Privacy Policy

Last updated: April 13, 2026

SocialEngine ("SocialEngine," "we," "us," or "our") is a social media and marketing platform built for self-storage operators. This Privacy Policy describes what information we collect, how we use it, who we share it with, and what rights you have over it. By using SocialEngine, you agree to the practices described below.

SocialEngine is operated by Andre Kalkreuter as a California sole proprietorship. Questions about this policy can be sent to support@storagestack.co.

1. What data we collect

Account and profile data

When you sign up for SocialEngine, we collect your name, email address, password hash, company name, and the facilities you manage. We also collect billing information (handled by Stripe — we never see full card numbers).

Content you create

Posts, captions, images, campaign configurations, brand settings, and any other content you create inside SocialEngine are stored on your behalf.

Data you connect from third parties

When you connect a Meta Business Manager, Google account, or other third party, we receive whatever that integration requires — Page IDs, Ad Account IDs, access tokens, performance metrics, and (for Lead Ads) the contact information of prospects who fill out your lead forms.

Usage data

We log standard technical information when you use the product: IP address, browser type, pages visited, and timestamps. This is used to operate the service and diagnose problems.

2. Facebook and Instagram Lead Ads

If you enable the Ads module in SocialEngine, we use your authorization with Meta (Facebook and Instagram) to create and manage Lead Generation campaigns on your behalf and to receive the leads they produce. The data we handle as part of this feature, and how we handle it, is described below.

What we create and manage

When you launch a campaign from the Ads tab, we call the Meta Marketing API to create an Ad Campaign, an Ad Set, and one or more Ads attached to the Facebook Page you previously assigned to that facility. We use the permissions ads_management and pages_manage_ads for this. We do not create any campaigns or ads without an explicit click from an authenticated user inside SocialEngine.

What we read

We read aggregate daily performance metrics (spend, impressions, clicks, leads, cost-per-lead) for the campaigns we created, so we can show you which campaigns are hitting your target cost-per-lead. We use the permission ads_read for this. We do not read any campaigns we did not create.

Leads we receive

When a prospective customer fills out a Lead Form on one of your Facebook or Instagram Lead Ads, Meta sends us a webhook containing the lead's identifier. We use the permission leads_retrieval to fetch the lead's form-submitted fields (typically name, phone number, email address, and the unit size they are interested in) from the Meta Graph API. We store this lead in your tenant's private database with Row-Level Security so that no other SocialEngine customer can read it. We deliver the lead to your Lead Inbox in SocialEngine within 30 seconds of Meta sending it, so your team can contact the prospect while their interest is fresh.

Where this data lives

All Meta-sourced data — access tokens, campaign configurations, leads, and performance insights — is stored in Supabase (PostgreSQL), encrypted at rest. Access tokens never leave the SocialEngine server. We do not sell, rent, or share this data with any third party. We do not use it to train machine-learning models.

How long we keep it

We keep lead records indefinitely so that you can measure long-term conversion (self-storage renters often sign a unit 7–30 days after first submitting a form). You can delete individual leads at any time from your Lead Inbox, or export and wipe all of your data from Settings → Data → Export & Delete.

Deletion on request

You can request full deletion of your Meta-sourced data at any time by visiting the Facebook App settings screen and clicking "Remove SocialEngine," or by emailing support@storagestack.co. Facebook's Remove App flow sends us a signed deletion request, which we confirm via a confirmation page at https://socialengine.pro/api/meta/deletion/status?id=<code>. We complete the cascade delete within 30 days.

Disconnecting Meta

You can disconnect SocialEngine from your Meta Business Manager at any time from Settings → Meta Connection → Disconnect. This revokes our access tokens immediately. Disconnecting does not delete existing lead records — to also delete them, use the export-and-wipe flow in Settings → Data.

3. How we use your data

We do not sell your data. We do not use your content, leads, or analytics to train machine-learning models. We do not share your data with advertisers.

4. Third-party services we share data with

We use the following third-party processors to operate the service. Each receives only the minimum data needed for its role:

We send campaign configurations and ad creative to Meta in order to create and run the ads you configure. We do not share our customers' contact data with Meta beyond what the Meta APIs themselves require.

5. International data transfers

SocialEngine is operated from the United States and stores data in US-based infrastructure. If you access the service from outside the US, your data will be transferred to, stored in, and processed in the US. Some third-party processors (e.g., Meta) may transit data through other jurisdictions as part of their own operations.

6. Data security

We encrypt data in transit (TLS) and at rest (Supabase-managed encryption). Access tokens and API keys are stored server-side only and never exposed to the browser. Tenant data is isolated by Row-Level Security policies enforced at the database layer. Webhook payloads from Meta are verified using HMAC-SHA256 signatures before processing.

7. Your rights

You can access, correct, export, or delete your data at any time from Settings → Data in the SocialEngine dashboard, or by emailing support@storagestack.co. California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect and the right to request deletion. We honor these requests regardless of your state of residence.

8. Children's data

SocialEngine is a B2B tool for self-storage operators and is not directed to individuals under 18. We do not knowingly collect personal information from anyone under 18. Facebook and Instagram Lead Ads created through SocialEngine target adults only.

9. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, notify active users by email.

10. Contact

SocialEngine
Operated by Andre Kalkreuter (California sole proprietorship)
Email: support@storagestack.co