Privacy Policy

Last updated: April 9, 2026

The Shepherd ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered social media growth platform (the "Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, password, and optionally your profile picture. If you sign up through a third-party authentication provider, we receive basic profile information from that provider.

1.2 Platform Connections

When you connect social media platforms to The Shepherd, we collect OAuth tokens, platform user IDs, profile information, follower counts, engagement metrics, and content performance data from those platforms. We only request the minimum permissions necessary to provide our services.

1.3 Usage Data

We automatically collect information about how you interact with the Service, including pages viewed, features used, content generated, scheduling actions, and time spent on various sections. This includes device information, browser type, IP address, and general location data.

1.4 AI Interactions

When you use our AI coaching and content generation features, we collect the prompts you provide, the content generated, your feedback on suggestions, and any customizations you make. This data helps us improve the quality and relevance of AI-generated recommendations.

1.5 Payment Information

If you subscribe to a paid plan, payment processing is handled by our third-party payment processor. We do not store your full credit card number, but we may retain the last four digits and expiration date for identification purposes.

2. How We Use Your Data

2.1 Personalization

We use your platform data and usage patterns to provide personalized growth strategies, content suggestions, optimal posting times, and audience insights tailored to your specific goals and audience.

2.2 Analytics

Your connected platform data is used to generate analytics dashboards, track growth trends, benchmark performance, and identify opportunities for audience engagement.

2.3 Content Generation

Your brand voice, past content performance, and platform-specific data are used to generate AI-powered content suggestions, captions, scripts, and strategies that align with your style and objectives.

2.4 Service Improvement

We use aggregated, de-identified usage data to improve our algorithms, develop new features, and enhance the overall Service experience.

3. Third-Party Services

We work with the following categories of third-party service providers:

Supabase— Database hosting, authentication, and file storage. Your data is stored in Supabase-managed infrastructure with row-level security (RLS) enabled.
Anthropic— AI model provider powering our content generation and coaching features. Prompts and context are sent to Anthropic's API for processing. Anthropic does not use your data to train their models.
Social Media Platform APIs— We connect to platform APIs (Instagram, TikTok, YouTube, LinkedIn, Twitter/X, and others) using OAuth tokens to retrieve your analytics and post content on your behalf.
Payment Processors— Subscription billing is handled by third-party payment processors that comply with PCI-DSS standards.
Analytics Providers— We may use privacy-focused analytics tools to understand how users interact with our Service.

4. Data Storage and Security

We implement industry-standard security measures to protect your data:

All OAuth tokens and sensitive credentials are encrypted at rest and in transit.
Row-level security (RLS) policies ensure that users can only access their own data.
All data transfers use TLS 1.2 or higher encryption.
We conduct regular security reviews and follow secure development practices.
Access to production data is restricted to authorized personnel only.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the Service. Analytics data may be retained in aggregated, de-identified form for longer periods. When you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it.

6. Your Rights

6.1 Access

You have the right to request a copy of the personal data we hold about you. You can access most of your data directly through your account settings.

6.2 Correction

You can update your account information at any time through the Service. If you need to correct other data, please contact us.

6.3 Deletion

You can delete your account at any time. This will remove your personal data, connected platform tokens, and generated content. Some data may persist in backups for a limited period.

6.4 Portability

You have the right to receive your data in a structured, commonly used, machine-readable format. You can export your analytics data and generated content through the Service.

6.5 Objection and Restriction

You can object to certain types of processing or request that we restrict how we use your data. This may limit the functionality of the Service available to you.

7. GDPR Compliance (European Economic Area)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing: We process your data based on (a) your consent, (b) the necessity to perform our contract with you, (c) our legitimate interests in operating and improving the Service, and (d) compliance with legal obligations.
Data Transfers: Your data may be transferred to and processed in countries outside the EEA. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses, to protect your data.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.
Data Protection Officer: For GDPR-related inquiries, please contact us using the information in the Contact section below.

8. CCPA Compliance (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

Right to Know: You can request details about the categories and specific pieces of personal information we have collected about you.
Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out: We do not sell your personal information. If this changes, we will provide a clear opt-out mechanism.
Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, please contact us using the information below.

9. Cookie Policy

We use cookies and similar technologies to operate and improve the Service:

Essential Cookies: Required for authentication, security, and core functionality. These cannot be disabled.
Functional Cookies: Remember your preferences, such as theme settings and dashboard layout.
Analytics Cookies: Help us understand how the Service is used so we can improve it. These can be disabled in your browser settings.

We do not use advertising or tracking cookies. You can manage your cookie preferences through your browser settings.

10. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending you an email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@theshepherd.app
Address: [Your Business Address]