Privacy Policy
Last updated: May 2, 2026
This Privacy Policy applies to the Epic Saaz platform and the Epic Saaz application (“Epic Saaz”, “we”, “us”, or “our”), operated by Epic Saaz. Epic Saaz is a social media automation application that integrates with third-party platforms, including Google, TikTok, Meta (Facebook, Instagram, WhatsApp Business), LinkedIn, and others, to help users publish and manage content.
1. Information we collect
We collect information you provide directly, including your name, email address, and any other details you submit through our forms or account registration. We also collect usage data automatically (pages visited, features used, execution counts). When you connect third-party accounts to Epic Saaz we collect OAuth access tokens, refresh tokens, and the profile data returned by the connection flow (such as account IDs, usernames, and display names) solely to enable automation features on your behalf. The full list of OAuth permissions we request, per service, is enumerated in Section 3 — Third-party integrations and OAuth scopes.
2. How we use your information
We use your information to provide and improve the Epic Saaz platform and the Epic Saaz application, send transactional emails, respond to support requests, and send marketing communications (only with your consent). Third-party account data (for example, TikTok or Meta tokens) is used exclusively to perform the automation actions you configure — we do not use it for advertising, train AI models on it, or share it with other parties. For the per-service breakdown of what data each scope permits and how we use it, see Section 3 below.
3. Third-party integrations and OAuth scopes
When you connect a third-party account, Epic Saaz requests only the OAuth permission scopes strictly required for the automation features the integration supports. We practice scope minimisation — for example, in April 2026 we deprecated the Google gmail.readonly scope because no shipped blueprint used it. The lists below are authoritative and kept in sync with the code that performs the actual authorization requests.
3.1 Primary integrations (review-sensitive providers)
The following integrations undergo formal review by the provider (Google OAuth verification, Meta App Review, TikTok Content Posting API review). Each is documented in full.
Google Workspace (Gmail, Drive, Sheets, Calendar)
Send email, read and write user-granted spreadsheets, create app-owned Drive files, and manage calendar events on the user's behalf when the user's workflow requires it.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| openid / email / profile | Identify the signed-in Google account (email, display name, avatar). | Display the connected account in the dashboard. |
| https://www.googleapis.com/auth/gmail.send | Send email messages from the user's Gmail account. | Deliver outbound email that the user's automation produces (for example, approval notifications or templated messages). We do not read, list, or access inbox content. |
| https://www.googleapis.com/auth/spreadsheets | Read and write Google Sheets. | Read configuration tables referenced by the user's automation, and write automation output rows to sheets the user has designated as destinations. |
| https://www.googleapis.com/auth/drive.file | Create, read, and modify only the Drive files that the application itself creates or that the user explicitly opens with the application. | Store generated media, documents, or logs in Drive when a workflow outputs to Drive. We cannot enumerate or access any file in the user's Drive that was not created by Epic Saaz. |
| https://www.googleapis.com/auth/calendar | Read and write events on the user's Google Calendar. | Create events, read availability, or update events when a workflow integrates with Calendar (for example, a booking-driven automation). |
What we do not do with your Google Workspace (Gmail, Drive, Sheets, Calendar) data:
- We do not request and have never requested the restricted gmail.readonly scope. Inbox message bodies, attachments, and metadata remain inaccessible to Epic Saaz.
- The drive.file scope is intentionally chosen over the broader drive scope so that files not created by Epic Saaz are never visible to the application.
- We do not use Google account data to build advertising profiles or resell it to third parties.
YouTube (separate Google OAuth consent)
Upload and manage videos on the user's YouTube channel when a workflow includes YouTube publishing.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| https://www.googleapis.com/auth/youtube.upload | Upload videos to the user's YouTube channel. | Publish video content that the user's automation produces (for example, the Social Media Queue Publisher blueprint). |
| https://www.googleapis.com/auth/youtube.readonly | Read channel metadata, upload status, and video information. | Confirm uploads have completed, surface upload status back to the dashboard, and display the connected channel name. |
| openid / email | Identify the YouTube channel owner. | Display the connected channel in the dashboard. |
What we do not do with your YouTube (separate Google OAuth consent) data:
- We do not access other videos on the channel beyond what is required to confirm the status of an upload initiated by Epic Saaz.
- We do not manipulate comments, subscribers, or monetisation settings.
TikTok (Content Posting API)
Publish or upload videos on the creator's behalf when a workflow includes TikTok publishing.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| user.info.basic | Read the creator's public profile (open_id, display name, avatar). | Display the connected creator in the dashboard. |
| video.upload | Upload videos to the creator's Inbox (drafts) on TikTok. | Demo Mode "Inbox Upload" path — the creator reviews the video on the TikTok mobile app before publishing manually. |
| video.publish | Publish videos directly to the creator's profile. | Direct Post path for fully automated scheduled publishing, with privacy, comment, duet, and stitch settings as configured by the creator. |
What we do not do with your TikTok (Content Posting API) data:
- We do not read, download, or otherwise access videos that exist on the creator's account outside of the videos we publish.
- We do not access direct messages, followers, analytics, or any surface beyond the upload and publish endpoints.
Facebook (Meta)
Publish posts, schedule posts, and read basic engagement data on Facebook Pages the user administers.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| public_profile | Identify the Facebook user account. | Basic login identity for the connection. |
| pages_show_list | List the Facebook Pages the user administers. | Let the user pick which Page a given automation will post to. We store only the Page IDs the user selects. |
| pages_read_engagement | Read engagement metrics on posts published to selected Pages. | Pull analytics (likes, comments, reach) into the dashboard reporting view for Pages the user has connected. |
| pages_manage_posts | Create, schedule, edit, and delete posts on selected Pages. | The "post to Facebook" action in automations (Queue Publisher, approval-driven publishers, etc.). |
What we do not do with your Facebook (Meta) data:
- We do not request access to user personal timelines, friends lists, messages, or photos outside of Pages the user has explicitly connected.
- We do not access ads accounts, audience data, or any audience-building surface.
- We do not post to Pages the user has not explicitly connected to a specific automation.
Instagram Business (Meta Business Login)
Publish Feed posts, Reels, and carousels to Instagram Business accounts the user has connected.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| instagram_business_basic | Read account metadata (Instagram Business Account ID, username, account type). | Identify the connected account in the dashboard. |
| instagram_business_content_publish | Publish Feed posts, Reels, and carousels on the connected account. | The "post to Instagram" action in automations (Reels Generator, Queue Publisher, scheduled posters). |
What we do not do with your Instagram Business (Meta Business Login) data:
- We do not access personal (non-Business) Instagram accounts via this connection.
- We do not read or moderate comments on the user's posts.
- We do not send or read Instagram Direct Messages.
- We do not use account data for audience profiling, lookalike audiences, or advertising.
WhatsApp Business (Meta Embedded Signup)
Send and receive WhatsApp messages via the Cloud API on the user's WhatsApp Business Account (WABA) for connected phone numbers.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| whatsapp_business_management | Manage the user's WhatsApp Business Account, including registering and reading phone numbers. | Register the phone number with Cloud API, associate the WABA with Epic Saaz, and read phone number status. |
| whatsapp_business_messaging | Send and receive WhatsApp messages via the Cloud API on the WABA. | The "send WhatsApp message" action in workflows, inbound-message-triggered automations, and approval-flow message delivery. |
| business_management | Read the user's Meta Business Portfolio to surface available WABAs during the Embedded Signup flow. | Required by Meta's Embedded Signup so the user can pick which WABA to connect. We do not use it to read or modify other Business Portfolio objects. |
What we do not do with your WhatsApp Business (Meta Embedded Signup) data:
- We do not access business assets other than the WABAs and phone numbers the user connects.
- We do not export contact lists, and we do not use message content to train AI models.
- Inbound message bodies are forwarded to the user-configured workflow and are not retained for analytics, advertising, or profiling.
3.2 Other supported integrations
The integrations below follow the same principles (scope minimisation, no AI-training use, no advertising use, encryption at rest) but are grouped in a condensed format because their scope lists are smaller and their provider review processes are less onerous.
LinkedIn
Publish posts to the connected member profile.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| openid | Basic OpenID identity. | Identify the connected LinkedIn member. |
| profile | Read basic member profile (name, headline). | Display the connected member in the dashboard. |
| email | Read the member's email address. | Display the connected member in the dashboard. |
| w_member_social | Create posts on the member's behalf. | Publish posts that the user's automation produces (for example, LinkedIn Blogger). |
X (formerly Twitter)
Read and publish posts on the connected account.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| tweet.read | Read tweets accessible to the authenticated user. | Pull tweet references or quote content into a workflow when the workflow requires it. |
| tweet.write | Publish tweets on the user's behalf. | The "post to X" action in automations. |
| users.read | Read the authenticated user's profile. | Display the connected handle in the dashboard. |
| offline.access | Refresh access tokens silently. | Keep the connection alive between scheduled automation runs without forcing re-authorization. |
Slack
Post messages, read channel lists and history, and manage files in the workspace the user has installed the app to.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| chat:write | Post messages to channels the app is added to. | Send messages generated by the user's automation (approval requests, notifications, output). |
| channels:read | List public channels in the workspace. | Let the user pick which channel a workflow will post to. |
| channels:history | Read message history in channels the app is in. | Workflows triggered by incoming Slack messages (inbound-message-triggered automations). |
| users:read | List workspace members. | Resolve user mentions in approval and notification messages. |
| files:write | Upload files to channels. | Deliver generated documents, images, or exports into Slack channels when a workflow outputs a file. |
HubSpot
Sync contacts and deals between Epic Saaz workflows and the user's HubSpot portal.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| crm.objects.contacts.read | Read contact records. | Pull contact data into workflows that reference HubSpot contacts. |
| crm.objects.contacts.write | Create and update contact records. | Write new leads or update contact fields when a workflow outputs to HubSpot. |
| crm.objects.deals.read | Read deal records. | Pull deal data into workflows that reference HubSpot deals. |
| crm.objects.deals.write | Create and update deal records. | Create or advance deals when a workflow outputs to HubSpot. |
Pinterest
Publish pins to the connected account's boards.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| boards:read | List the user's boards. | Let the user pick which board a pin will be published to. |
| pins:read | Read the user's pins. | Confirm pin publishing status and avoid duplicates. |
| pins:write | Create pins on the user's boards. | The "publish to Pinterest" action in automations. |
| user_accounts:read | Read the connected account's profile. | Display the connected account in the dashboard. |
Reddit
Read subreddits and submit posts from the connected account.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| identity | Read the connected account's username. | Display the connected account in the dashboard. |
| submit | Submit posts to subreddits the user has permission to post in. | The "post to Reddit" action in automations. |
| read | Read public posts and comments. | Pull reference content into workflows that operate on Reddit posts. |
ClickUp
Create and update tasks in the user's ClickUp workspaces.
| Scope | What it authorizes | How Epic Saaz uses it |
|---|---|---|
| (application-level permissions granted at connect time) | ClickUp's OAuth issues an access token with permissions defined at the app level in ClickUp's developer portal, not per-authorization scopes. | Read lists, spaces, and tasks referenced by the user's workflow; create or update tasks when a workflow outputs to ClickUp. |
3.3 Common commitments across all integrations
- OAuth access and refresh tokens are encrypted at rest with AES-256-GCM before being written to our database. The encryption key is held in environment configuration and is not accessible to other tenants.
- No OAuth-granted data (message content, calendar events, contacts, media, analytics, etc.) is used to train artificial-intelligence models, either ours or third-party models.
- No OAuth-granted data is shared with advertising networks, data brokers, or any third party outside the sub-processors strictly required to operate the platform (payment processing, transactional email delivery, cloud infrastructure). Sub-processors are bound by data-processing agreements and do not receive third-party access tokens.
- Tokens are refreshed automatically only while an automation that uses them is active. When a user disconnects a credential in the dashboard, or deletes their account, the associated encrypted tokens are irreversibly destroyed.
- Users may revoke authorization at any time from Dashboard → Credentials → Disconnect, or from the third-party provider's own account settings (for example, myaccount.google.com/permissions, facebook.com/settings?tab=business_tools, tiktok.com/setting/connected-apps).
4. Data sharing
We do not sell your personal data. We share data only with service providers strictly necessary to operate the platform (payment processing, transactional email delivery, cloud infrastructure). All providers are bound by data processing agreements. Third-party OAuth tokens are never shared with any sub-processor — they are used exclusively by Epic Saaz to execute the automation actions you configure.
5. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies for advertising purposes.
6. Data retention and token handling
We retain your account data for as long as your account is active. OAuth access and refresh tokens issued to Epic Saaz are encrypted at rest (AES-256-GCM) and are refreshed automatically only while an automation that uses them is active. When you disconnect a credential from Dashboard → Credentials, the associated encrypted tokens are irreversibly destroyed. You can request deletion of all your data at any time by contacting support@epicsaaz.ai. Upon verified request, account data is deleted within 30 days except where retention is required by law.
7. Your rights
You have the right to access, correct, or delete your personal data. To exercise these rights, contact us at support@epicsaaz.ai. Depending on your jurisdiction, you may also have the right to data portability and the right to restrict or object to certain processing.
8. Data deletion
You may request deletion of your personal data at any time. You can submit a deletion request in one of the following ways:
- From within the platform: go to Dashboard → Settings → Account and select Delete Account.
- By email: send a request to support@epicsaaz.ai with the subject line “Data Deletion Request” and include the email address associated with your account.
We will verify your identity and process the request within 30 days. Upon deletion:
- Your account, profile, and all associated personal data will be permanently deleted.
- All automation workflows, credentials (including encrypted third-party OAuth tokens), and files stored under your account will be removed.
- Active subscriptions will be cancelled immediately with no further charges.
Certain data may be retained beyond this period where required by law (e.g. billing records for tax compliance, fraud prevention records). Retained data is isolated and not used for any other purpose.
For full step-by-step instructions, see our Data Deletion Instructions page.
Meta user data deletion callback
If you revoke Epic Saaz from Facebook or Instagram via Meta's Privacy Settings → Apps and Websites, Meta sends an automated deletion request to our platform. We process it at POST /api/meta/data-deletion-callback, which:
- Verifies Meta's signed request using our per-app HMAC secret.
- Deallocates every stored Meta OAuth credential matching your Meta user ID (access and refresh tokens are marked invalid and are no longer used by any automation on the platform).
- Returns a confirmation URL and alphanumeric code to Meta, which is shown back to you so you can verify the deletion outcome.
- Completes within seconds, not days — there is no background queue.
Your confirmation URL is /data-deletion/status/<code>, which shows the timestamp of deletion, the number of credentials removed, and the status. This page is publicly viewable without an Epic Saaz account — the confirmation code itself is the access token.
The deletion is scoped to your Meta OAuth credentials. It does not cascade to other automations, files, or tenant-workspace data you may have on Epic Saaz beyond the Meta credential record itself. If you want a fuller Epic Saaz account deletion, use the primary path described above.
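The callback steps above can be illustrated in code. The following is an added example, not Epic Saaz's own implementation: it assumes Meta's documented `signed_request` layout (base64url signature, a dot, then a base64url JSON payload signed with HMAC-SHA256 under the app secret), and the secret, host name, function names and in-memory stores are hypothetical stand-ins.

```python
import base64
import hashlib
import hmac
import json
import secrets

APP_SECRET = b"constructed-app-secret"  # placeholder, not a real secret
STATUS_URL = "https://app.example/data-deletion/status/"  # assumed host


def _b64url_decode(text: str) -> bytes:
    # The signed_request parts carry no base64 padding; restore it first.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_signed_request(signed_request: str, app_secret: bytes) -> dict:
    """Return the payload only if its HMAC-SHA256 signature is valid."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed signed_request") from exc
    # The MAC covers the encoded payload string, so check it before parsing.
    expected = hmac.new(app_secret, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload, dict) or payload.get("algorithm") != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    if "user_id" not in payload:
        raise ValueError("missing user_id")
    return payload


def handle_deletion(signed_request: str, credentials: dict, receipts: dict) -> dict:
    """Remove one Meta user's credentials and return the response body for Meta."""
    payload = verify_signed_request(signed_request, APP_SECRET)
    removed = credentials.pop(str(payload["user_id"]), [])
    # The status page is public, so the code is its only guard: 128 random bits.
    code = secrets.token_hex(16)
    receipts[code] = {"removed": len(removed), "status": "completed"}
    return {"url": STATUS_URL + code, "confirmation_code": code}


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    # Builds a constructed sample in the same layout, for local testing only.
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    sig = hmac.new(app_secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).rstrip(b"=").decode() + "." + body.decode()
```

Because the confirmation code doubles as the access token for a public page, it comes from a cryptographic random source rather than from a counter or the Meta user ID.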
9. Contact
For privacy questions, contact us at support@epicsaaz.ai.