API Privacy Addendum

1. How this policy fits

This API Privacy Addendum supplements our Privacy Policy (GDPR Notice). It focuses on data received through social platform APIs, including Meta / Instagram / Facebook, Google / YouTube, TikTok and Twitch. If a topic is not covered here, the main Privacy Policy applies. If this addendum and the main Privacy Policy conflict for platform API data, this addendum controls for that API data.

2. API data we access

• Account identifiers, profile information, connected pages or channels, scopes, permissions and revocable access tokens.
• Social content and metadata such as posts, videos, livestream metadata, captions, thumbnails, URLs, comments, engagement metrics, impressions, reach, demographics and analytics made available by the relevant platform. Audience demographics are processed only in aggregated form where the platform provides them and are not used to identify individual audience members.
• Campaign-related outputs such as tracked content, livestream mentions, transcripts, AI-assisted clip evaluations, review status and reports when those features are enabled.

3. How we use API data

• To authenticate accounts and provide dashboards and reports.
• To track campaign deliverables, links, livestream mentions, clips and creator-approved media.
• To let creators approve, remove or revoke access to shared campaign data.
• To monitor security, troubleshoot errors, maintain API reliability and improve product functionality using service diagnostics and aggregated usage patterns. We do not use platform API data to train general-purpose AI models or to build advertising profiles.

We do not sell API data and do not use Google, YouTube, TikTok, Meta or Twitch user data for advertising.

The legal bases are described in section 3 of our main Privacy Policy. In short, we process API data to perform the requested service (Art. 6(1)(b) GDPR), based on creator or platform authorization where applicable (Art. 6(1)(a) GDPR), for security, fraud prevention, diagnostics and limited B2B communications (Art. 6(1)(f) GDPR), and where needed for legal obligations (Art. 6(1)(c) GDPR).

4. Sharing API data

We share API data only as needed to provide the service: with a team or campaign when a creator authorizes access, with service providers listed on our sub-processors page, with the relevant platform provider, or where required by law. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Platform-specific notices

• YouTube / Google: Features that rely on YouTube API Services are subject to the YouTube Terms of Service and the Google Privacy Policy. You can revoke Shinra Metrics access via Google security settings.
• Meta / Instagram / Facebook:Facebook Login and Graph API access can be revoked in Facebook settings. We also expose Meta's data deletion callback at https://www.shinra-metrics.com/api/meta/data-deletion and a deletion status page at https://www.shinra-metrics.com/data-deletion-status. Meta receives a status URL with a confirmation code when a platform-required deletion request is processed.
• TikTok:TikTok API access is used only for the features you request, such as creator analytics, campaign tracking and content metadata. You can revoke app access in TikTok's app permission settings. TikTok's own processing is described in the TikTok Privacy Policy. For TikTok-specific deletion requests, disconnect the TikTok account in Shinra Metrics or contact us at info@ciberdime.com; we will revoke stored tokens and delete or anonymize related account-level data according to this addendum and the main Privacy Policy.
• Twitch: Twitch API access is used for requested Twitch features such as livestream tracking, channel analytics, campaign mentions and clips. You can disconnect Shinra Metrics in Twitch connection settings. Twitch's own processing is described in the Twitch Privacy Notice.

6. Retention and deletion

Disconnecting an account stops future API access and revokes or deletes stored tokens. Account-level data is deleted or anonymized within 30 days unless retention is required for legal obligations, security, billing, dispute resolution or reporting integrity. Historical campaign reports and aggregated analytics may be retained where needed and, where feasible, anonymized or aggregated. More detailed retention periods for logs, billing records, campaign analytics and website analytics are listed in section 6 of our main Privacy Policy.

7. Contact and rights

To exercise privacy rights or request deletion, contact info@ciberdime.com. More detail on GDPR rights, legal bases, cookies, transfers and security is available in our main Privacy Policy.

8. Updates to this addendum

We update the “Last updated” date when API-related privacy terms change. Material API privacy changes will be communicated through the website, platform or email where appropriate, especially where a platform review or user-facing permission change requires clearer notice.