Privacy Policy

This Privacy Policy explains how itoms Ltd collects, uses, and protects your personal information when you use our website at ito.ms and our platform at app.ito.ms.

Last updated: April 2026

itoms Ltd (“we”, “our”, or “us”) is registered in England and Wales with a registered office at 86-90 Paul Street, London, EC2A 4NE. We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address, full name, and password (stored securely using industry-standard hashing — never in plaintext). A profile photo and company name are optional.

1.2 Content You Create

We store content you upload or create through the platform, including videos, images, audio files, articles, and associated metadata such as titles, descriptions, and tags.

1.3 Subscriber Data

When end users subscribe to a project’s email digest, we collect their email address and subscription preferences. This data belongs to the project owner and is used solely for email delivery.

1.4 Third-Party Social Media Data

If you connect an Instagram or TikTok account for publishing, we store account identifiers and encrypted OAuth tokens required to publish on your behalf. We do not store your social media passwords. All tokens are encrypted using AES-256-GCM and stored server-side only. We do not access your followers, messages, or any data beyond what is strictly necessary for publishing.

1.5 Billing Information

Payment details are processed and stored by Stripe. itoms does not store your card number, expiry date, or CVV. We retain records of subscription transactions for 6 years as required by UK law.

1.6 Automatically Collected Information

We collect your IP address (for rate limiting and security), user agent (for device compatibility), and anonymised usage analytics via Plausible Analytics — a privacy-focused tool that uses no cookies and does not track individual users.

2. How We Use Your Information

We use your information to:

  • Provide the service — authenticate you, manage your projects, store and deliver your content
  • Process payments — manage subscriptions and billing via Stripe
  • Publish content — use your stored tokens to publish to Instagram or TikTok only when you explicitly initiate a publish action
  • Deliver email digests — send newsletters to your subscribers on your behalf
  • Provide security — detect and prevent fraud, abuse, and unauthorised access
  • Improve the platform — understand usage patterns using aggregated, anonymised data only

3. Legal Basis for Processing

We process your data under the following lawful bases under UK GDPR:

  • Performance of a contract — to provide the service you have signed up for, including processing account information and billing
  • Consent — for connecting third-party social media accounts and for any optional marketing communications
  • Legitimate interests — for security, fraud prevention, and anonymised analytics to improve the platform

4. How We Store and Protect Your Data

Your data is protected using the following infrastructure:

  • Application hosting: Vercel (encrypted in transit via TLS)
  • Database: Supabase (PostgreSQL with Row Level Security, encrypted at rest)
  • Media storage: Cloudflare (Stream for video, Images for photos, R2 for audio)
  • Email delivery: Resend
  • Payments: Stripe (PCI DSS compliant)

All database queries are scoped to the authenticated user’s projects using Row Level Security. Cross-project data access is not possible.

5. Sub-Processors

We share your data with the following third-party service providers who process it on our behalf:

  • Supabase — database and authentication (all user and content data)
  • Vercel — application hosting (request logs, server-side processing)
  • Cloudflare — media storage (uploaded media files)
  • Resend — email delivery (recipient email addresses, email content)
  • Stripe — payment processing (billing information)
  • Anthropic — AI caption generation (content metadata only — no personal data)
  • Plausible — privacy-friendly analytics (anonymised page views — no personal data, no cookies)

6. International Data Transfers

Some of our sub-processors are based outside the UK. Where personal data is transferred internationally, we rely on appropriate safeguards including International Data Transfer Agreements (IDTAs) or equivalent mechanisms as required by UK GDPR.

7. Your Rights

Under UK GDPR, you have the right to access your personal data, correct inaccurate data, request deletion of your data, object to processing, and request a portable copy of your data. EU users may also lodge complaints with their local data protection supervisory authority.

To exercise any of these rights, contact us at privacy@ito.ms. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

8. Data Retention

  • Active accounts: data retained for as long as your account is active
  • Deleted accounts: data permanently deleted within 30 days of account deletion
  • Billing records: retained for 6 years as required by UK law
  • Server logs: purged after 90 days
  • Analytics data: aggregated and anonymised; raw events purged after 12 months

9. Cookies

itoms uses minimal cookies. We use only one essential cookie (the Supabase authentication session cookie) required for login. We do not use advertising, tracking, or third-party marketing cookies. See our Cookie Policy for full details.

10. Children’s Privacy

itoms is not intended for children under 16. We do not knowingly collect personal information from anyone under 16. If we learn we have collected data from a child under 16, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The “Last updated” date at the top of this page reflects the most recent revision. By continuing to use ito.ms or app.ito.ms after changes take effect, you accept the updated policy.

12. Contact

For privacy-related questions, data requests, or concerns:

  • Email: privacy@ito.ms
  • Post: itoms Ltd, 86-90 Paul Street, London, EC2A 4NE