AMBR

AMBR

Privacy Policy

This policy explains what AMBR collects, how we use and protect it, the data we read from the social accounts you connect, and how to delete your data.

Last updated May 31, 2026

Who we are

AMBR is a social content operating system that turns your brand's raw media into platform-native posts for Instagram, Facebook, TikTok, and YouTube Shorts. This policy applies to the AMBR web application and related services.

Information you provide

  • Account details — your email address and the workspace/brand information you enter (business name, website, tone preferences).
  • Media you upload — the photos and videos you add to your Vault, stored so AMBR can generate posts from them.

Data we read from connected social accounts

When you connect an Instagram, Facebook, TikTok, or YouTube account, you grant AMBR access through the platform's official OAuth flow. We read only what is needed to publish on your behalf and report back results:

  • Profile basics

    The connected account, page, or channel's ID, handle/username, display name, and avatar — so you can confirm you've connected the right account.

  • Content-publish permission

    Permission to publish posts, Reels, Stories, and Shorts on your behalf. AMBR only publishes content you have explicitly approved.

  • Post insights

    Aggregate performance metrics for posts AMBR published — views, reach, impressions, likes, comments, shares, saves, and watch time — used to score which of your source media performs best.

  • Access & refresh tokens

    OAuth tokens granted during connection, used only to publish approved content and fetch the insights above. Tokens are encrypted at rest in Supabase Vault and never exposed to the browser.

We do not read your direct messages, and we do not post anything you have not explicitly approved.

How we use your data

  • To generate, preview, and publish posts you approve.
  • To retrieve post insights and score which of your source media performs best.
  • To operate, secure, and improve the service.

We do not sell your personal data, and we do not use your private content to train third-party foundation models.

How your data is stored & secured

OAuth access and refresh tokens are encrypted at rest in Supabase Vault. Tokens are referenced only by an opaque identifier, are never stored in plaintext, and are never exposed to the browser — they are decrypted server-side only at the moment a publish or insights call is made. Your uploaded media and rendered outputs are stored in Cloudflare R2. All data is hosted in the United States, and access between accounts is isolated at the database level.

Sub-processors

We rely on the following service providers to operate AMBR. Each receives only the data needed for its function:

  • Supabase

    United States

    Database, authentication, and encrypted token storage (Vault).

  • Cloudflare R2

    United States

    Object storage for your uploaded media and rendered outputs.

  • Anthropic (Claude)

    United States

    AI generation of captions and editorial edit plans from your media and prompts.

  • Meta Platforms (Graph API)

    United States

    Publishing to Instagram & Facebook and retrieving post insights.

  • TikTok (Content Posting & Display APIs)

    United States

    Publishing to TikTok and retrieving post analytics.

  • Google (YouTube Data & Analytics APIs)

    United States

    Publishing YouTube Shorts and retrieving channel analytics.

Data retention

  • OAuth tokens: Deleted immediately when you disconnect an account, and within 30 days of an account-deletion request.
  • Uploaded media & generated posts: Retained while your workspace is active; deleted within 30 days of account deletion.
  • Analytics snapshots: Retained while your workspace is active; deleted within 30 days of account deletion.
  • Operational logs: Retained up to 90 days, then automatically purged.

Your rights

You can, at any time:

  • Access and export the data associated with your account.
  • Correct your brand and account information in-app.
  • Disconnect any social account — this immediately deletes its stored tokens.
  • Request deletion of your account and all associated data (see Data Deletion).

Deleting your data

You can delete your data yourself in-app, request deletion by email, or — for Instagram/Facebook — trigger deletion from your Facebook settings. Full instructions and timelines are on the Data Deletion page.

Changes to this policy

We may update this policy as the service evolves. Material changes will be reflected here with an updated “last updated” date.

Contact

Questions about privacy or your data? Email privacy@ambr.media.