Privacy Policy
EN: Digital Media 24h operates internal tools that publish content to social media Pages and channels owned by us or explicitly authorised by their owners. We encrypt every access token at rest, never sell user data, and delete data immediately when a connection is revoked.
VN: Digital Media 24h vận hành các công cụ nội bộ để đăng nội dung lên Trang/Kênh do chính chúng tôi sở hữu hoặc được chủ sở hữu uỷ quyền rõ ràng. Mọi token được mã hoá khi lưu trữ. Chúng tôi không bán dữ liệu và xoá ngay khi ngắt kết nối.
1. Who we are
In this policy, "Digital Media 24h", "we", "us" or "our" refers to the operator of digitalmedia24h.xyz and the internal social-media management tooling reachable at api.digitalmedia24h.xyz. Our registered point of contact is listed in section 13.
2. Scope
This policy covers data we collect when you (a) browse this website, (b) grant our application access to your Facebook, Instagram, TikTok or YouTube accounts through the platform's standard OAuth flow, or (c) use any dashboard we provide to schedule posts, review comments, or manage rules.
3. Data we collect
3.1 From Meta platforms (Facebook & Instagram)
When you connect a Facebook account using our tool we receive, via Meta's Graph API:
- Your Facebook user ID and display name (used only to associate your consent with your subsequent actions).
- For each Page you administer and choose to connect: Page ID, Page name, Page picture, category, and the list of tasks your role permits (e.g. CREATE_CONTENT, MODERATE).
- A Page Access Token per connected Page, which our server uses to publish content and read comments on that Page on your behalf.
- For Instagram Business accounts linked to a connected Page: IG Business ID, display name, and derived access token.
- Comments and replies made on posts we publish on your behalf, so we can apply the reply rules you configure.
3.2 From TikTok
- Your TikTok open_id, display name, and avatar URL.
- An access token (24-hour lifetime) and refresh token (365-day lifetime).
- The IDs and metadata of videos we publish on your behalf.
- Comments on those videos when you enable comment moderation.
3.3 From YouTube (Google)
- Your YouTube channel ID, channel title, and thumbnail.
- OAuth access and refresh tokens issued by Google.
- Video IDs and metadata for videos we upload on your behalf.
- Comments on those videos when you enable comment moderation.
3.4 Directly from you
- An administrator email and password hash (we never store passwords in plain text; we use scrypt with a per-user salt and a pepper stored only in our server configuration).
- The text, media (images, video), captions, hashtags, and scheduling metadata of posts you create in our dashboard.
- Auto-reply rules you configure, including keyword lists, reply templates, and blacklists.
3.5 Technical data
- Server request logs (IP address, user agent, path, response code) retained for up to 30 days for debugging and abuse prevention.
- Application error reports via Sentry, which may contain stack traces and request IDs but are configured to redact all tokens and personal identifiers.
4. How we use data
- To publish the content you schedule on the accounts you connect.
- To execute the auto-reply rules you define on the comments we observe.
- To display status, health, and analytics (success/failure counts) back to you in the dashboard.
- To refresh access tokens before they expire, so your scheduled jobs don't silently fail.
- To debug failures when you contact us for support.
We do not use your data to train machine-learning models, sell it to advertisers, share it with data brokers, or build user profiles for marketing purposes.
5. Storage and security
- All platform access tokens and refresh tokens are encrypted using AES-256-GCM with a per-ciphertext random IV before being written to persistent storage.
- The master encryption key is held in the operating system's secure keystore (Windows Credential Manager via DPAPI on the developer pilot machine; a managed KMS in production) and never written to disk unencrypted, never logged, and never transmitted.
- Transport to our servers is TLS 1.2+ only. Certificates are managed by Cloudflare and Caddy.
- Access tokens are redacted from application logs by explicit field-name allowlist in our logger configuration.
- Our production database is reachable only through the application server; it is not publicly routable.
6. Data retention and deletion
- We retain an account's data for exactly as long as the connection is active in our system.
- Disconnecting an account in our dashboard deletes every record associated with it — tokens, metadata, published post records, captured comments, reply history — within 15 minutes.
- Server logs are retained for 30 days, then deleted.
- Backups are encrypted and retained for 30 days; they are purged on a rolling basis.
7. Your rights
You can, at any time:
- Access the data we hold about a connected account from the dashboard.
- Correct profile information by reconnecting the account (fresh data overwrites stale data).
- Delete all data by disconnecting the account or by emailing us; deletion completes within 15 minutes.
- Revoke our application's access directly from the platform (Facebook Settings → Apps and Websites; Google Account → Third-party access; TikTok Privacy → App Permissions). After revocation our stored tokens become non-functional; we recommend also disconnecting on our side so that the associated metadata is purged.
8. Data sharing
We do not sell or rent personal data. We share data only with the platform APIs strictly required to perform the actions you request (posting a video to your TikTok account, for example, requires calling TikTok's Content Posting API). We also use the following service providers:
- Cloudflare — CDN, DNS, TLS termination.
- Sentry — error monitoring with redacted payloads.
- Neon — managed Postgres in production.
- Upstash — managed Redis for job queues.
- Cloudflare R2 — media storage.
Each provider processes data under their own privacy terms.
9. Third-party platforms
When you connect an account, you are also bound by the terms and privacy policies of that platform. We do not control their data practices. Their policies are available here:
10. Children
Our service is intended for operators managing their own business accounts and is not directed at children under 16. We do not knowingly collect data from children. If you believe a minor has submitted data through our service, contact us and we will delete it.
11. International transfers
Our infrastructure is hosted in the European Union (Hetzner, Germany) and the United States (Cloudflare, Neon). By using our service you consent to transfer of data to these jurisdictions. We rely on standard contractual clauses with our processors where applicable.
12. Changes to this policy
We will update this page whenever our practices materially change and will bump the "Last updated" date at the top. Significant changes will also be announced to operators with active connections via email.
13. Contact
Questions, access requests, or deletion requests:
Email: thuathoang.yt123@gmail.com
Web: digitalmedia24h.xyz/contact
This policy is available in English (this page) and summarised in Vietnamese at the top for convenience. In case of conflict, the English version prevails for the purposes of legal compliance and platform review.