Privacy Policy

Effective Date: 2026-04-27
Last Updated: 2026-04-27

⚠️ Counsel confirmation before signature.

Registered/mailing address: 974 Bennington St, East Boston, MA 02128-1137 is the address selected for these docs. It was selected over the Chamber Saratoga listing because filing/registered-agent records are more authoritative than the chamber listing. Counsel or the registered agent should verify before signature.

State of formation: intentionally omitted. Roads CG is a MA Foreign LLC, but the original state is not confirmed. Do not guess Delaware or Wyoming in this document.

Privacy Contact: Privacy Team is a generic operations placeholder until a named privacy contact is designated.

Meta Platform Terms citations: re-checked 2026-05-04 against live terms last updated Feb 3 2026. Counsel should re-check before publication because Meta revises and renumbers periodically.

Production reachability: legal/data-request, legal/do-not-sell, and api/meta/data-deletion are implemented in the app/API, but their production URLs must be smoke-tested after deployment before signature/App Review submission.

Effective Date: 2026-04-29 Last Updated: 2026-05-04

1. Who We Are

Roads Consulting Group LLC ("Company", "we", "us", "our") operates a business-to-business software-as-a-service platform that helps businesses manage their Instagram and Facebook presence with the help of an AI assistant and a human approval step (the "Service").

If you are a consumer — for example, an Instagram follower whose public comment on one of our business customers' posts flows through the Service — this policy tells you what personal information we handle on behalf of that business, what your rights are, and how to exercise them.

If you are a business customer (or an employee of one) using the Service to manage your own social accounts, this policy also tells you how we handle the information you give us directly. Your own privacy policy, published to your audience, governs what you do with that audience's data; we act as your Service Provider under Cal. Civ. Code §1798.140(ag).

Contact for privacy matters:

Privacy Contact: Privacy Team
Email: privacy@roadscg.com
Mailing Address: 974 Bennington St, East Boston, MA 02128-1137

2. Scope

This policy applies to personal information collected through our website, our web application, our APIs, and any direct communications with us. It does not apply to third-party websites, platforms (Instagram/Facebook), or services that we link to but do not operate.

3. Categories of Personal Information We Collect

We describe personal information using the statutory categories set out in Cal. Civ. Code §1798.140(v)(1). The detailed mapping — what we collect under each category, from what sources, for what purpose, to whom it is disclosed, how long it is kept, and whether it is "sold" or "shared" — is published as a companion document, ccpa-disclosures.md, which is incorporated by reference into this policy. In summary, in the preceding 12 months we have collected the following categories:

(A) Identifiers — e.g., name, email address, account username, IP address.
(B) Customer records information (Cal. Civ. Code §1798.80(e)) — e.g., business contact details of customer personnel.
(F) Internet or other electronic network activity information — e.g., server logs, product-usage telemetry.
(I) Professional or employment-related information — e.g., job title of the customer contact.
(K) Inferences — limited, derived from Service usage to improve content suggestions for the business customer.

We may also collect public user-generated content (e.g., the text of a comment posted publicly on a customer's Instagram post) on behalf of the business customer. That content reaches us because the customer authorized us to read its Instagram Graph API feed.

Categories we do not collect

(C) Protected classifications, (D) Commercial purchase/transaction records beyond subscription billing, (E) Biometric information, (G) Precise geolocation, (H) Audio/visual sensory data collected by us (customers may upload their own media), (J) Education records, (L) Sensitive personal information as defined in Cal. Civ. Code §1798.140(ae).
We do not knowingly collect personal information from children under 16, and the Service is not directed to children under 13.

Sensitive personal information

We do not collect any category of Sensitive Personal Information enumerated at Cal. Civ. Code §1798.140(ae)(1)(A)–(G) or (ae)(2)(A)–(C), and we do not use or disclose sensitive personal information for purposes beyond those permitted under 11 CCR §7027(m). Accordingly, the CCPA "right to limit use or disclosure of sensitive personal information" is not triggered by our current processing.

4. Sources of Personal Information

Directly from you or from the business customer — account registration, support interactions, content you upload.
Automatically, from your device — standard server logs, cookies strictly necessary for authentication and security.
From third-party platforms you connect — Meta's Instagram and Facebook Graph APIs (only after the business customer grants OAuth authorization).
From our online reseller and Merchant of Record — billing details, transaction numbers, subscription metadata, and order confirmation details are sourced from Paddle.com (Paddle.com Market Ltd).
From our sub-processors — limited operational data (e.g., email delivery receipts from Resend).

5. Business and Commercial Purposes

We process personal information for the following business and commercial purposes:

Providing the Service: generating draft social posts, scheduling publishing after human approval, analyzing and suggesting responses to public comments.
Operating human-in-the-loop approval workflows (email notifications to approvers; web UI for review).
Maintaining account security, authentication, and abuse prevention.
Auditing, debugging, and improving the quality of the Service.
Billing and contract administration with our business customers (note that billing, tax compliance, and payment card transactions are administered through our partner and reseller Paddle.com).
Complying with legal obligations and responding to consumer rights requests.

For the full purpose-per-category mapping, see ccpa-disclosures.md.

6. Automated Content Generation (AI Use Disclosure)

We use third-party large language models (currently OpenAI and/or Anthropic, as configured per customer) to generate draft social media content and draft responses to public comments. A human — either our business customer or its designated approver — must review and explicitly approve every draft before any content is published or any comment reply is sent.

We do not use automated decisionmaking technology ("ADMT" under 11 CCR §7200) to make decisions about consumers that produce legal or similarly significant effects. The AI assists content production; the human decides. The CCPA rights to opt out of, or access information about, ADMT for significant decisions are therefore not triggered by our current processing. If this changes, we will update this policy and provide the notices required by 11 CCR §7220 et seq.

7. Disclosure of Personal Information

Categories disclosed for a business purpose

In the preceding 12 months, we have disclosed the categories listed in Section 3 to the following categories of recipients for the business purposes set out in Section 5:

Infrastructure and hosting providers — our VPS provider, which runs our self-hosted Postgres, Redis, and MinIO.
AI processing providers — OpenAI and/or Anthropic, for draft content and draft comment-response generation.
Transactional email provider — Resend, for approval notifications and other transactional email.
Online reseller and payment administrator — Paddle.com (Paddle.com Market Ltd), which acts as our Merchant of Record and an independent data controller for checkouts, payment processing, tax compliance, invoicing, and payment card transactions. You can read how Paddle handles your payment and personal details in Paddle's Privacy Terms.
Meta Platforms — when the business customer publishes content or replies to comments through their connected accounts, we transmit that content to Meta to the extent required to exercise the Instagram/Facebook permissions the customer granted via OAuth.
Professional service providers — auditors, legal counsel, bound by confidentiality.

Meta Platform Data flowing to AI sub-processors

When a business customer connects an Instagram or Facebook account, the Service may transmit the following types of Meta Platform Data to our AI sub-processors solely for the purpose of generating drafts on the customer's behalf (no model training, see § 7.4 of the Terms of Service):

Sub-processor	Type of Meta Platform Data	Purpose
OpenAI	Public comment text on the customer's posts; brand voice samples derived from prior Instagram captions	Drafting reply suggestions; drafting new captions consistent with prior voice
Anthropic	Same as OpenAI (configurable per customer)	Same as OpenAI
fal.ai	Brand asset images imported from the customer's Instagram Business account	Generating new image variants for the customer's review

Each sub-processor is contractually bound under our DPA template (dpa-templates/) to: (i) process Meta Platform Data only on our documented instructions, (ii) not use it for training, retraining, or fine-tuning any general-purpose model, and (iii) delete it on request.

Each of these recipients is contractually bound as a Service Provider, Contractor, or Third Party (as defined by CCPA) to use the personal information only for the purposes we specify. See our DPA template in dpa-templates/README.md.

Under 11 CCR §7011(a), businesses must provide a Notice of Right to Opt-Out of Sale/Sharing or state that no sale or sharing occurs. We do not sell or share personal information as those terms are defined at Cal. Civ. Code §§1798.140(ad) and (ah). We have not done so in the preceding 12 months. This section fulfills our 11 CCR §7011(a) notice obligation. We nevertheless maintain a "Do Not Sell or Share My Personal Information" page at https://marketingai.roadscg.com/legal/do-not-sell so that the explicit statement "We do not sell or share" is also available at a conspicuous link.

Global Privacy Control

Because we do not sell or share personal information, the processing a Global Privacy Control (GPC) signal controls does not occur in the Service. No GPC signal needs to be acted on under our current practices. If our practices change and we begin selling or sharing personal information, we will honor GPC and other legally recognized opt-out preference signals as required by law.

8. Retention

We retain each category of personal information only as long as reasonably necessary for the purposes disclosed in Section 5, or as required by law, whichever is longer. Concrete retention periods per category are listed in ccpa-disclosures.md. In general:

Account and billing records — duration of the business customer relationship plus the applicable tax and contract limitations period. Full payment card data (credit card numbers, verification codes) is never collected or stored on our servers, as all checkouts, card transactions, and payment flows are handled directly by Paddle.
Audit logs and webhook events — 12 months rolling.
Draft content and approval decisions — duration of the customer relationship unless a customer deletes earlier.
Public comment text fetched via the Meta APIs — only as long as the Meta platform itself exposes the comment, or as needed to respond, whichever is shorter.
Meta Platform Data on OAuth revocation — when a business customer revokes OAuth authorization for an Instagram or Facebook account (or when their account is disconnected by Meta), we delete all cached Meta Platform Data for that account within thirty (30) days, independent of the general retention periods above. This is required by Meta Platform Terms § 3.d.i.2 and supersedes any longer customer-relationship retention period for that data category.

9. Your Rights Under US State Privacy Laws

If you are a California resident, the CCPA gives you the following rights:

Right to know (§1798.110) — the categories of personal information we have collected about you, the sources, the business purposes, the categories of recipients, and the specific pieces of personal information we hold.
Right to delete (§1798.105) — subject to statutory exceptions.
Right to correct (§1798.106) — inaccurate personal information we maintain about you.
Right to opt out of sale or sharing (§1798.120) — not applicable because we do not sell or share.
Right to limit use of sensitive personal information (§1798.121) — not applicable because we do not collect sensitive personal information for purposes beyond those permitted by 11 CCR §7027(m).
Right of non-discrimination (§1798.125) — we will not deny you service, charge you different prices, or provide a different level of service because you exercised a CCPA right.

Residents of other US states with comprehensive privacy statutes (including, as they are in effect, VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, DPDPA, NH SB 255, NJ SB 332) have analogous rights. We handle requests from those residents on the same operational path as CCPA requests, recognizing state-specific differences in response time, appeal rights, and opt-out scope.

For residents of states that require a data protection assessment for certain processing activities (e.g., Colorado, Virginia, Connecticut, Texas, Minnesota), we are developing internal data-protection-assessment documentation as part of our privacy program and will complete those assessments before expanding processing of residents of those states at scale.

10. How to Submit a Request

You have two methods:

Web form — https://marketingai.roadscg.com/legal/data-request.
Email — privacy@roadscg.com with the subject line "Privacy Rights Request" and the type of request you are making (Know, Delete, Correct, Opt-Out, or Limit).

Meta Platform data deletion (Instagram / Facebook)

If you connected your Instagram or Facebook account to the Service via OAuth and want all Meta-sourced data we hold for your account permanently deleted, you have three options:

Revoke our app's access through your Instagram or Facebook account settings. We will delete cached Meta Platform Data for your account within thirty (30) days of revocation.
Submit a Data Deletion Request at our automated endpoint: https://marketingai.roadscg.com/api/meta/data-deletion. This endpoint conforms to Meta Platform Terms § 3.d.i.2 and accepts the signed request flow described in Meta's Data Deletion Callback documentation.
Email us at privacy@roadscg.com with subject "Meta Data Deletion Request" and the connected handle.

Upon any of the above we will: (i) delete all cached posts, comments, brand assets, and engagement metrics sourced via the Meta Graph API for that account; (ii) instruct our sub-processors (OpenAI, Anthropic, fal.ai) to delete any in-flight copies; (iii) retain only the audit-log entry of the deletion request itself, as required for compliance demonstration.

You do not need to have an account with us to submit a request.

Authorized agents

You may designate an authorized agent to make a request on your behalf. The agent must provide (i) a written authorization signed by you, or a valid power of attorney under Cal. Prob. Code §§4000–4465, and (ii) verification of the agent's own identity. We may also ask you to verify your identity directly with us, or to confirm to us that you have given the agent permission.

Verification

We verify requests by matching identifiers you provide (e.g., the email address associated with account activity, or for a non-account consumer, the identifiers reasonably necessary to associate the request with information we hold). We will not ask for more information than reasonably necessary to verify your identity. Where we cannot verify the request at the level of confidence required by 11 CCR §7060 et seq., we will tell you and explain why.

Response times

We will confirm receipt within 10 business days and respond substantively within 45 calendar days. If we need more time, we may extend by an additional 45 calendar days, with notice to you explaining the reason.

Appeals

If we decline your request in whole or in part, you may appeal by replying to our response or emailing privacy@roadscg.com with "Privacy Rights Appeal" in the subject line. You may submit an appeal within the window provided by your state (typically 30–45 days from our decision). We will respond to appeals within 60 days of receipt, with a written explanation and notice of how to contact the relevant state Attorney General if you disagree. California residents may also contact the California Privacy Protection Agency at https://cppa.ca.gov or the California Attorney General at https://oag.ca.gov/privacy.

We do not sell or share personal information as defined by the CCPA. A page titled "Do Not Sell or Share My Personal Information" is available at https://marketingai.roadscg.com/legal/do-not-sell and contains this statement in plain form.

12. Minors

The Service is a B2B SaaS that is not directed to consumers under 13, and our business customers do not direct children under 13 to comment on their accounts. We do not operate a direct consumer sign-up flow open to children. Our business customers (and their employees) using the Service are adult representatives of those businesses.

Personal information of minors may, however, be incidentally included in user-generated content (public comments, mentions, and direct messages sent to our customers' business accounts) that the Service processes on behalf of our business customers. Any such incidental personal information is handled as Service Provider personal information under each customer's own agreement with its audience and that customer's own privacy notices; it is not personal information we collect directly from minors.

If we acquire actual knowledge that a specific piece of user-generated content originates from a child under 13, we will cease processing that content, remove it from our systems, and coordinate with the relevant business customer to honor any parental-deletion request under the Children's Online Privacy Protection Act (COPPA) or other applicable law.

For consumers we have actual knowledge are aged 13–15, the CCPA opt-in requirement at Cal. Civ. Code §1798.120(c) applies only to selling or sharing personal information for cross-context behavioral advertising. Because we do not sell or share personal information in our current operation, that opt-in requirement is not triggered. If our practices change, we will update this policy and implement the opt-in flow before any sale or sharing occurs.

13. Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information, including encryption of OAuth tokens at rest, scoped internal service tokens between front-end BFF and backend API, cryptographic verification of Meta webhook signatures, and auditing of sensitive actions (approvals, publishes, replies). No system is perfectly secure.

14. International Users

The Service is designed for use in the United States. If you access the Service from outside the United States, you understand that your personal information will be transferred to and processed in the United States.

15. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last Updated" date at the top. Material changes will be announced to business customers by email and highlighted at the top of this page for at least 30 days.

16. How to Contact Us

Email: privacy@roadscg.com
Mail: Roads Consulting Group LLC, 974 Bennington St, East Boston, MA 02128-1137
Privacy contact: Privacy Team

For the detailed category-level disclosures required by 11 CCR §7011(e)(1), see ccpa-disclosures.md.

Privacy Policy

Effective Date: 2026-04-27
Last Updated: 2026-04-27

⚠️ Counsel confirmation before signature.

Registered/mailing address: 974 Bennington St, East Boston, MA 02128-1137 is the address selected for these docs. It was selected over the Chamber Saratoga listing because filing/registered-agent records are more authoritative than the chamber listing. Counsel or the registered agent should verify before signature.

State of formation: intentionally omitted. Roads CG is a MA Foreign LLC, but the original state is not confirmed. Do not guess Delaware or Wyoming in this document.

Privacy Contact: Privacy Team is a generic operations placeholder until a named privacy contact is designated.

Meta Platform Terms citations: re-checked 2026-05-04 against live terms last updated Feb 3 2026. Counsel should re-check before publication because Meta revises and renumbers periodically.

Production reachability: legal/data-request, legal/do-not-sell, and api/meta/data-deletion are implemented in the app/API, but their production URLs must be smoke-tested after deployment before signature/App Review submission.

Effective Date: 2026-04-29 Last Updated: 2026-05-04

1. Who We Are

Contact for privacy matters:

Privacy Contact: Privacy Team
Email: privacy@roadscg.com
Mailing Address: 974 Bennington St, East Boston, MA 02128-1137

2. Scope

3. Categories of Personal Information We Collect

(A) Identifiers — e.g., name, email address, account username, IP address.
(B) Customer records information (Cal. Civ. Code §1798.80(e)) — e.g., business contact details of customer personnel.
(F) Internet or other electronic network activity information — e.g., server logs, product-usage telemetry.
(I) Professional or employment-related information — e.g., job title of the customer contact.
(K) Inferences — limited, derived from Service usage to improve content suggestions for the business customer.

Categories we do not collect

(C) Protected classifications, (D) Commercial purchase/transaction records beyond subscription billing, (E) Biometric information, (G) Precise geolocation, (H) Audio/visual sensory data collected by us (customers may upload their own media), (J) Education records, (L) Sensitive personal information as defined in Cal. Civ. Code §1798.140(ae).
We do not knowingly collect personal information from children under 16, and the Service is not directed to children under 13.

Sensitive personal information

4. Sources of Personal Information

Directly from you or from the business customer — account registration, support interactions, content you upload.
Automatically, from your device — standard server logs, cookies strictly necessary for authentication and security.
From third-party platforms you connect — Meta's Instagram and Facebook Graph APIs (only after the business customer grants OAuth authorization).
From our online reseller and Merchant of Record — billing details, transaction numbers, subscription metadata, and order confirmation details are sourced from Paddle.com (Paddle.com Market Ltd).
From our sub-processors — limited operational data (e.g., email delivery receipts from Resend).

5. Business and Commercial Purposes

We process personal information for the following business and commercial purposes:

Providing the Service: generating draft social posts, scheduling publishing after human approval, analyzing and suggesting responses to public comments.
Operating human-in-the-loop approval workflows (email notifications to approvers; web UI for review).
Maintaining account security, authentication, and abuse prevention.
Auditing, debugging, and improving the quality of the Service.
Billing and contract administration with our business customers (note that billing, tax compliance, and payment card transactions are administered through our partner and reseller Paddle.com).
Complying with legal obligations and responding to consumer rights requests.

For the full purpose-per-category mapping, see ccpa-disclosures.md.

6. Automated Content Generation (AI Use Disclosure)

7. Disclosure of Personal Information

Categories disclosed for a business purpose

In the preceding 12 months, we have disclosed the categories listed in Section 3 to the following categories of recipients for the business purposes set out in Section 5:

Infrastructure and hosting providers — our VPS provider, which runs our self-hosted Postgres, Redis, and MinIO.
AI processing providers — OpenAI and/or Anthropic, for draft content and draft comment-response generation.
Transactional email provider — Resend, for approval notifications and other transactional email.
Online reseller and payment administrator — Paddle.com (Paddle.com Market Ltd), which acts as our Merchant of Record and an independent data controller for checkouts, payment processing, tax compliance, invoicing, and payment card transactions. You can read how Paddle handles your payment and personal details in Paddle's Privacy Terms.
Meta Platforms — when the business customer publishes content or replies to comments through their connected accounts, we transmit that content to Meta to the extent required to exercise the Instagram/Facebook permissions the customer granted via OAuth.
Professional service providers — auditors, legal counsel, bound by confidentiality.

Meta Platform Data flowing to AI sub-processors

Sub-processor	Type of Meta Platform Data	Purpose
OpenAI	Public comment text on the customer's posts; brand voice samples derived from prior Instagram captions	Drafting reply suggestions; drafting new captions consistent with prior voice
Anthropic	Same as OpenAI (configurable per customer)	Same as OpenAI
fal.ai	Brand asset images imported from the customer's Instagram Business account	Generating new image variants for the customer's review

Global Privacy Control

8. Retention

Account and billing records — duration of the business customer relationship plus the applicable tax and contract limitations period. Full payment card data (credit card numbers, verification codes) is never collected or stored on our servers, as all checkouts, card transactions, and payment flows are handled directly by Paddle.
Audit logs and webhook events — 12 months rolling.
Draft content and approval decisions — duration of the customer relationship unless a customer deletes earlier.
Public comment text fetched via the Meta APIs — only as long as the Meta platform itself exposes the comment, or as needed to respond, whichever is shorter.
Meta Platform Data on OAuth revocation — when a business customer revokes OAuth authorization for an Instagram or Facebook account (or when their account is disconnected by Meta), we delete all cached Meta Platform Data for that account within thirty (30) days, independent of the general retention periods above. This is required by Meta Platform Terms § 3.d.i.2 and supersedes any longer customer-relationship retention period for that data category.

9. Your Rights Under US State Privacy Laws

If you are a California resident, the CCPA gives you the following rights:

Right to know (§1798.110) — the categories of personal information we have collected about you, the sources, the business purposes, the categories of recipients, and the specific pieces of personal information we hold.
Right to delete (§1798.105) — subject to statutory exceptions.
Right to correct (§1798.106) — inaccurate personal information we maintain about you.
Right to opt out of sale or sharing (§1798.120) — not applicable because we do not sell or share.
Right to limit use of sensitive personal information (§1798.121) — not applicable because we do not collect sensitive personal information for purposes beyond those permitted by 11 CCR §7027(m).
Right of non-discrimination (§1798.125) — we will not deny you service, charge you different prices, or provide a different level of service because you exercised a CCPA right.

10. How to Submit a Request

You have two methods:

Web form — https://marketingai.roadscg.com/legal/data-request.
Email — privacy@roadscg.com with the subject line "Privacy Rights Request" and the type of request you are making (Know, Delete, Correct, Opt-Out, or Limit).

Meta Platform data deletion (Instagram / Facebook)

If you connected your Instagram or Facebook account to the Service via OAuth and want all Meta-sourced data we hold for your account permanently deleted, you have three options:

Revoke our app's access through your Instagram or Facebook account settings. We will delete cached Meta Platform Data for your account within thirty (30) days of revocation.
Submit a Data Deletion Request at our automated endpoint: https://marketingai.roadscg.com/api/meta/data-deletion. This endpoint conforms to Meta Platform Terms § 3.d.i.2 and accepts the signed request flow described in Meta's Data Deletion Callback documentation.
Email us at privacy@roadscg.com with subject "Meta Data Deletion Request" and the connected handle.

You do not need to have an account with us to submit a request.

Authorized agents

Verification

Response times

Appeals

12. Minors

13. Security

14. International Users

15. Changes to This Policy

16. How to Contact Us

Email: privacy@roadscg.com
Mail: Roads Consulting Group LLC, 974 Bennington St, East Boston, MA 02128-1137
Privacy contact: Privacy Team

For the detailed category-level disclosures required by 11 CCR §7011(e)(1), see ccpa-disclosures.md.

Privacy Policy

1. Who We Are

2. Scope

3. Categories of Personal Information We Collect

Categories we do not collect

Sensitive personal information

4. Sources of Personal Information

5. Business and Commercial Purposes

6. Automated Content Generation (AI Use Disclosure)

7. Disclosure of Personal Information

Categories disclosed for a business purpose

Meta Platform Data flowing to AI sub-processors

Sale and sharing

Global Privacy Control

8. Retention

9. Your Rights Under US State Privacy Laws

10. How to Submit a Request

Meta Platform data deletion (Instagram / Facebook)

Authorized agents

Verification

Response times

Appeals

11. "Do Not Sell or Share My Personal Information"

12. Minors

13. Security

14. International Users

15. Changes to This Policy

16. How to Contact Us

Privacy Policy

1. Who We Are

2. Scope

3. Categories of Personal Information We Collect

Categories we do not collect

Sensitive personal information

4. Sources of Personal Information

5. Business and Commercial Purposes

6. Automated Content Generation (AI Use Disclosure)

7. Disclosure of Personal Information

Categories disclosed for a business purpose

Meta Platform Data flowing to AI sub-processors

Sale and sharing

Global Privacy Control

8. Retention

9. Your Rights Under US State Privacy Laws

10. How to Submit a Request

Meta Platform data deletion (Instagram / Facebook)

Authorized agents

Verification

Response times

Appeals

11. "Do Not Sell or Share My Personal Information"

12. Minors

13. Security

14. International Users

15. Changes to This Policy

16. How to Contact Us