Privacy Policy
VideoBot Privacy Policy
Effective date: July 12, 2026. Last updated: July 12, 2026.
Operator/contact: VideoBot is operated by the site owner. Support contact: support@videobotapp.com
Information users provide
VideoBot may process story ideas, scripts, captions, publishing metadata, account labels, approval decisions, and support messages provided by authorized users.
TikTok OAuth information and scopes
When a TikTok account is connected, VideoBot requests the scopes needed for approved content upload or publishing, currently video.upload and video.publish. OAuth callbacks may include authorization codes, state values, or platform error details.
Google sign-in
VideoBot may use Google OpenID Connect for account sign-in. Google verifies identity and VideoBot stores the minimum identity fields needed for access control, such as verified email, display name, provider subject, linked provider, account role, account status, login timestamps, and session records. VideoBot does not receive or store Google passwords and does not need Google Drive, YouTube, Gmail, contacts, offline access, or refresh tokens for identity-only sign-in.
Email and password sign-in
VideoBot may also allow email and password accounts. Plaintext passwords are never stored. Passwords are transformed into Argon2id password hashes, and reset links use one-time random tokens where only a server-side token hash is stored.
Password reset and verification records
Password-reset and email-verification records may include token hashes, creation time, expiration time, consumption time, and limited sanitized request metadata such as an IP-derived hash for security and abuse prevention.
Provider subject storage
For Google sign-in, VideoBot uses the verified provider subject as the permanent identity key. Email is stored for account display and support, but email alone does not grant owner access.
Access and refresh tokens
Access tokens, refresh tokens, expiration times, and account identifiers are stored locally with restricted permissions. They are not displayed on public pages or included in public reports.
Video files and publishing metadata
VideoBot stores reviewed video candidates, captions, hashtags, visibility choices, disclosure settings, publishing status, and error states needed to operate the creator workflow.
Technical logs and security events
The service may keep application logs, route status, error records, approval history, login attempts, password reset requests, rate-limit events, and other security-relevant events for troubleshooting, abuse prevention, and auditability. Logs must not include plaintext passwords or reset tokens.
Purposes for processing data
Data is used to plan videos, assemble review candidates, operate approval gates, connect authorized accounts, prepare approved platform delivery, diagnose failures, and respond to support or deletion requests.
Third-party platform APIs
VideoBot uses official third-party platform APIs for account authorization and content delivery when configured. It does not sell personal data.
Data sharing
Data is shared with connected platforms only as needed to perform actions authorized by the user or owner. Service operators may access local records for operation, support, security, and debugging.
Retention
Project files, logs, OAuth records, password credential records, reset-token hashes, session records, and publishing metadata are retained while needed for the production workflow, account access, audit trail, troubleshooting, security, or legal obligations. Expired or consumed reset-token records may be removed after they are no longer needed. Records can be removed on verified request when retention is no longer required.
Deletion and account disconnection
Users can request account disconnection or data deletion by contacting support. Deletion may revoke sessions and disable credentials where appropriate. Do not send passwords or tokens in support requests.
Security practices
VideoBot limits public pages, protects internal studio routes, hashes passwords with Argon2id, stores reset tokens only as hashes, avoids public token display, and keeps posting blocked unless configured, authorized, and explicitly approved.
Cookies and session storage
The public website uses ordinary browser requests. Account and internal studio areas may use secure HttpOnly session cookies, CSRF tokens, and browser cache storage for installed-app shell assets. Session cookies do not store roles, Google tokens, provider subjects, password hashes, or plaintext passwords.
Children's privacy
VideoBot is not intended for children. Users must meet the eligibility requirements of the connected platforms they use.
User rights
Depending on location, users may have rights to access, correct, delete, restrict, or object to processing. Contact support to make a request.
International processing
Data may be processed where the operator, hosting systems, connected platforms, or service infrastructure are located.
Policy changes
This policy may be updated as VideoBot changes. The updated date will identify the current version.