheos.

Privacy Policy

Effective Date: 17 March 2026

1. Introduction

Welcome to RHEOS ("we," "our," or "us"), a service provided by ALDR Ltd. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and related services (the "App").

Data Controller & Processor Status (UK GDPR)

  • Controller: RHEOS acts as the Data Controller for your account registration data, billing details, and service usage logs.
  • Processor: RHEOS acts as the Data Processor for the social media content you upload, schedule, and publish through our platform. You retain full ownership and control (Controller status) over your social media content.

If you do not agree with the terms of this privacy policy, please do not access the application.

2. Information We Collect

We collect personal information that you voluntarily provide to us when you register for the App, connect your social media accounts, or otherwise interact with our services.

A. Personal Data You Provide

  • Account Credentials: Email address and account name for authentication via Google Firebase Authentication.
  • Profile Data: Your name, email address, and profile picture to manage your user profile.
  • User Content: Images, videos, logos, brand guidelines, and business documents you upload for the purpose of generating and publishing marketing content.

B. Information Automatically Collected

  • Device Data: Device information such as your device ID, model, manufacturer, operating system, and version.
  • Log and Usage Data: IP addresses, browser type, pages visited, and error reports.
  • Analytics Data: Session replay and product analytics (via PostHog) to understand user behavior and improve our services.

C. LinkedIn Data (Community Management API)

When you connect your LinkedIn account, we access data strictly in accordance with LinkedIn’s API Terms of Use.

  • Permissions: w_member_social, w_organization_social (for Company Page posting), r_organization_social (for Company Page feeds), r_organization_admin.
  • Data Accessed: User identity (Name, ID), Organization Pages you administer, and "Member Data" (comments and likes on your posts from other LinkedIn members).
  • Purpose: To enable you to draft, schedule, and publish content to your Personal Profile and Company Pages, and to view and reply to comments on your posts.
  • Limited Retention: We generally do not store "Member Data" (names, photos, or content of other LinkedIn members) permanently. This data is fetched in real time or cached strictly within the limits permitted by LinkedIn (see Section 6).

D. Meta Platforms Data (Facebook & Instagram)

We use Meta's Graph API and Instagram Graph API in compliance with Meta's Platform Terms and Developer Policies.

  • Permissions: pages_manage_posts, pages_show_list, business_management, instagram_business_basic, instagram_business_content_publish.
  • Data Accessed: Facebook name, Instagram username, profile pictures, and list of managed pages.
  • Purpose: To list your Facebook Pages and linked Instagram Business accounts, and to publish content (photos, videos, reels, stories) directly from the RHEOS dashboard.

E. X (Twitter) Data

When you connect your X account, we access data via the X API v2 in accordance with X's Developer Agreement and Policy.

  • Permissions: tweet.read, tweet.write, users.read, offline.access.
  • Data Accessed: Your X username, display name, profile picture, and user ID.
  • Purpose: To publish posts (text, images, and videos) to your X profile on your behalf.
  • Token Storage: We store OAuth 2.0 access and refresh tokens securely. Access tokens are refreshed automatically and previous tokens are overwritten.

F. TikTok Data

When you connect your TikTok account, we access data via the TikTok Content Posting API in accordance with TikTok's Developer Terms of Service.

  • Permissions: user.info.basic, video.publish, video.upload.
  • Data Accessed: Your TikTok display name, avatar, and open ID.
  • Purpose: To publish video content to your TikTok profile on your behalf.
  • Token Storage: We store OAuth 2.0 access and refresh tokens securely. Refresh tokens are valid for approximately one year.

G. Pinterest Data

When you connect your Pinterest account, we access data via the Pinterest API v5 in accordance with Pinterest's Developer Terms.

  • Permissions: boards:read, pins:read, pins:write, user_accounts:read.
  • Data Accessed: Your Pinterest username, profile picture, and list of boards.
  • Purpose: To create Pins (images and videos) on your Pinterest boards on your behalf.

H. YouTube Data

When you connect your YouTube account, we access data via the YouTube Data API v3 in accordance with Google's API Services User Data Policy and YouTube's Terms of Service.

  • Permissions: youtube.upload, youtube.readonly.
  • Data Accessed: Your YouTube channel name, channel ID, and channel thumbnail.
  • Purpose: To upload video content (YouTube Shorts) to your YouTube channel on your behalf.
  • Google API Disclosure: RHEOS's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

I. Bluesky Data

When you connect your Bluesky account, we access data via the AT Protocol.

  • Data Accessed: Your Bluesky handle and DID (decentralised identifier).
  • Purpose: To publish posts (text and images) to your Bluesky profile on your behalf.
  • Authentication: We use app passwords (not your main Bluesky password) to authenticate. You can revoke access at any time from your Bluesky settings.

J. Mastodon Data

When you connect your Mastodon account, we register an OAuth application on your chosen Mastodon instance.

  • Permissions: read, write:statuses, write:media.
  • Data Accessed: Your Mastodon username, display name, avatar, and instance URL.
  • Purpose: To publish posts (text, images, and videos) to your Mastodon profile on your behalf.
  • Instance-Specific: Your data is processed via your chosen Mastodon instance. We do not access data from other instances or federated content.

3. How We Use Your Information

We use personal information collected via our App for the following purposes:

  • Account Management: To facilitate account creation, authentication, and billing.
  • Content Creation & Publishing: To allow you to draft, schedule, and publish content directly from the RHEOS dashboard to your personal profiles and organization pages.
  • Community Management: To display comments and engagement on your connected social media accounts and facilitate your responses directly through the RHEOS dashboard.
  • AI-Powered Analysis: To process your uploaded documents and brand assets using AI models (Google Vertex AI) to generate marketing content.
  • Service Improvement: To monitor application performance, troubleshoot issues, and improve user experience.

4. Prohibited Uses (Meta & LinkedIn Compliance)

We strictly adhere to platform policies and do not use your social media data for:

  1. Surveillance: We do not use Platform Data to perform surveillance or tracking of users.
  2. Eligibility: We do not use Platform Data to determine eligibility for employment, credit, housing, or insurance.
  3. AI Training: We do not use your social media data to train public artificial intelligence models (your data is processed solely for your specific content generation requests).
  4. Data Sale: We do not sell, license, or purchase Platform Data.

5. Sharing Your Information

We share your information with the following categories of third-party service providers:

  • Hosting & Infrastructure: Vercel (App hosting), Google Cloud Platform / Firebase (Database & Storage), Google Vertex AI (Generative AI).
  • Analytics: PostHog (Product analytics), Sentry (Error tracking).
  • Payment Processing: Stripe (Subscription management). We do not store raw credit card information.
  • Social Media Platforms: Meta Platforms (Instagram, Facebook, Threads), LinkedIn Corporation, X Corp, TikTok (ByteDance), Pinterest, Google (YouTube), and Mastodon instance operators — for the purpose of publishing content and retrieving analytics as requested by you.

International Transfers

Our servers and third-party providers (e.g., Google Cloud, Stripe) may process data in the United States. We ensure these transfers are protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.

6. Data Retention

We retain personal data only as long as necessary to provide the RHEOS services, subject to specific platform requirements:

  • User Content: Content you create (images, drafts) and your account credentials are retained for the duration of your account's existence.
  • LinkedIn Platform Data: In strict compliance with LinkedIn API Terms, we do not permanently store "Member Data" (names, photos, or content of other LinkedIn members).
    • Profile Data: Basic profile data of other members is cached for a maximum of 24 hours.
    • Social Activity: Engagement data (likes, comments) is cached for a maximum of 48 hours.
    • After these periods, data is automatically refreshed from the API or deleted.
  • System Logs: Debugging and error logs are retained for 30 days, after which they are automatically deleted.

7. Disconnection & Data Deletion Instructions

Disconnecting Social Accounts

You may disconnect any linked social media account (LinkedIn, Instagram, Facebook, X, TikTok, Pinterest, YouTube, Bluesky, or Mastodon) at any time via the RHEOS "Identity" settings. Upon disconnection, we programmatically revoke permissions and delete stored access tokens and refresh tokens.

Facebook & Instagram Data Deletion Instructions

RHEOS is compliant with the Facebook Platform Data Deletion Policy. If you wish to remove RHEOS from your Facebook or Instagram account and delete your data:

  1. Go to your Facebook Account's "Settings & Privacy" > "Settings".
  2. Scroll down to "Apps and Websites".
  3. Find "RHEOS" in the list and click "Remove".
  4. To permanently delete your data from our system, click the "View Removed Apps and Websites" link, click on RHEOS, and click "Send Request".
  5. This triggers an automated data deletion callback to our system, removing your associated data.

Account Deletion

If you wish to delete your RHEOS account entirely, you may do so by contacting support or using the "Delete Account" option in Settings. Upon deletion, we will remove your account and associated data from our active databases.

8. Your Privacy Rights (UK & EEA)

If you are a resident of the UK or EEA, you have the right to:

  • Request access to your personal data.
  • Request correction or erasure of your personal data ("Right to be Forgotten").
  • Withdraw consent at any time.
  • Lodge a complaint with a supervisory authority (e.g., the UK Information Commissioner's Office - ICO).

9. Contact Us

If you have questions about this policy, please contact us at:

ALDR Ltd (RHEOS)

Address: 60 Farm Road, Nottingham, UK, NG9 5DA

Email: hello@rheos.app