Privacy Policy
Last updated: July 2, 2026
This policy explains what Vega collects, how we use it, and the choices you have. We write it in plain language because that's how trust works.
1. Who we are
Vega ("we", "us") operates the product available at vega.social. You can reach us at hello@vega.social.
2. What we collect
2.1 Account you create
- Email address, name, hashed password (scrypt, never in plain text).
- Preferences you set (locale, theme, workspace name).
2.2 Social accounts you connect
When you connect Instagram, Facebook, LinkedIn, X, or another platform:
- OAuth tokens (encrypted at rest with AES-256-GCM).
- Public profile data the platform returns: handle, display name, avatar URL.
- Aggregate metrics we snapshot: followers, reach, impressions, engagement rate, post counts.
- Posts you compose and send through Vega.
2.3 What we do NOT collect
- Private messages / DMs.
- Follower personal data beyond public handles.
- Political, religious, ethnic, health, or sexual-orientation attributes about you or anyone else.
- Payment information — Vega does not sell you AI credits.
2.4 AI provider keys
If you use AI features, your provider API key (for example, Anthropic) is encrypted at rest with AES-256-GCM. When you send a request, we decrypt in memory, call the provider, and forget the plain-text key. The model provider — not Vega — sees your prompts.
2.5 Technical logs
Standard web-server logs (IP, user agent, timestamp) for security and debugging. Kept 30 days.
3. How we use it
- Authenticate you and keep your session.
- Fetch metrics and publish content on your behalf, only to the accounts you connected.
- Generate AI insights using your own model key.
- Send transactional emails (account, security).
We do not sell your data. We do not use it to train models.
4. Signals, not verdicts
Every AI-produced insight in Vega is framed as a signal with a confidence level. We never present model output as fact, and we explicitly refuse requests that ask the model to infer sensitive attributes about people. See our principles page for the details.
5. Sharing with third parties
Vega uses these processors on your behalf:
- Social platforms (Instagram, Facebook, LinkedIn, X, TikTok, YouTube, etc.) — only when you connect them, and only within the permissions you granted.
- Your AI provider (Anthropic by default) — when you invoke AI features, using the key you provided.
- Hosting (our infrastructure) — for running the service.
We do not sell data, and we do not share it for advertising.
6. Retention
- Account data: kept while your account exists; deleted within 30 days of account deletion.
- OAuth tokens: kept until you disconnect the account or your account is deleted.
- Metric snapshots: kept as history for as long as your account exists (you can request deletion).
- Server logs: 30 days.
7. Your rights
Under GDPR/KVKK and similar frameworks you have the right to:
- Access — request a copy of the data we hold about you.
- Correct — fix anything inaccurate.
- Delete — ask us to erase your account and its data.
- Export — download your data in JSON.
- Withdraw consent — disconnect a social account or revoke AI at any time.
Email hello@vega.social and we'll act on any of these within 30 days.
8. Security
Passwords are hashed with scrypt. OAuth tokens and AI keys are encrypted at rest with AES-256-GCM using a key you generate at deploy time. Sessions are stored server-side with httpOnly cookies. HTTPS is required everywhere.
9. Children
Vega is not directed at children under 16. If you believe a child has provided data to us, contact us and we'll delete it.
10. Changes
We may update this policy. Material changes will be announced in-app and via email. The date at the top always reflects the current version.
11. Contact
Questions or requests: hello@vega.social.