Privacy Policy

Last updated: March 17, 2026

1. What We Collect

On Special collects the following categories of data when you use the service:

  • Account data: Email address, name, and authentication tokens from Google OAuth.
  • Venue data: Venue name, type, timezone, and social media handles you provide during onboarding.
  • Social access tokens: OAuth access tokens from Meta (Instagram/Facebook) to post on your behalf. These are encrypted at rest using AES-256 and never shared with third parties.
  • Specials data: The specials you enter (text, price, timing) to generate captions.
  • Post data: The captions generated, post schedules, and performance data returned by Meta's API (likes, reach).
  • Payment data: Billing is handled entirely by Stripe. We store only your Stripe Customer ID — never card numbers.

2. How We Use Your Data

  • To generate AI captions using OpenAI GPT-4o (your special text is sent to OpenAI for processing)
  • To post content to your social media accounts via Meta Graph API
  • To display analytics from your posts
  • To send product updates and account notifications (you can opt out)
  • We do NOT sell your data, train AI models on your content, or share your information with third parties outside of OpenAI (processing) and Stripe (billing)

3. Meta API Compliance

On Special connects to Meta's Graph API to post on Instagram and Facebook. By connecting your Meta accounts, you authorize On Special to post content on your behalf. We comply with Meta's Platform Terms and Developer Policies. You can revoke access at any time from your Meta account settings or from your On Special Settings page.

4. Data Retention

We retain your account data for as long as your account is active. Post history and analytics are retained for 12 months. Upon account deletion, your data is purged within 30 days except where required by law.

5. Security

OAuth tokens are encrypted at rest using AES-256. All data is transmitted over HTTPS. We conduct regular security reviews and promptly address vulnerabilities.

6. Your Rights

Under GDPR and CCPA, you have the right to access, correct, or delete your personal data. Contact us at privacy@onspecial.co to exercise these rights. We respond within 30 days.

7. Contact

ChimeStream B.V. · Rotterdam, Netherlands · privacy@onspecial.co