MPSSby Yarify

Privacy Policy

Last updated:

1. Who We Are

MPSS (Media Publishing & Scheduling System) is a software service operated by Yarify s.r.o., a limited-liability company registered in the Czech Republic.

Yarify s.r.o.
Raisova 916/15, Mariánské Hory
709 00 Ostrava, Czech Republic
Company ID (IČO): 23050403

Yarify s.r.o. is the data controller for all personal data processed through the MPSS platform. If you have any questions about this Policy, please contact us at sales@yarify.tech.

2. What This Policy Covers

This Policy explains what data MPSS collects when you use the platform, why we collect it, who we share it with, how long we keep it, and what rights you have. It applies to all users accessing MPSS, including the web application and any API integrations.

3. Data We Collect and How We Use It

3.1 Account Identity

MPSS uses Google Sign-In via Firebase Authentication. When you sign in, Firebase issues a JSON Web Token (JWT) that includes your Firebase User ID (UID). We use this UID to:

  • Identify you within a single request lifecycle (held transiently in memory, never persisted in application logs).
  • Stamp an audit field (createdBy) on every document you create, stored in our MongoDB database.

We do not receive, store, or process your Google email address, name, or profile photo through the application layer. Firebase may retain such information according to its own privacy policy.

3.2 Social Platform Connections (OAuth)

MPSS allows you to connect social media accounts — YouTube, Instagram, and TikTok — so the platform can publish content on your behalf. When you connect an account:

  • OAuth flow: MPSS initiates the platform's standard OAuth 2.0 authorisation flow. A signed, HMAC-SHA256 state token with a 10-minute TTL is used to prevent CSRF attacks. MPSS does not handle your platform password at any stage.
  • Access and refresh tokens issued by the platform are stored in our MongoDB database encrypted with AES-256-GCM. Each token has its own randomly generated initialisation vector (IV). Encryption keys are stored exclusively in GCP Secret Manager and are never written to environment variables, logs, or the database.
  • Decryption occurs only in memory, immediately before an API call to the platform. Token values are never written to logs.
  • Account metadata (display name, platform identifier, connection status) is stored in plaintext and is visible only to users within your project.

Scopes we request:

PlatformScopePurpose
YouTubehttps://www.googleapis.com/auth/youtube.uploadUpload videos to your connected YouTube channel
Instagraminstagram_basic, instagram_content_publishRead account info; publish Reels to your Instagram account
TikTokvideo.uploadUpload videos to your connected TikTok account

You can revoke platform access at any time from each platform's connected-apps settings, or by disconnecting the account within MPSS.

3.3 Instagram / Meta — Additional Note

During the Instagram connection flow, the Meta Graph API provides MPSS with a list of your Facebook Pages and a long-lived user token. This token is stored in MongoDB for up to 10 minutes in plaintext while you select the target page. It is automatically deleted — either when you complete the selection or when a MongoDB TTL index expires — whichever comes first. Page access tokens are subsequently stored in GCP Secret Manager (only the secret path is recorded in MongoDB).

3.4 Uploaded Media

When you upload images, videos, or audio files to MPSS Media Collections:

  • File metadata (name, type, size, GCS path) is stored in MongoDB under your project.
  • Binary file content is uploaded directly from your browser to Google Cloud Storage (GCS) via a pre-signed PUT URL. The file content never passes through MPSS backend servers.
  • Files in an unfinished upload state are automatically deleted after 30 minutes via a MongoDB TTL index.
  • Preview access uses 15-minute signed GCS URLs that expire automatically.
  • At publish time, a temporary public-read URL may be generated so that Instagram's CDN can fetch the video. This URL is time-limited and removed after publishing.

3.5 Generated Content

MPSS uses FFmpeg (running locally on the application server) to compose videos from your templates and uploaded media. No media is sent to external AI providers or third-party rendering services. Generated videos are:

  • Stored temporarily on the server's local disk during rendering.
  • Uploaded to GCS at path projects/{projectId}/runs/{runId}/output.mp4.
  • Deleted from local disk immediately after upload.
  • Sent to the target social media platform during the publishing step.

Post IDs and public post URLs returned by platforms after a successful publish are stored in MongoDB as an audit trail.

3.6 Campaign and Content Configuration

Campaign names, schedules, templates, and content pool data (captions, titles, tags, descriptions) that you enter are stored in MongoDB. This data is transmitted to social media platform APIs only at the time of publishing a campaign run.

3.7 Logs and Technical Data

MPSS uses structured logging via Google Cloud Logging. The following identifiers may appear in logs for operational and debugging purposes:

  • Firebase User ID, Project ID, Account ID, Campaign ID, Execution ID
  • Platform names (YouTube / Instagram / TikTok)
  • GCP Cloud Trace request trace IDs
  • External post IDs and URLs on successful publishes
  • Failure reason strings on publish errors

Not logged: access tokens, refresh tokens, any token values, user email addresses, or raw content text.

GCP Cloud Run infrastructure logs include client IP addresses at the infrastructure level. This is outside application code control and is standard GCP behaviour.

4. Legal Basis for Processing (GDPR)

MPSS is operated from the Czech Republic, which is an EU member state. We rely on the following legal bases under the GDPR:

  • Contract performance (Art. 6(1)(b)): Processing your Firebase UID, project data, campaign configuration, and media to deliver the service you have signed up for.
  • Legitimate interests (Art. 6(1)(f)): Operational logging and monitoring necessary to maintain service stability, debug errors, and prevent abuse.
  • Consent (Art. 6(1)(a)): Connecting social media accounts and authorising MPSS to publish on your behalf. You can withdraw consent by disconnecting accounts at any time.

5. Third-Party Services

The following third-party services receive data when you use MPSS:

ServiceData SharedPurpose
Firebase / GoogleFirebase UID (JWT verification)User authentication on every request
GCP Cloud StorageUploaded media and generated videosBinary file storage
GCP Secret ManagerEncryption key reads; OAuth client secret reads; platform token pathsSecrets management
GCP Cloud Logging / Cloud RunStructured operational logs including user and account IDsMonitoring and debugging
YouTube Data API v3Access token; video binary; title, description, tags, privacy settingsPublishing campaign videos to YouTube
Instagram Graph APIAccess token; public video URL; caption, locationPublishing campaign Reels to Instagram
Meta Graph APILong-lived user token (during OAuth setup); Facebook Page listInstagram account connection flow
TikTok Open APIAccess token; video binaryPublishing campaign videos to TikTok

All external API calls use HTTPS. OAuth client secrets for all platforms are stored exclusively in GCP Secret Manager and are never transmitted to the browser or written to logs.

6. Data Retention

  • OAuth tokens: Retained until you disconnect the account within MPSS or revoke access via the platform. Tokens are deleted from MongoDB when an account is removed.
  • Pending Meta connections: Auto-deleted after 10 minutes by a MongoDB TTL index.
  • Incomplete media uploads: Auto-deleted after 30 minutes by a MongoDB TTL index.
  • Media files in GCS: Retained until you delete the media item or the containing collection. Deleting an item removes both the metadata record and the GCS object.
  • Generated videos in GCS: Retained until the associated campaign run record is deleted, or you request deletion.
  • Campaign and content data: Retained while your project exists. Deleting a project removes all associated data.
  • Operational logs: Retained according to GCP Cloud Logging default retention policies (typically 30 days for log buckets, configurable by the operator).

You may request deletion of your account data at any time by contacting sales@yarify.tech. We will process deletion requests within 30 days.

7. Security

We apply the following technical measures to protect your data:

  • Token encryption: All OAuth access and refresh tokens are encrypted with AES-256-GCM and per-token IVs before storage in MongoDB.
  • Key management: Encryption keys and platform client secrets are stored only in GCP Secret Manager, never in environment variables or the database.
  • Authentication: Every API request (except public OAuth callback endpoints) requires a valid Firebase JWT verified server-side.
  • Multi-tenancy isolation: All database queries are scoped by project ID. A server-side access guard verifies your project membership on every operation.
  • No binary in transit through backend: Media files are uploaded directly from your browser to GCS via pre-signed URLs; the application server never handles binary content.
  • CSRF protection: OAuth state parameters are HMAC-SHA256 signed JWTs with 10-minute TTL and a nonce.
  • HTTPS everywhere: All communications with external APIs use TLS/HTTPS.

Despite these measures, no system is completely immune to security incidents. If you suspect unauthorised access to your account or data, please contact us immediately at sales@yarify.tech.

8. Your Rights (GDPR)

As a resident of the EU/EEA, or where applicable law provides, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten").
  • Restrict processing in certain circumstances.
  • Port your data to another service.
  • Object to processing based on legitimate interests.
  • Withdraw consent for social platform connections at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email sales@yarify.tech with the subject line "Data Rights Request". We will respond within 30 days.

If you believe we have not handled your data lawfully, you may lodge a complaint with the Office for Personal Data Protection of the Czech Republic (Úřad pro ochranu osobních údajů, www.uoou.cz).

9. Cookies and Tracking

MPSS is a web application, not a marketing website. We do not use advertising cookies, analytics pixels, or third-party tracking scripts. Firebase Authentication uses localStorage and session storage to persist your authentication state between browser sessions. No other cookies or persistent identifiers are set by the application.

10. Children's Privacy

MPSS is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected data from a minor, please contact us at sales@yarify.tech.

11. Changes to This Policy

We may update this Policy from time to time to reflect changes in our data practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of MPSS after changes become effective constitutes your acceptance of the revised Policy.

12. Contact

Yarify s.r.o.
Raisova 916/15, Mariánské Hory
709 00 Ostrava, Czech Republic
Company ID (IČO): 23050403

Email: sales@yarify.tech

See also: Terms of Service