Privacy Policy

Agent CM — Last updated: 30 April 2026

1. Introduction

This Privacy Policy explains how Agent CM (“we”, “us”) collects, uses, stores, and protects personal data when you use our internal content management tool. Agent CM is operated by L'École de Soi and used exclusively by authorized team members. We comply with the EU General Data Protection Regulation (GDPR).

2. Data We Collect

2.1 Account data

  • Email address (used as login identifier)
  • Hashed password (bcrypt, cost factor 12 — we never store plaintext)
  • Display name and role within the workspace

2.2 Third-party platform tokens

When you connect a TikTok, Instagram, YouTube, Facebook, or Canva account, we receive and store:

  • OAuth access_token and refresh_token (encrypted at rest using AES-256-GCM)
  • Token expiration timestamps
  • Public profile information returned by the platform: user ID, display name, avatar URL

We do not store your platform passwords. Authentication goes through each platform's official OAuth flow.

2.3 Content data

  • Video files you upload (stored on our private server filesystem)
  • Transcripts, captions, hashtags, and metadata generated from your videos
  • Publication history and platform post IDs

2.4 Technical data

  • IP address (for rate limiting and security; ban entries are kept up to 1 hour in memory)
  • Server logs (HTTP requests, errors) — retained for up to 30 days
  • One authentication cookie (JWT) — set after login, no third-party trackers

3. How We Use Your Data

  • Authenticate you and authorize access to the workspace
  • Process your videos through our automation pipeline (transcription, captioning, rendering)
  • Publish content on your behalf to the platforms you have connected, with parameters you control
  • Detect and block automated abuse (rate limiting, IP banning)
  • Maintain operational logs for debugging and security audit

4. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Third-party platforms you have connected: when you publish a video, the file and metadata are sent to the corresponding platform's API (TikTok, Meta, Google, Canva).
  • LLM providers used for content generation: video transcripts and short text snippets may be sent to OpenAI, Anthropic, Google, or OpenRouter for caption and hashtag generation. No authentication data or platform tokens are ever sent to these providers.
  • Speech-to-text provider (Speechmatics): audio extracted from your videos is sent for transcription only.

5. Data Storage & Security

  • Hosted on a private server in Germany (Hetzner GmbH)
  • PostgreSQL database with restricted local-only access
  • OAuth tokens encrypted at rest (AES-256-GCM) before being stored
  • HTTPS enforced for all external traffic, via Tailscale edge nodes
  • Application-level rate limiting and IP banning to prevent brute-force attacks
  • Authentication via JWT cookies (HTTP-only, signed with a private secret)

6. Data Retention

  • Account data: retained as long as your account is active
  • Platform tokens: deleted immediately when you disconnect the corresponding account
  • Video files and transcripts: retained until you delete them from your library
  • Server logs: rotated and purged after 30 days

7. Your Rights (GDPR)

As a data subject under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request rectification or erasure of your data
  • Withdraw consent for any processing at any time
  • Disconnect any third-party platform (immediately deletes tokens)
  • Export your data in a machine-readable format
  • Lodge a complaint with the CNIL (French data protection authority)

To exercise any of these rights, contact us at contact@ecoledesoi.fr.

8. Cookies

Agent CM uses a single technical cookie (auth_token), strictly necessary to keep you logged in. No analytics, no advertising, no third-party trackers.

9. Children

Agent CM is a B2B tool for internal use and is not directed at or intended to be used by children under 16.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision.

11. Contact

Data Controller: L'École de Soi.
Email: contact@ecoledesoi.fr