Last updated: April 14, 2026
This Privacy Policy explains how kraftsociAI ("kraftsociAI", "we", "Service") collects, uses, protects, and shares personal data of our users. By using the Service, you agree to the practices and terms described in this Policy.
kraftsociAI is a software service based in Turkey. Under the Turkish Personal Data Protection Law No. 6698 (KVKK) and the EU General Data Protection Regulation (GDPR), we act as a data controller.
Contact: admin@kraftsociai.com
Domain: kraftsociai.com
We collect the following categories of data:
• Account information: Name, email address, password (stored as a bcrypt hash), business name, sector.
• Business profile: Business description, target audience, communication tone, sector (used for AI content generation).
• Social media connection data: OAuth access tokens obtained via Meta Graph API to access your Instagram Business account, token expiry dates, connected Instagram user ID and page name.
• Generated content: AI-generated images, text, captions, hashtags, and their creation/publication timestamps.
• Payment information: Managed through Stripe. kraftsociAI DOES NOT store card numbers — only Stripe customer ID and subscription status.
• Usage data: Browser type, IP address (for logging), page visit records, in-app actions.
We use the data we collect only for the following purposes:
• To provide and improve the Service
• To personalize AI content generation
• To automatically publish content to your Instagram account — only with your explicit consent
• To process payments
• Account management, password reset, and support
• Fraud detection and security
• Compliance with legal obligations
Important: We never share your data with third parties for advertising targeting.
kraftsociAI uses the Meta (Facebook/Instagram) Graph API. We request and use the following permissions only with your consent:
• instagram_basic — To read basic information from your Instagram Business profile
• instagram_content_publish — To publish posts to your Instagram account on your behalf, after your approval
• pages_show_list — To detect the Facebook Page connected to your Instagram
• pages_read_engagement — To read Page metadata
• business_management — To manage your business account
Our most important promise: No content is published without your consent. Every post is shown to you before it goes live, and it is only published when you click the "Publish" button. kraftsociAI never shares anything automatically in the background without your approval.
Meta access tokens are stored securely on our servers, used in accordance with Meta's Platform Terms, and never shared with third parties.
To provide the Service we use the following service providers:
• OpenAI (USA): Text and image generation with the GPT-4o-mini and gpt-image-1 models. During content generation, your business profile and topic text are sent to OpenAI. Per OpenAI's API Data Usage Policy, this data is not used for model training.
• Meta Platforms Inc (USA): To publish to your Instagram account via the Instagram Graph API.
• Stripe (USA/Ireland): For payment processing. Card details are managed entirely by Stripe.
• Railway (USA): Infrastructure provider hosting our backend server. Our PostgreSQL database is hosted on Railway.
• Vercel (USA): Infrastructure provider hosting our frontend application.
• Zoho (India/EU): Corporate email service.
These third-party providers process your data under their own privacy policies.
• Account data: Retained as long as your account is active.
• OAuth access tokens: Until the connection is removed or revoked by Meta.
• Generated content: Until you delete it or close your account.
• Payment records: 10 years (Turkish Commercial Code requirement).
• Server logs: 30 days.
When you close your account, all your data is permanently deleted within 30 days (except payment records — retained due to legal obligations).
To protect your data we take the following measures:
• All data communication is encrypted with HTTPS/TLS
• Passwords are stored as bcrypt hashes (plain text is never stored)
• OAuth access tokens are encrypted in production
• Database access is restricted via IP whitelist
• JWT-based authentication (short-lived tokens)
• Regular security updates and open-source dependency scanning
Despite these measures, no communication over the internet is 100% secure. If you notice anything suspicious, please report it immediately to admin@kraftsociai.com.
Under applicable law you have the following rights:
• Right of access: To access all data we hold about you
• Right to rectification: To correct inaccurate or incomplete data
• Right to erasure: To request deletion of your data ("right to be forgotten")
• Right to restriction of processing: To stop processing for certain purposes
• Right to data portability: To receive your data in a machine-readable format
• Right to object: To object to certain data processing activities
• Right not to be subject to automated decision-making
To exercise these rights, write to admin@kraftsociai.com — we will respond within 30 days.
You can also request account deletion directly at /data-deletion.
kraftsociAI is not intended for users under 18. If you are under 18, please do not use the Service, and request account closure together with your parent.
The Service uses the following cookie types:
• Necessary cookies: Authentication JWT (stored in localStorage)
• Functional cookies: Language preference, theme settings
We DO NOT use analytics or advertising cookies. There are NO third-party tracking scripts.
Our servers are hosted on Railway (USA) and Vercel (USA). For EU users, this data transfer is performed under Standard Contractual Clauses (SCC). Appropriate security measures per GDPR Article 46 are in place.
We may update this policy from time to time. For significant changes we will send a notification to your registered email and show an in-app notice. Continued use of the Service after changes means you accept the updated policy.
For any privacy-related questions, requests, or complaints:
• Email: admin@kraftsociai.com
• Web: https://kraftsociai.com
You retain the right to file complaints regarding KVKK with the Turkish Personal Data Protection Authority: https://www.kvkk.gov.tr