Data Controller
Emblue Africa, operating as Social Emblue AI, is the data controller for the Platform. We determine the purposes and means of processing personal data collected through Social Emblue AI.
This includes data from connected social media platforms such as Meta, X, TikTok, and other sources you authorize through the Platform.
What We Collect
Account Information
- Name and email address.
- Company, brand, and role information.
- Login credentials stored as hashed values, never in plaintext.
Social Media Account Data
- Connected account username, profile picture, and platform IDs.
- OAuth access tokens encrypted with AES-256-GCM before storage.
- Account, content, and performance metrics available through approved APIs.
Social Media Content Data
- Comments, replies, messages, mentions, and engagement metrics.
- Public conversations matching configured listening keywords.
- Commenter profile information used for audience intelligence and campaign eligibility.
Usage Data
- IP address, browser, device, and page activity.
- Actions taken inside the Platform.
- Error logs and security events.
How We Use Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Platform service | Account info and connected account data | Contract performance |
| AI-powered reply generation | Comment text, DM content, and brand tone settings | Contract performance |
| Social listening and keyword monitoring | Public social media posts matching configured keywords | Legitimate interest |
| Performance reporting | Engagement metrics and account insights | Contract performance |
| Audience intelligence | Public commenter profile data | Legitimate interest |
| Security and fraud prevention | Usage logs and IP addresses | Legitimate interest |
| Service communications | Email address | Contract performance |
| Legal compliance | Information required by law | Legal obligation |
Data Processors
We use trusted service providers to operate the Platform. They process data only for our instructions.
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic, PBC | AI processing using Claude models | Comment text, DM content, captions | United States |
| OpenAI, LLC | AI processing using GPT models | Comment text and sentiment classification | United States |
| Supabase, Inc. | Database hosting and authentication | Platform data, user accounts, encrypted tokens | United States |
| Railway Corp. | Backend infrastructure hosting | Application server traffic | United States |
| Resend, Inc. | Email delivery | Email address and report content | United States |
| Cloudinary Ltd. | Media storage | Creative images uploaded by brand clients | United States / Israel |
Data Retention
| Data Type | Retention Period |
|---|---|
| Account credentials | Until account deletion plus 30 days |
| OAuth access tokens | Until account disconnection; deleted immediately on disconnect |
| Social media engagement data | 12 months from collection |
| Performance reports | 24 months |
| Usage and access logs | 90 days |
| Billing records | 7 years where legally required |
Security
- OAuth tokens and sensitive credentials are encrypted at rest using AES-256-GCM.
- All production traffic uses HTTPS/TLS.
- Role-based access controls limit access by user role, brand, and tool permissions.
- Authentication uses Supabase Auth with JWT verification.
- Meta webhooks are verified with HMAC-SHA256 signatures where required.
- Production infrastructure is hosted with HTTPS-enabled providers.
No system can be guaranteed completely secure. If a breach affecting your personal data occurs, we will notify you and the relevant authorities as required by law.
Your Rights
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete data.
Right to Erasure
Ask us to delete your data unless a legal obligation requires retention.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests.
Right to Restriction
Ask us to restrict processing in certain circumstances.
To exercise your rights, contact privacy@emblue.africa. We aim to respond within 30 days.
International Transfers
Social Emblue AI is operated from Nigeria. Some service providers, including Anthropic, OpenAI, Supabase, Railway, and Resend, may process data in the United States or other countries.
Where data is transferred from the EEA, UK, or another jurisdiction with transfer requirements, we rely on appropriate safeguards such as standard contractual clauses or other approved mechanisms.
Children
Social Emblue AI is a business platform and is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us at privacy@emblue.africa.
NDPR Compliance
We comply with the Nigeria Data Protection Regulation 2019 and the Nigeria Data Protection Act 2023.
- We collect the minimum data necessary for the Platform.
- We process personal data lawfully, fairly, and transparently.
- We store data securely and restrict access.
- We use safeguards for transfers outside Nigeria.
- We maintain processing records and privacy contacts.
Nigerian users may contact the Nigeria Data Protection Commission at ndpc.gov.ng.
Changes
We may update this Privacy Policy from time to time. If material changes are made, we will notify users by email or through the Platform and update the date at the top of this page.
Contact
Data Protection Officer - Emblue Africa
Operating as Social Emblue AI
Privacy enquiries: privacy@emblue.africa
General contact: hello@emblue.africa
Lagos, Federal Republic of Nigeria
We aim to respond to privacy requests within 30 days.
Social Media Platform Data
Social Emblue AI accesses data from Meta, X Corp, and TikTok through official APIs and OAuth authorization. Data from those services is also governed by each platform's own privacy policy and developer terms.
Meta: Instagram and Facebook
X / Twitter
TikTok