Privacy Policy for Grapjes Maker

1. Who We Are

Grapjes Maker ("we", "us", or "our") is a personal, locally-run AI-powered web application that generates short comedy videos and allows users to publish them directly to TikTok, YouTube, and Instagram. The application runs locally on the user's own machine for personal use.

Video generation runs locally on the device; OAuth authentication and video publishing require secure server communication with platform APIs. The App is operated under Dutch law. If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact our Privacy Team at contacts@grapjesmaker.com (subject line: Privacy Request).

This application uses TikTok API services. When you connect your TikTok account, your data is transmitted to and processed by TikTok in accordance with TikTok's own privacy policy.

2. Scope of This Policy

This Privacy Policy applies to all users of the Grapjes Maker application ("the App"). The App is designed for personal use by the individual who runs it on their own machine.

This Policy describes what personal data the Grapjes Maker App collects, how we use it, and your rights regarding that data. The App allows users to generate AI comedy videos and optionally publish them to their TikTok accounts.

3. Third-Party Platform Integrations & API Scopes

Grapjes Maker integrates with third-party social media platforms using their official developer APIs. Currently, the Service integrates with TikTok, YouTube (Google), and Instagram (Meta), and may integrate with additional platforms in the future. To use platform-related features you must authenticate with the respective platform account.

3.1 TikTok API

The Grapjes Maker App uses TikTok API services to allow users to publish generated comedy videos to their TikTok accounts. When you connect your TikTok account, your browser communicates directly with TikTok's API servers. We request the following OAuth permissions (scopes):

Data collected from TikTok: We may collect TikTok user ID, username, profile picture, and access tokens to authenticate you and enable video publishing features.

• user.info.basic — Login with TikTok: Used to authenticate you and retrieve your TikTok display name, profile picture URL, and unique Open ID. This lets us personalise your experience and associate published content with your account.
• video.upload — Upload Videos: Used to upload joke videos you create via the App to your TikTok account. Video data and metadata are transmitted directly to TikTok's upload API endpoint.
• video.publish — Publish Videos: Allows the App to make uploaded videos publicly visible on your TikTok profile. TikTok separates video upload (creating a private draft) from video publish (making it visible to your audience). Both scopes are required for direct posting to TikTok. No video is ever posted without your direct action.

Data flow: When you log in via TikTok or publish a video, your credentials and content are sent directly to TikTok's API infrastructure. TikTok processes this data according to its own Privacy Policy. We do not control TikTok's subsequent use of data transmitted to their servers.

Data received from TikTok: In response to the scopes granted, TikTok returns to us: your TikTok Open ID (a pseudonymous identifier), your display name, and your profile picture URL. We do not receive your TikTok password, private messages, or financial information.

3.2 YouTube API (Google)

When you connect your YouTube account, your browser communicates directly with Google's OAuth and YouTube API servers. We request the following OAuth permissions (scopes):

• https://www.googleapis.com/auth/userinfo.profile — Basic profile: Used to retrieve your Google display name and profile picture URL so we can personalise your experience and associate published content with your account.
• https://www.googleapis.com/auth/youtube.upload — Upload videos: Used to publish joke videos you create via the Service directly to your YouTube channel on your behalf. Video data and metadata are transmitted directly to YouTube's upload API endpoint. No video is ever posted without your direct action.
• Additional future YouTube scopes: Should we integrate further YouTube features, we may request additional scopes and will update this policy before those features become active.

Data flow: When you log in via Google or publish a video to YouTube, your credentials and content are sent directly to Google's API infrastructure. Google and YouTube process this data according to their own Google Privacy Policy and YouTube Terms of Service. We do not control Google's or YouTube's subsequent use of data transmitted to their servers.

Data received from Google / YouTube: In response to the scopes granted, Google returns to us: your Google account ID (a pseudonymous identifier), your display name, and your profile picture URL. We do not receive your Google password, private messages, financial information, or any YouTube channel data beyond what is necessary to publish videos you explicitly initiate.

Google API Services User Data Policy: Grapjes Maker's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3.3 Instagram API (Meta)

When you connect your Instagram account, your browser communicates directly with Meta's OAuth and Instagram Graph API servers. We request the following OAuth permissions (scopes):

• instagram_basic — Basic profile: Used to retrieve your Instagram username, profile picture URL, and account ID so we can personalise your experience and associate published content with your account.
• instagram_content_publish — Publish content: Used to publish joke images or videos you create via the Service directly to your Instagram profile on your behalf. Content data and metadata are transmitted directly to Meta's content publishing API endpoint. No content is ever posted without your direct action.
• Additional future Instagram scopes: Should we integrate further Instagram features, we may request additional scopes and will update this policy before those features become active.

Data flow: When you log in via Instagram or publish content, your credentials and content are sent directly to Meta's API infrastructure. Meta processes this data according to its own Meta Privacy Policy. We do not control Meta's subsequent use of data transmitted to their servers.

Data received from Instagram / Meta: In response to the scopes granted, Meta returns to us: your Instagram account ID (a pseudonymous identifier), your username, and your profile picture URL. We do not receive your Instagram password, private messages, direct messages, or financial information.

3.4 Future Platform Integrations

For any additional platforms we integrate with in the future, we will list the relevant permissions, data received, and applicable third-party privacy policies in an updated version of this document before those integrations become active.

We access third-party platform data strictly to deliver the functionality described above. We do not use platform API data for advertising profiling or sell it to third parties.

4. Data We Collect

4.1 Data from Third-Party Platforms

Depending on which platform integrations you enable, we may collect the following categories of data from those platforms:

• Display name / username — your public profile name on the platform
• Profile picture URL — your avatar as provided by the platform
• Platform user ID — a pseudonymous identifier for your account on that platform
• Content metadata — title, description, and publish status of content posted via the Service

We only collect data that the platform makes available for the scopes you have authorised.

4.2 Data You Provide

• Joke content or text you create or customise within the Service
• Preferences and settings you configure

4.3 Automatically Collected Data

• Browser type and operating system (for compatibility and error diagnosis)
• Anonymised usage statistics (e.g., feature interaction counts)
• IP address (processed transiently for service delivery; not persistently stored or logged)

5. How We Use Your Data

We use the data we collect for the following purposes:

• To authenticate you and maintain your session
• To display your platform profile information within the Service
• To publish content to connected platform accounts when you request it
• To remember your preferences and settings
• To diagnose and fix errors and improve Service stability
• To comply with our legal obligations

We do not use your data for automated profiling, targeted advertising, or any purpose unrelated to operating the Service.

5.1 AI Training & Content Use

Your content is NOT used to train or improve our AI models. The jokes and videos you create are processed solely to generate and publish your content. We do not retain your content beyond what is necessary to provide the publishing functionality, and we do not use it for machine learning training, model improvement, or any secondary purposes.

6. Legal Basis for Processing (GDPR)

For users in the European Economic Area (including the Netherlands), we process personal data on the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you requested (authentication, content publishing).
• Legitimate interests (Art. 6(1)(f) GDPR): Anonymised usage analytics to maintain Service stability, where these interests are not overridden by your rights. We maintain a Legitimate Interests Assessment (LIA) documenting this balancing test, available on request.
• Compliance with legal obligations (Art. 6(1)(c) GDPR): Where processing is required by Dutch or EU law.
• Consent (Art. 6(1)(a) GDPR): Where we specifically request consent for optional features; you may withdraw consent at any time.

7. Data Sharing & Third Parties

We do not sell your personal data. We may share data with:

• TikTok (data recipient & independent controller): When you log in or upload a video, your authentication token and content are transmitted directly to TikTok's API servers located outside the EEA. TikTok processes this data as an independent data controller under its own Privacy Policy. We are not responsible for TikTok's subsequent processing of your data.
• Google LLC / YouTube (data recipient & independent controller): When you log in via Google or upload a video to YouTube, your authentication token and content are transmitted directly to Google's API servers, which may be located outside the EEA. Google processes this data as an independent data controller under its own Google Privacy Policy. We are not responsible for Google's or YouTube's subsequent processing of your data. Our use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
• Meta Platforms, Inc. / Instagram (data recipient & independent controller): When you log in via Instagram or publish content, your authentication token and content are transmitted directly to Meta's API servers, which may be located outside the EEA. Meta processes this data as an independent data controller under its own Meta Privacy Policy. We are not responsible for Meta's subsequent processing of your data.
• Cloud hosting & infrastructure providers: Trusted data processors (e.g., web hosting and CDN providers) who store and serve the Service on our behalf. These providers are contractually bound via Data Processing Agreements (DPAs) to process your data only on our documented instructions and in compliance with GDPR.
• Error monitoring / analytics providers (if used): If we use third-party tools to monitor service stability, they receive only anonymised or pseudonymised technical data and are bound by DPAs.
• Legal authorities: Where required by Dutch or EU law, court order, or to protect the rights and safety of our users or others.

8. Data Storage & Retention

We retain each category of personal data only as long as necessary for its purpose:

How to request deletion: Send an email to contacts@grapjesmaker.com with the subject line "Data Deletion Request" and include your TikTok display name or Open ID, your YouTube / Google display name or account ID, or your Instagram username or account ID, so we can locate your records. We will confirm deletion within 30 days of receipt, except where retention is required by law (e.g., statutory accounting records).

You may revoke the Service's TikTok authorization at any time from your TikTok account settings under Privacy → Apps and websites. Revoking authorization immediately stops the Service from accessing your TikTok account; we will delete the associated data within 30 days.

You may revoke the Service's YouTube / Google authorization at any time from your Google account permissions page. Revoking authorization immediately stops the Service from accessing your YouTube account; we will delete the associated data within 30 days.

You may revoke the Service's Instagram authorization at any time from your Instagram account settings under Settings → Apps and Websites. Revoking authorization immediately stops the Service from accessing your Instagram account; we will delete the associated data within 30 days.

9. International Data Transfers

The Service may use cloud infrastructure located outside the Netherlands or the European Economic Area. Where such transfers occur, we rely on European Commission-approved transfer mechanisms (such as Standard Contractual Clauses) to ensure an adequate level of protection.

10. Your Rights (GDPR Articles 15–22)

As an EU/EEA resident you have the following rights:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Ask us to correct inaccurate data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18): Ask us to restrict processing in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right not to be subject to automated decision-making (Art. 22): We do not carry out solely automated decision-making with legal effects.

Additionally, you may revoke a platform authorisation at any time from that platform's own account settings. Revoking authorisation stops the Service from accessing your account on that platform going forward.

To exercise any of these rights, contact us at contacts@grapjesmaker.com. We will respond within one month as required by GDPR. Where consent is the legal basis for processing, you may withdraw it at any time by contacting us at the same address; withdrawal is as straightforward as the original grant of consent and does not affect the lawfulness of processing carried out before withdrawal. You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

11. Children's Privacy

Grapjes Maker is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at contacts@grapjesmaker.com and we will promptly delete it.

12. Security & Breach Notification

We implement the following technical and organisational measures to protect your personal data:

• Encryption in transit: All communication between your browser and our servers uses TLS 1.2 or higher (HTTPS). Data transmitted to TikTok's, YouTube's, and Instagram's APIs is likewise protected by TLS.
• Encryption at rest: Any personal data stored on our infrastructure is encrypted at rest using industry-standard algorithms (AES-256 or equivalent).
• Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, protected by strong authentication.
• Minimal data collection: We collect only the data strictly necessary to operate the Service, reducing risk by design.
• Regular reviews: We periodically review our security practices and update them in response to emerging threats.

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any vulnerabilities.

Breach notification: In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens without undue delay and within 72 hours of becoming aware, as required by GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Art. 34), using contact details associated with your account or, where unavailable, a prominent notice on the Service.

13. Cookies & Tracking

Grapjes Maker uses only strictly necessary cookies and browser storage. We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that identify you personally.

How to manage cookies: You can control, block, or delete cookies at any time through your browser settings. Disabling session cookies will prevent you from logging in to the Service. Common browser guides:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Edge

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact our Privacy Team:

• Privacy / Data Rights requests: contacts@grapjesmaker.com — subject line: "Privacy Request"
• Data Deletion requests: contacts@grapjesmaker.com — subject line: "Data Deletion Request"
• General support: contacts@grapjesmaker.com

We will acknowledge your request within 5 business days and respond in full within 30 days as required by GDPR.