Privacy Policy

Privacy Policy — 車査定ラボ SNS Auto Posting Service

Effective date: 2026-04-28
Last updated: 2026-04-28
Operator: 株式会社エメラルドオーシャン(以下「当方」)
Service: 車査定ラボ SNS Auto Posting Service(以下「本サービス」)

1. Scope of This Policy

This Privacy Policy describes how the Operator collects, uses, stores, and discloses information in connection with the operation of the Service. The Service performs automated posting of short-form video content to multiple social media platforms on behalf of authorized Brand Account holders (hereafter “Clients”).

The Service operates in a multi-tenant authorization-delegation model: Clients grant the Operator the necessary platform permissions, and the Operator publishes content on their behalf. The Operator is the data processor; each Client remains the data controller for their own brand account data.

This Policy applies to all Clients, end users of the Service, and any individuals whose personal data is processed via the Service.

2. Information We Process

2.1 Information from Clients (Brand Account Holders)

When a Client engages the Service, we process:

  • Client’s legal/business name, contact email, billing address (for service contracts)
  • Brand identity assets supplied by the Client (logo, brand name, target hashtags, content guidelines)
  • OAuth access/refresh tokens for the Client’s connected platform accounts:
  • Meta (Facebook Page Token, Instagram Business Account ID) via instagram_content_publish, pages_manage_posts, pages_read_engagement, business_management, instagram_basic
  • TikTok (Access/Refresh Token) via user.info.basic, video.upload, video.publish
  • YouTube (OAuth Refresh Token) via YouTube Data API v3 scopes youtube.upload, youtube
  • X / Twitter (OAuth tokens) via v2 API write scopes
  • Posting schedule configuration provided by the Client

2.2 Information Created by the Service

For each Client account, the Service generates:

  • Short-form video files (MP4, 1080×1920, 30fps)
  • Captions, titles, and hashtag sets
  • Voice-over audio files
  • Subtitle files (SRT/PNG)
  • Posting metadata (post ID, URL, timestamp, success/failure status)
  • Platform-returned post insights (impressions, reach, engagement) — limited to the Client’s own account

2.3 Information We Do NOT Collect

The Service does not collect or process:

  • Personal data of viewers, followers, or any other end users of the platforms
  • Comments, direct messages, or follower lists from the Client’s accounts (insights are aggregate-level only)
  • Watch-time data of identified individuals
  • Cookies, advertising identifiers, or cross-site tracking pixels
  • Biometric, health, financial, or government-issued identification data
  • Children’s personal data (Service is for content creators 18+ targeting general audiences)

3. Purpose of Processing

We process the information described in Section 2 solely for:

  • Generating and publishing content to the Client’s authorized platform accounts
  • Maintaining the technical operation of the Service (token refresh, scheduling, error reporting)
  • Producing aggregated performance reports to the Client
  • Complying with platform Terms of Service and applicable laws (景品表示法, GDPR principles, CCPA opt-out)

We do not sell, rent, or share the data with third parties for marketing or advertising purposes.

4. Data Storage and Security

Data typeStorage locationEncryptionRetention
OAuth tokensOperator’s local Mac, file mode 0600At-rest via macOS FileVault (full-disk encryption); in-transit TLS 1.2+Until Client revokes or platform expires
Generated videos & captionsOperator’s local Mac, project subdirectorymacOS FileVault90 days, then archived offline; or earlier upon Client request
Post metadata (insights)Operator’s local Mac CSV/JSON; optionally Google Sheets per ClientTLS in transit; Sheets at-rest by Google24 months or per Client agreement
Service logs (no PII)Operator’s local Mac log filesmacOS FileVault30 days rolling

The Operator does not transmit Client tokens or generated content to any cloud service except the official APIs of the target platforms (Meta Graph API, TikTok Content Posting API, YouTube Data API, X API).

5. Data Transmission and Third Parties

5.1 Platform APIs (necessary for the Service)

The Service communicates only with the following endpoints, all over HTTPS:

  • graph.facebook.com, rupload.facebook.com (Meta / Instagram)
  • open.tiktokapis.com (TikTok)
  • googleapis.com (YouTube)
  • api.twitter.com, api.x.com (X)
  • api.fish.audio (voice synthesis)
  • pixabay.com, mixkit.co, pexels.com (royalty-free stock footage retrieval)
  • api.anthropic.com (Claude API for caption generation, only generic prompts and Service-generated content — no Client OAuth tokens or end-user PII)

5.2 No advertising or analytics SDKs

The Service does not use any third-party advertising network, analytics SDK, retargeting service, or fingerprinting library.

6. Sharing with the Platforms

When the Service publishes content, the videos, captions, hashtags, and Client-account-level metadata are transmitted to the destination platform (Meta/TikTok/YouTube/X). After publication, that data is governed by each platform’s own Privacy Policy. The Operator does not retain end-user engagement data beyond the aggregated insights returned by the platform’s API for the Client’s own account.

7. Client and User Rights

7.1 Right to revoke authorization

A Client may revoke the Service’s access to their platform account at any time:

  • Meta: Settings → Business Integrations → Remove access for “car-satei-lab-i”
  • TikTok: Settings → Manage Apps → Revoke “車査定ラボ”
  • YouTube/Google: myaccount.google.com → Security → Third-party apps with account access → Remove
  • X: Settings → Security and account access → Apps and sessions → Revoke

Upon revocation, the Service will stop posting to that account on the next scheduled run.

7.2 Right to data deletion

A Client may request deletion of all stored data via the procedure documented in data_deletion.md. The Operator will delete:

  • All OAuth tokens for the Client
  • All generated videos, captions, and metadata associated with the Client
  • All log entries identifying the Client

within seven (7) business days of a verified deletion request, and confirm in writing.

7.3 Right to access and correction

Clients may request a copy of all data we hold about them and request correction of inaccurate data, by emailing the contact below.

7.4 Right to lodge a complaint

Clients in jurisdictions where applicable (e.g., EEA, UK, California) may lodge a complaint with their local data-protection authority.

8. International Transfers

Data may be transferred to and processed in jurisdictions where the Operator’s local environment or the platforms’ servers are located, including the United States, the European Union, and Japan. Where required by law, appropriate safeguards (Standard Contractual Clauses or equivalent) are in place.

9. Children’s Privacy

The Service is operated for and by adults. Content does not target children under 16, and the Service does not knowingly process the personal data of children. If we learn that we have processed such data, we will delete it promptly.

10. Compliance with Platform Policies

The Operator commits to:

  • Meta Platform Terms (Developer Policies, Platform Terms)
  • TikTok Developer Terms of Service and Community Guidelines
  • YouTube API Services Terms of Service and YouTube Community Guidelines
  • X Developer Agreement and Policy
  • Japanese Act on the Improper Use of Premiums and Misleading Representation (景品表示法)
  • Japanese Act on Specified Commercial Transactions (特定商取引法), where applicable

Content posted via the Service includes mandatory disclaimers (e.g., “※個人の事例。時期・車種・業者により変動”) and excludes prohibited claim language (「絶対」「100%」「最高額保証」 etc.) per automated validation in post_validator.py.

11. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated to active Clients by email at least 14 days before taking effect. The “Last updated” date at the top of this document indicates the current version.

12. Contact

For privacy or data protection questions, including data access, correction, or deletion requests:

  • Email: ikeda.naoya.1220@gmail.com
  • Postal address: 大阪府堺市西区鳳中町9丁目344-57
  • Operator: 株式会社エメラルドオーシャン

Response target: within 7 business days.