Privacy Policy
Effective date: 20 May 2026
This Privacy Policy describes how Marshall Matters Ventures Pte Ltd (“we”, “us”, “our”) collects, uses, stores, and discloses personal data when you use Pheme (the “Service”), available at https://pheme.marshallmatters.co. It is intended to comply with the Singapore Personal Data Protection Act 2012 (“PDPA”), the EU General Data Protection Regulation (“GDPR”) where applicable, and the disclosure requirements of third-party social platforms with whom we integrate (including TikTok).
1. Who we are
Pheme is operated by Marshall Matters Ventures Pte Ltd, a private company incorporated in Singapore, with its registered office at Singapore. Contact the data protection officer at privacy@marshallmatters.co.
2. Scope of this policy
This policy covers personal data we collect from two distinct groups:
- Operators — users we have authorised to sign in to the Service to create, schedule, and publish content on behalf of a brand we work with.
- Connected social-platform account holders — the owners of the social-media accounts (e.g. TikTok, Instagram, Publer) that an Operator connects to Pheme so that Pheme can post on the account's behalf.
It does not cover content viewers on third-party platforms; their data is governed by the platform's own privacy policy.
3. Information we collect
3.1 From Operators
- Identity & contact data: email address, display name. Provided when you sign in via magic-link or password.
- Session data: session tokens (HTTP cookies), IP address, user agent — used to authenticate requests and detect abuse.
- Personal Access Tokens (PATs): bearer credentials you generate to call our API programmatically. Stored hashed.
- Content metadata you create: templates, post captions, image prompts, schedule times, picked candidate images.
3.2 From connected social-platform accounts (e.g. TikTok)
When you connect a social-media account to Pheme (for example via TikTok Login Kit), we ask only for the minimum scopes needed to publish on your behalf. With your explicit consent, we collect:
- Account identifiers: the platform's opaque user ID (e.g. TikTok open_id and union_id), display name, avatar URL.
- OAuth credentials: short-lived access token, long-lived refresh token, expiry timestamps, granted scopes. Used solely to call the platform's content-posting API on your behalf.
- Publication results: the platform's post or publish ID returned after a successful schedule, plus any error messages, so you can review what was sent and audit failures.
For TikTok specifically, the OAuth scopes we may request are user.info.basic (display name + avatar) and photo.publish and/or video.publish (to publish content you have prepared). We do not request user.info.profile, user.info.stats, video.list, video.upload, or any other scope unless we describe it in this policy first.
3.3 From your browser
- Server logs: request paths, response codes, IP addresses, user agents. Retained for ≤ 30 days for security and debugging.
- Cookies: a single session cookie set by our authentication system (better-auth). We do not use third-party tracking cookies. We do not run advertising trackers.
4. How we use information
- Operate the Service: authenticate Operators, schedule posts, render images, send content to social platforms, show you the status of past activity.
- Communicate with you: sign-in magic-links and essential service notices. We do not send marketing email.
- Security and abuse prevention: detect suspicious sign-ins, rate-limit abuse, investigate incidents.
- Comply with law: respond to lawful requests, keep records as required by Singapore law and the law of jurisdictions where we operate.
We do not sell personal data, share it with data brokers, or use it to train machine-learning models outside our own Service.
5. Legal bases (GDPR, where applicable)
- Consent — when you connect a social-platform account and grant scopes via OAuth.
- Contract — to provide the Service you have engaged us for.
- Legitimate interests — security, fraud prevention, internal operations.
- Legal obligation — where retention or disclosure is required by law.
6. Sub-processors and disclosures
We share personal data only with the following categories of third parties, and only as needed to operate the Service:
- Hosting infrastructure: the cloud and server providers on which the Service runs. Data is processed in Singapore and other jurisdictions where our infrastructure is located.
- Connected social platforms (TikTok, Instagram, Publer, etc.): we send the content you have authorised us to post and the OAuth tokens you provided. Their use of this data is governed by their own privacy policies.
- Email delivery (for magic-link sign-in): a transactional email provider, when configured.
- Image discovery (Pinterest): when an Operator requests image candidates for a slide, we issue an automated search query against pinterest.com using server-side browser automation. The query text (an “image prompt” you wrote) is transmitted to Pinterest. No personal identifiers about the Operator or any connected social account are sent.
- Legal and regulatory bodies: if compelled by valid legal process.
We do not transfer personal data to a country outside Singapore without ensuring a comparable level of protection (e.g. via standard contractual clauses or equivalent safeguards), as required by PDPA Section 26.
7. Data retention
- Operator accounts: kept while your account is active and for up to 12 months after you ask us to close it (for dispute resolution).
- Connected social-platform OAuth tokens: kept until you disconnect the account, the refresh token expires, or you revoke access on the platform. We refresh access tokens automatically using the refresh token; we delete both promptly on disconnect.
- Published content metadata: retained while the underlying post exists on the social platform, and for up to 24 months thereafter for analytics and audit.
- Server logs: 30 days.
- Backups: encrypted backups overwritten on a 90-day rolling window.
8. Your rights
Subject to applicable law, you can:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Withdraw consent at any time — by disconnecting a social-platform account inside Pheme, or by emailing us.
- Delete your account and the personal data we hold about you, except where we are required to retain it by law.
- Object to or restrict processing on grounds of legitimate interest.
- Port your data to another service.
- Lodge a complaint with the Personal Data Protection Commission of Singapore (pdpc.gov.sg) or your local data-protection authority.
To exercise any of these rights, email privacy@marshallmatters.co. We will respond within 30 days.
9. How to delete your data
To remove your data from Pheme:
- In Pheme, disconnect every social-platform account you have connected. This revokes our OAuth credentials and asks the platform to invalidate the tokens.
- Email privacy@marshallmatters.co from the address on file requesting account deletion. We will confirm deletion within 30 days.
You may additionally revoke access to Pheme from each social platform's settings page (e.g. on TikTok: Settings → Privacy → Authorized apps).
10. Security
We protect personal data with technical and organisational measures including: TLS in transit; encryption at rest on disk; least-privilege database access controls; rotating server credentials; logging and alerting; principle of least scope on third-party API integrations; and restricting access to production data to a small named operator group. No system is perfectly secure; we will notify affected users and the relevant authorities promptly if a breach occurs.
11. Children
The Service is not directed to children under 13 (or under 16 where local law sets a higher age of consent). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be flagged in the Service before they take effect, and the effective date above will be updated. Continued use after the effective date constitutes acceptance of the updated policy.
13. Contact us
Marshall Matters Ventures Pte Ltd
Singapore
Email: privacy@marshallmatters.co