Privacy Policy

01 Overview

Crag Studio LLC ("we," "us," or "our") operates Reel Stack, a web application for TikTok and YouTube content management that runs in your browser. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

02 Information We Collect

Stored Locally on Your Device

The following data stays in the folders on your device that you grant the App access to, and is never uploaded to our servers:

• Video files in the folders you select
• Captions, hashtags, titles, and other content metadata (written to local .md files alongside your videos)
• Draft and scheduled post data

Stored in Your Account Workspace

When you sign in and connect a TikTok or YouTube account, the following is stored in our managed cloud database (Google Firebase Firestore), encrypted in transit and at rest and scoped to your authenticated account so that no other user can access it:

• Your Reel Stack account identifier and sign-in details, managed by Firebase Authentication
• TikTok and YouTube account profile information (display name, username or channel name, avatar) fetched at login
• TikTok and YouTube (Google) access tokens and refresh tokens

Transmitted Through Our Services

When you connect a TikTok account or a YouTube channel, the App sends the OAuth authorization code to our Firebase Cloud Function, which exchanges it for access tokens using our TikTok or Google app credentials. Those tokens are then stored in your account workspace as described above so the App can publish on your behalf and refresh access without requiring you to sign in to TikTok or Google again.

Collected Automatically

If you have opted in to analytics, we may collect anonymous usage data such as feature usage frequency and crash reports. This data does not include your content, account credentials, or personally identifiable information. You can opt out at any time in App settings.

Subscription and Payment

Payment processing is handled by a third-party payment processor. We do not store your credit card or payment details. We retain records of your subscription status and associated email address for account management purposes.

03 How We Use Your Information

We use the limited information we collect to:

• Facilitate the TikTok and YouTube OAuth account connection process
• Manage your subscription and provide customer support
• Improve the App through anonymous analytics (if opted in)
• Send important service notifications (security updates, Terms changes, billing issues)

04 TikTok & YouTube Integrations

When you connect a TikTok account, the App uses TikTok's official Login Kit (OAuth 2.0 PKCE) to authenticate. When you connect a YouTube channel, the App uses Google's OAuth 2.0 and the YouTube Data API. For both platforms, the following applies:

• We request only the permissions necessary for the App's functionality: profile/channel information, video upload, and video list
• Your TikTok or Google credentials (username and password) are never seen or stored by us — authentication happens directly on TikTok's or Google's servers
• Access and refresh tokens are stored in our managed database (Google Firebase Firestore), encrypted in transit and at rest and protected by security rules that restrict access to your authenticated account alone — they are never exposed to other users
• You can revoke the App's access at any time by disconnecting the account in the App (which deletes the stored tokens), through TikTok's connected apps settings, or — for YouTube — through your Google Account permissions and security settings

Our use of TikTok APIs is subject to TikTok's API Terms of Service; for information on how TikTok handles your data, refer to TikTok's Privacy Policy. The App's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Your use of the YouTube features is also governed by the YouTube Terms of Service and the Google Privacy Policy.

05 Data Storage and Security

Your videos, captions, and drafts remain in folders on your device and are never uploaded to us. Your TikTok and YouTube connection tokens, the associated profile information, and your account details are stored in our Firebase infrastructure, encrypted in transit (TLS) and at rest, and access-controlled to your authenticated account. Firebase secrets are managed through Google Cloud Secret Manager.

You are responsible for the security of your devices and your Reel Stack account. We recommend:

• Keeping your browser and operating system updated
• Using a strong, unique password for your Reel Stack account and keeping it confidential
• Signing out on shared or public computers

06 Data Retention

Your videos and drafts remain in your local folders until you delete them — retention of that content is entirely under your control. Connected-account data (TikTok and YouTube tokens and profile information) is retained in your account workspace until you disconnect the account or delete your Reel Stack account, at which point it is deleted. Your subscription account data is retained while your account is active and for up to 90 days after cancellation for support and billing purposes.

07 Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Correction: request correction of inaccurate data
• Deletion: request deletion of your account and associated data
• Portability: request your data in a machine-readable format
• Objection: object to certain types of processing

To exercise any of these rights, contact us at support@crag.studio. We will respond within 30 days. For users in the European Economic Area (EEA) or UK, we process your data on the basis of contract performance and legitimate interests.

08 Children's Privacy

Reel Stack is not intended for use by individuals under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

09 International Data Transfers

Our Firebase infrastructure is hosted in the United States. If you are located outside the United States, the account data we store and process on your behalf (authentication, TikTok and YouTube OAuth token exchange and storage, and subscription management) is transferred to and processed in the United States. By using the App, you consent to this transfer.

10 Third-Party Services

The App integrates with the following third-party services:

• TikTok API (ByteDance Ltd.) — for account authentication and content publishing
• YouTube Data API and Google OAuth (Google LLC) — for YouTube channel authentication and video publishing
• Firebase (Google LLC) — for authentication, secure token exchange and storage, and subscription management

Each of these services has its own privacy policy. We are not responsible for the privacy practices of third-party services.

11 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App or by email. The effective date at the top of this document reflects the most recent update.

12 Contact

For privacy questions, requests, or concerns, contact us at: