Privacy Policy

Product: SM Connector
Company: Naton Lab Limited
Effective Date: 2025-10-03
Contact: lab@naton.io

This Privacy Policy explains how Naton Lab Limited (“we”, “us”, “our”) collects, uses, and protects information when you use SM Connector and when you connect your Facebook Page or other social media accounts to our service. By using SM Connector, you agree to the practices described here.


1) What We Collect

1.1 Account & Authentication Data

- Facebook App ID (on our side only), Page IDs, Page names, connected Facebook user IDs.
- Access tokens / long-lived tokens issued by Facebook to enable posting and comment management (encrypted at rest).
- OAuth metadata (scopes, expiry, refresh/rotation details).

1.2 Content & Operational Data

- Post data you create via SM Connector (text, links, referenced media IDs in our storage).
- Comment/mention snapshots and related event payloads received from Facebook webhooks (e.g., comment text, author name/id, timestamps, post/comment IDs, action verbs such as add/remove).
- Job & audit logs for reliability and security (publish status, errors, timestamps, performing user/tenant ID).

1.3 Technical Data

- IP address, user-agent, device/browser metadata, and application logs for security, debugging, and abuse prevention.
- Minimal cookies for session management and settings (see §8).

We do not collect your Facebook password. We do not access private messages unless you explicitly enable scopes that allow it.


2) How We Use Information

- Core features: Publish and schedule posts; fetch, display, and moderate comments; process Facebook webhook updates.
- Security & integrity: Authenticate users, encrypt tokens, enforce least privilege, detect abuse, prevent spam/fraud.
- Reliability: Queue jobs, perform retries/backoff, maintain audit logs, and measure system performance.
- Support & improvement: Troubleshoot issues, analyze aggregated usage to improve functionality.

We do not sell personal information. We do not use Facebook data for advertising outside of delivering SM Connector’s features.


3) Legal Bases (where applicable)

- Contractual necessity: To provide the service you requested (posting, comment management).
- Legitimate interests: Security, fraud prevention, service reliability, and product improvement (balanced against your rights).
- Consent: Where required for optional features or specific jurisdictions.


4) Data Sharing & Subprocessors

We share data only as needed to operate SM Connector, comply with law, or protect rights.

- Service providers (subprocessors): cloud infrastructure, logging/monitoring, database, object storage (e.g., S3-compatible storage), job queues, and email delivery. These providers process data under contract and only on our instructions.
- Legal compliance: If required by law, regulation, or legal process.
- Business transfers: If we undergo a merger, acquisition, or asset sale, we will continue to protect personal data and notify you of changes where required.

A current list of core infrastructure categories:

- Compute & hosting; Database (MongoDB or equivalent); In-memory queue (Redis/BullMQ); Object storage (S3-compatible); Log processing.
(If you need a named list for vendor due diligence, contact lab@naton.io.)


5) Retention

- Operational data & caches: Kept only as long as necessary to deliver the service or as requested by your tenant administrators.
- Backups & logs: Rotated on a rolling basis; personal data within backups is purged within 90 days after a confirmed deletion event (see §7).
- Legal holds: We may retain minimal records where required by law or to establish/defend legal claims.


6) Your Choices & Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or export your data, and to object to or restrict certain processing.

- Facebook data deletion / deauthorization: You can remove the app or send a data deletion request via Facebook (see §7).
- In-app controls: Tenant admins can disconnect Pages or delete the entire tenant’s data.
- Contact us: Email lab@naton.io to exercise rights or ask questions. We may need to verify your identity and authority (especially for Page/tenant-level requests).

We will respond consistent with applicable laws (e.g., GDPR/UK GDPR, CCPA/CPRA, etc.).


7) Facebook Data Deletion & Deauthorization

We comply with Meta’s data-deletion requirements:

- Via Facebook: Go to Facebook → Settings & Privacy → Settings → Apps and Websites, find “SM Connector”, then Remove or Send Data Deletion Request. Facebook will call our deletion/deauthorize endpoints, and we will begin deletion tied to your Facebook user/page authorization. We provide a confirmation code and status URL as required.
- Via SM Connector: Tenant admins can disconnect Pages or delete the tenant, which removes tokens, mappings, and cached Facebook data within our systems.
- What we delete: App authorization records, tokens, page mappings, cached comment/post snapshots, and related operational data—subject to minimal security/legal logs.
- On-Facebook content: Posts/comments that live on Facebook must be deleted using Facebook’s tools; our system will reflect those changes via webhooks and purge caches.

For detailed steps, see our User Data Deletion Policy.


8) Cookies & Similar Technologies

- Essential cookies: For authentication and session continuity.
- Preference/functional cookies: To remember UI settings.
- No third-party advertising cookies are used by SM Connector.
Browser controls may allow you to block cookies; essential cookies are required for login-protected areas.


9) Children’s Privacy

SM Connector is intended for business use and is not directed to children under 13 (or the age of digital consent in your jurisdiction). We do not knowingly collect information from children. If you believe a child has provided data, contact lab@naton.io.


10) Security

We implement reasonable technical and organizational measures to protect information, including:

- Encryption: Access tokens and sensitive fields encrypted at rest; TLS in transit.
- Least privilege & access control: Role-based access; credentials rotation; audit logging.
- Webhook integrity: Signature verification and constant-time comparison; idempotent processing; rate-limit/backoff handling.
- Monitoring: Job/queue metrics, anomaly detection, and incident response procedures.

No system can be 100% secure; we will notify you of material incidents as required by law.


11) International Transfers

Information may be processed and stored in data centers outside your country. Where required, we implement appropriate safeguards (e.g., standard contractual clauses) to protect personal data during cross-border transfers.


12) Controller/Processor Roles

- For tenant workspace data (your organization’s content and configuration), we generally act as a processor; your organization is the controller and determines what data to connect/store.
- For account, billing, and site operations data, we act as a controller.


13) Do Not Track

Some browsers offer “Do Not Track” (DNT). SM Connector does not currently respond to DNT signals. We limit tracking to what’s necessary for core functionality and security as described above.


14) Third-Party Links

SM Connector and our documentation may link to third-party sites. Their privacy practices are governed by their own policies. Please review those policies before sharing data with them.


15) Changes to This Policy

We may update this Policy to reflect changes in our practices, technology, or legal requirements. We will update the Effective Date and, where appropriate, notify tenant admins in-app or by email.


16) Contact

If you have questions or requests about privacy, data protection, or this Policy, contact:

Naton Lab Limited
Email: lab@naton.io


Appendix A — Facebook-Specific Notes

- Permissions & scope: We request only the permissions required to provide posting and comment-management features (e.g., pages_manage_metadata, pages_read_engagement, pages_manage_posts, pages_manage_engagement).
- Development vs. Live mode: In Development mode, only app roles (admin/developer/tester) can trigger events; Live mode may require Meta App Review for certain permissions.
- Revocation: Removing the app or revoking permissions on Facebook prevents further access and triggers deletion workflows in our systems.


© 2025 Naton Lab Limited. All rights reserved.