Privacy Policy

Effective Date: 2026-04-27
Last Updated: 2026-04-27

1. Who We Are

[Company Legal Name] ("Company", "we", "us", "our") operates a business-to-business software-as-a-service platform that helps businesses manage their Instagram and Facebook presence with the help of an AI assistant and a human approval step (the "Service").

If you are a consumer — for example, an Instagram follower whose public comment on one of our business customers' posts flows through the Service — this policy tells you what personal information we handle on behalf of that business, what your rights are, and how to exercise them.

If you are a business customer (or an employee of one) using the Service to manage your own social accounts, this policy also tells you how we handle the information you give us directly. Your own privacy policy, published to your audience, governs what you do with that audience's data; we act as your Service Provider under Cal. Civ. Code §1798.140(ag).

Contact for privacy matters:

Privacy Contact: [DPO / Privacy Contact Name]
Email: privacy@roadscg.com
Mailing Address: [Registered Address]

2. Scope

This policy applies to personal information collected through our website, our web application, our APIs, and any direct communications with us. It does not apply to third-party websites, platforms (Instagram/Facebook), or services that we link to but do not operate.

3. Categories of Personal Information We Collect

We describe personal information using the statutory categories set out in Cal. Civ. Code §1798.140(v)(1). The detailed mapping — what we collect under each category, from what sources, for what purpose, to whom it is disclosed, how long it is kept, and whether it is "sold" or "shared" — is published as a companion document, ccpa-disclosures, which is incorporated by reference into this policy. In summary, in the preceding 12 months we have collected the following categories:

(A) Identifiers — e.g., name, email address, account username, IP address.
(B) Customer records information (Cal. Civ. Code §1798.80(e)) — e.g., business contact details of customer personnel.
(F) Internet or other electronic network activity information — e.g., server logs, product-usage telemetry.
(I) Professional or employment-related information — e.g., job title of the customer contact.
(K) Inferences — limited, derived from Service usage to improve content suggestions for the business customer.

We may also collect public user-generated content (e.g., the text of a comment posted publicly on a customer's Instagram post) on behalf of the business customer. That content reaches us because the customer authorized us to read its Instagram Graph API feed.

Categories we do not collect

(C) Protected classifications, (D) Commercial purchase/transaction records beyond subscription billing, (E) Biometric information, (G) Precise geolocation, (H) Audio/visual sensory data collected by us (customers may upload their own media), (J) Education records, (L) Sensitive personal information as defined in Cal. Civ. Code §1798.140(ae).

We do not knowingly collect personal information from children under 16, and the Service is not directed to children under 13.

Sensitive personal information

We do not collect any category of Sensitive Personal Information enumerated at Cal. Civ. Code §1798.140(ae)(1)(A)–(G) or (ae)(2)(A)–(C), and we do not use or disclose sensitive personal information for purposes beyond those permitted under 11 CCR §7027(m). Accordingly, the CCPA "right to limit use or disclosure of sensitive personal information" is not triggered by our current processing.

4. Sources of Personal Information

Directly from you or from the business customer — account registration, support interactions, content you upload.
Automatically, from your device — standard server logs, cookies strictly necessary for authentication and security.
From third-party platforms you connect — Meta's Instagram and Facebook Graph APIs (only after the business customer grants OAuth authorization).
From our sub-processors — limited operational data (e.g., email delivery receipts from Resend).

5. Business and Commercial Purposes

We process personal information for the following business and commercial purposes:

Providing the Service: generating draft social posts, scheduling publishing after human approval, analyzing and suggesting responses to public comments.
Operating human-in-the-loop approval workflows (email notifications to approvers; web UI for review).
Maintaining account security, authentication, and abuse prevention.
Auditing, debugging, and improving the quality of the Service.
Billing and contract administration with our business customers.
Complying with legal obligations and responding to consumer rights requests.

For the full purpose-per-category mapping, see ccpa-disclosures.

6. Automated Content Generation (AI Use Disclosure)

We use third-party large language models (currently OpenAI and/or Anthropic, as configured per customer) to generate draft social media content and draft responses to public comments. A human — either our business customer or its designated approver — must review and explicitly approve every draft before any content is published or any comment reply is sent.

We do not use automated decisionmaking technology ("ADMT" under 11 CCR §7200) to make decisions about consumers that produce legal or similarly significant effects. The AI assists content production; the human decides. The CCPA rights to opt out of, or access information about, ADMT for significant decisions are therefore not triggered by our current processing. If this changes, we will update this policy and provide the notices required by 11 CCR §7220 et seq.

7. Disclosure of Personal Information

Categories disclosed for a business purpose

In the preceding 12 months, we have disclosed the categories listed in Section 3 to the following categories of recipients for the business purposes set out in Section 5:

Infrastructure and hosting providers — our VPS provider, which runs our self-hosted Postgres, Redis, and MinIO.
AI processing providers — OpenAI and/or Anthropic, for draft content and draft comment-response generation.
Transactional email provider — Resend, for approval notifications and other transactional email.
Meta Platforms — to the extent required to exercise the Instagram/Facebook permissions the customer granted via OAuth.
Professional service providers — auditors, legal counsel, bound by confidentiality.

Each of these recipients is contractually bound as a Service Provider, Contractor, or Third Party (as defined by CCPA) to use the personal information only for the purposes we specify. See our DPA template in dpa-templates/README.

Sale and sharing

Under 11 CCR §7011(a), businesses must provide a Notice of Right to Opt-Out of Sale/Sharing or state that no sale or sharing occurs. We do not sell or share personal information as those terms are defined at Cal. Civ. Code §§1798.140(ad) and (ah). We have not done so in the preceding 12 months. This section fulfills our 11 CCR §7011(a) notice obligation. We nevertheless maintain a "Do Not Sell or Share My Personal Information" page at [TODO verify citation — insert marketing-site URL] so that the explicit statement "We do not sell or share" is also available at a conspicuous link.

Global Privacy Control

Global Privacy Control (GPC). Cadence does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioral advertising as defined in Cal. Civ. Code §1798.140(ah). Because of this, no GPC opt-out signal needs to be acted upon — the underlying behavior the GPC signal is intended to control does not occur in our Service. We will update this section if our practices ever change.

8. Retention

We retain each category of personal information only as long as reasonably necessary for the purposes disclosed in Section 5, or as required by law, whichever is longer. Concrete retention periods per category are listed in ccpa-disclosures. In general:

Account and billing records — duration of the business customer relationship plus the applicable tax and contract limitations period.
Audit logs and webhook events — 12 months rolling.
Draft content and approval decisions — duration of the customer relationship unless a customer deletes earlier.
Public comment text fetched via the Meta APIs — only as long as the Meta platform itself exposes the comment, or as needed to respond, whichever is shorter.

9. Your Rights Under US State Privacy Laws

If you are a California resident, the CCPA gives you the following rights:

Right to know (§1798.110) — the categories of personal information we have collected about you, the sources, the business purposes, the categories of recipients, and the specific pieces of personal information we hold.
Right to delete (§1798.105) — subject to statutory exceptions.
Right to correct (§1798.106) — inaccurate personal information we maintain about you.
Right to opt out of sale or sharing (§1798.120) — not applicable because we do not sell or share.
Right to limit use of sensitive personal information (§1798.121) — not applicable because we do not collect sensitive personal information for purposes beyond those permitted by 11 CCR §7027(m).
Right of non-discrimination (§1798.125) — we will not deny you service, charge you different prices, or provide a different level of service because you exercised a CCPA right.

Residents of other US states with comprehensive privacy statutes (including, as they are in effect, VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, DPDPA, NH SB 255, NJ SB 332) have analogous rights. We handle requests from those residents on the same operational path as CCPA requests, recognizing state-specific differences in response time, appeal rights, and opt-out scope.

For residents of states that require a data protection assessment for certain processing activities (e.g., Colorado, Virginia, Connecticut, Texas, Minnesota), we are developing internal data-protection-assessment documentation as part of our privacy program and will complete those assessments before expanding processing of residents of those states at scale.

10. How to Submit a Request

You have two methods:

Web form — [TODO verify citation — insert DSR form URL].
Email — [Privacy Email] with the subject line "Privacy Rights Request" and the type of request you are making (Know, Delete, Correct, Opt-Out, or Limit).

You do not need to have an account with us to submit a request.

Authorized agents

You may designate an authorized agent to make a request on your behalf. The agent must provide (i) a written authorization signed by you, or a valid power of attorney under Cal. Prob. Code §§4000–4465, and (ii) verification of the agent's own identity. We may also ask you to verify your identity directly with us, or to confirm to us that you have given the agent permission.

Verification

We verify requests by matching identifiers you provide (e.g., the email address associated with account activity, or for a non-account consumer, the identifiers reasonably necessary to associate the request with information we hold). We will not ask for more information than reasonably necessary to verify your identity. Where we cannot verify the request at the level of confidence required by 11 CCR §7060 et seq., we will tell you and explain why.

Response times

We will confirm receipt within 10 business days and respond substantively within 45 calendar days. If we need more time, we may extend by an additional 45 calendar days, with notice to you explaining the reason.

Appeals

If we decline your request in whole or in part, you may appeal by replying to our response or emailing [Privacy Email] with "Privacy Rights Appeal" in the subject line. You may submit an appeal within the window provided by your state (typically 30–45 days from our decision). We will respond to appeals within 60 days of receipt, with a written explanation and notice of how to contact the relevant state Attorney General if you disagree. California residents may also contact the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy.

11. "Do Not Sell or Share My Personal Information"

We do not sell or share personal information as defined by the CCPA. A page titled "Do Not Sell or Share My Personal Information" is available at [TODO verify citation — insert marketing-site URL] and contains this statement in plain form.

12. Minors

The Service is a B2B SaaS that is not directed to consumers under 13, and our business customers do not direct children under 13 to comment on their accounts. We do not operate a direct consumer sign-up flow open to children. Our business customers (and their employees) using the Service are adult representatives of those businesses.

Personal information of minors may, however, be incidentally included in user-generated content (public comments, mentions, and direct messages sent to our customers' business accounts) that the Service processes on behalf of our business customers. Any such incidental personal information is handled as Service Provider personal information under each customer's own agreement with its audience and that customer's own privacy notices; it is not personal information we collect directly from minors.

If we acquire actual knowledge that a specific piece of user-generated content originates from a child under 13, we will cease processing that content, remove it from our systems, and coordinate with the relevant business customer to honor any parental-deletion request under the Children's Online Privacy Protection Act (COPPA) or other applicable law.

For consumers we have actual knowledge are aged 13–15, the CCPA opt-in requirement at Cal. Civ. Code §1798.120(c) applies only to selling or sharing personal information for cross-context behavioral advertising. Because we do not sell or share personal information in our current operation, that opt-in requirement is not triggered. If our practices change, we will update this policy and implement the opt-in flow before any sale or sharing occurs.

13. Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information, including encryption of OAuth tokens at rest, scoped internal service tokens between front-end BFF and backend API, cryptographic verification of Meta webhook signatures, and auditing of sensitive actions (approvals, publishes, replies). No system is perfectly secure.

14. International Users

The Service is designed for use in the United States. If you access the Service from outside the United States, you understand that your personal information will be transferred to and processed in the United States.

15. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last Updated" date at the top. Material changes will be announced to business customers by email and highlighted at the top of this page for at least 30 days.

16. How to Contact Us

Email: privacy@roadscg.com
Mail: [Company Legal Name], [Registered Address]
Privacy contact: [DPO / Privacy Contact Name]

For the detailed category-level disclosures required by 11 CCR §7011(e)(1), see ccpa-disclosures.

Privacy Policy

Effective Date: 2026-04-27
Last Updated: 2026-04-27

1. Who We Are

Contact for privacy matters:

Privacy Contact: [DPO / Privacy Contact Name]
Email: privacy@roadscg.com
Mailing Address: [Registered Address]

2. Scope

3. Categories of Personal Information We Collect

(A) Identifiers — e.g., name, email address, account username, IP address.
(B) Customer records information (Cal. Civ. Code §1798.80(e)) — e.g., business contact details of customer personnel.
(F) Internet or other electronic network activity information — e.g., server logs, product-usage telemetry.
(I) Professional or employment-related information — e.g., job title of the customer contact.
(K) Inferences — limited, derived from Service usage to improve content suggestions for the business customer.

Categories we do not collect

We do not knowingly collect personal information from children under 16, and the Service is not directed to children under 13.

Sensitive personal information

4. Sources of Personal Information

Directly from you or from the business customer — account registration, support interactions, content you upload.
Automatically, from your device — standard server logs, cookies strictly necessary for authentication and security.
From third-party platforms you connect — Meta's Instagram and Facebook Graph APIs (only after the business customer grants OAuth authorization).
From our sub-processors — limited operational data (e.g., email delivery receipts from Resend).

5. Business and Commercial Purposes

We process personal information for the following business and commercial purposes:

Providing the Service: generating draft social posts, scheduling publishing after human approval, analyzing and suggesting responses to public comments.
Operating human-in-the-loop approval workflows (email notifications to approvers; web UI for review).
Maintaining account security, authentication, and abuse prevention.
Auditing, debugging, and improving the quality of the Service.
Billing and contract administration with our business customers.
Complying with legal obligations and responding to consumer rights requests.

For the full purpose-per-category mapping, see ccpa-disclosures.

6. Automated Content Generation (AI Use Disclosure)

7. Disclosure of Personal Information

Categories disclosed for a business purpose

In the preceding 12 months, we have disclosed the categories listed in Section 3 to the following categories of recipients for the business purposes set out in Section 5:

Infrastructure and hosting providers — our VPS provider, which runs our self-hosted Postgres, Redis, and MinIO.
AI processing providers — OpenAI and/or Anthropic, for draft content and draft comment-response generation.
Transactional email provider — Resend, for approval notifications and other transactional email.
Meta Platforms — to the extent required to exercise the Instagram/Facebook permissions the customer granted via OAuth.
Professional service providers — auditors, legal counsel, bound by confidentiality.

Sale and sharing

Global Privacy Control

8. Retention

Account and billing records — duration of the business customer relationship plus the applicable tax and contract limitations period.
Audit logs and webhook events — 12 months rolling.
Draft content and approval decisions — duration of the customer relationship unless a customer deletes earlier.
Public comment text fetched via the Meta APIs — only as long as the Meta platform itself exposes the comment, or as needed to respond, whichever is shorter.

9. Your Rights Under US State Privacy Laws

If you are a California resident, the CCPA gives you the following rights:

Right to know (§1798.110) — the categories of personal information we have collected about you, the sources, the business purposes, the categories of recipients, and the specific pieces of personal information we hold.
Right to delete (§1798.105) — subject to statutory exceptions.
Right to correct (§1798.106) — inaccurate personal information we maintain about you.
Right to opt out of sale or sharing (§1798.120) — not applicable because we do not sell or share.
Right to limit use of sensitive personal information (§1798.121) — not applicable because we do not collect sensitive personal information for purposes beyond those permitted by 11 CCR §7027(m).
Right of non-discrimination (§1798.125) — we will not deny you service, charge you different prices, or provide a different level of service because you exercised a CCPA right.

10. How to Submit a Request

You have two methods:

Web form — [TODO verify citation — insert DSR form URL].
Email — [Privacy Email] with the subject line "Privacy Rights Request" and the type of request you are making (Know, Delete, Correct, Opt-Out, or Limit).

You do not need to have an account with us to submit a request.

Authorized agents

Verification

Response times

Appeals

11. "Do Not Sell or Share My Personal Information"

12. Minors

13. Security

14. International Users

15. Changes to This Policy

16. How to Contact Us

Email: privacy@roadscg.com
Mail: [Company Legal Name], [Registered Address]
Privacy contact: [DPO / Privacy Contact Name]

For the detailed category-level disclosures required by 11 CCR §7011(e)(1), see ccpa-disclosures.