Privacy Policy

ReachXpand · Operated by Nextoria Information Technology LLC

Last Updated: June 2, 2026

1. Introduction

Nextoria Information Technology LLC (“Nextoria,” “we,” “us,” or “our”) operates the ReachXpand application (“the App”). This Privacy Policy explains what data we collect, why we collect it, how we protect it, and your rights over it.

By using the App, you agree to the practices described in this Policy. If you do not agree, please discontinue use and contact us at info@nextoria.ae to request deletion of your data.

2. Data We Collect

2.1 Account Information

When you register, we collect your name, email address, and any profile information you provide.

2.2 Connected Social Media Accounts

When you connect a social platform via OAuth, we store:

  • Platform-specific access tokens and refresh tokens (encrypted at rest with AES-256)
  • Platform user ID, page names, page IDs, and ad account identifiers
  • Token expiry dates and last-successful-call timestamps
  • The OAuth scopes you granted

Supported platforms: Google (YouTube), Facebook, Instagram, LinkedIn, X (Twitter), TikTok, Snapchat, and Telegram.

2.3 Content You Create

  • Posts, captions, images, and videos you draft or publish through the App
  • Scheduled post data and publishing history
  • Content planner entries, brand voice profiles, and user goals
  • Strategy clone configurations

2.4 Data Processed by AI Features

When you use AI-powered features (content optimization, onboarding, reply suggestions, Strategy Clone), the following data is transmitted to Google Gemini for processing:

  • Your post text and media type
  • Your brand voice settings (tone, industry, target audience)
  • Your user goals and content style preferences
  • For reply suggestions: The text of incoming messages received on your connected social accounts.
  • For YouTube specifically: incoming viewer comment text is sent to Gemini only when you have explicitly enabled AI reply suggestions for YouTube. Suggested replies are presented as drafts and are only submitted to YouTube after you, the channel owner, review and approve them. The app does not post YouTube comments autonomously.

This data is sent to Google’s Gemini API solely to generate a real-time response for you. We do not store these API requests beyond what is needed to display the result.

2.5 Analytics Data (Background)

We periodically fetch the following from your connected platforms on your behalf:

  • Follower counts and growth metrics
  • Post impressions, reach, engagement rates, and video views
  • YouTube channel statistics

2.6 Google Calendar Sync

If you connect Google Calendar, we sync event titles and dates to schedule social posts. Deleting a calendar event automatically deletes the corresponding scheduled post.

2.7 Technical & Log Data

  • Last API call timestamps per platform connection
  • Error messages from failed API calls (stored per connection)
  • AutoReply log entries (incoming message metadata and AI-generated reply text)

3. How We Use Your Data

Data | Purpose | Feature
Account credentials | Authentication & account management | All
OAuth tokens | Making API calls to social platforms on your behalf | All posting & analytics features
Post content | Publishing, scheduling, AI-assisted optimization | Post, ContentPlanner, Schedule
Brand voice & goals | Personalizing AI-generated content suggestions | Post, AutoReply, StrategyClone
Incoming messages | Generating reply drafts via Google Gemini — drafts are submitted only after user review and approval | AutoReply
Analytics metrics | Displaying performance data in your dashboard | Analytics, Dashboard
Calendar events | Coordinating scheduled social media posts | Schedule, Calendar Sync

We do not use your data for advertising, sell it to third parties, or use it to train any AI or machine learning model. This applies to all data — including data received from TikTok, Meta (Facebook/Instagram), Google, X, LinkedIn, and Snapchat platforms.

4. AI Processing Disclosure

The App uses Google Gemini (operated by Google LLC) to power content suggestions, onboarding guidance, AutoReply generation, and strategy analysis.

  • Content you write, and messages received on your social accounts (including TikTok, Instagram, Facebook, X, and LinkedIn), may be transmitted to Google Gemini for real-time processing.
  • Google processes this data under its own Privacy Policy and Generative AI Additional Terms.
  • We do not use your data, or data received from any social platform, to train AI models. We use Google’s Gemini API under terms that do not permit Google to use API inputs for model training.

Per-platform commitments: We do not use TikTok, X (Twitter), Meta, Google, LinkedIn, or Snapchat account data, message content, or media for AI training, advertising profiling, or any model training pipeline. Platform data is accessed solely to perform the action you requested (publish, fetch analytics, generate a reply for you).

5. Google API Services — Data Access, Use & Disclosures

Our use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

This section describes, in detail, the Google APIs we access (YouTube Data API v3, YouTube Analytics API, Google Calendar API, and Google OAuth), the specific data each OAuth scope authorizes us to read or write, how we use it, and how you can revoke our access at any time.

5.1 Google Data We Access

When you sign in with Google or connect your YouTube channel to ReachXpand via OAuth, we may access the following Google data, depending on the scopes you grant:

  • Identity (openid, profile, email): your Google account ID, name, profile picture URL, and email address — used to create and identify your ReachXpand account.
  • Google Calendar (calendar, calendar.events): event title, time, and event ID for events that ReachXpand creates on your calendar to mirror posts you schedule inside the app. We only write events the app itself created; we do not read any other events on your calendar.
  • YouTube channel info (youtube.readonly): your channel ID, channel title, channel statistics (subscriber count, view count), and the list of your uploaded videos — used to confirm the correct channel is connected and to associate analytics. Endpoints: channels?mine=true, videos.list.
  • YouTube uploads (youtube, youtube.upload): used solely to upload videos you explicitly compose and submit through the ReachXpand post composer, and to set their title, description, tags, and privacy. Endpoints: videos.insert, videos.update.
  • YouTube comment replies (youtube.force-ssl): required by the YouTube Data API for the comments.insert endpoint, used solely to post replies that you, the channel owner, author within ReachXpand to viewer comments on your videos. The app does not post YouTube comments autonomously, and does not modify or delete any comments authored by other users.
  • YouTube analytics (yt-analytics.readonly): read-only access to aggregated channel performance metrics (views, watch time, subscribers gained/lost) used to populate the YouTube analytics dashboard inside ReachXpand.

5.2 How We Use Google Data

  • To display your YouTube channel, scheduled posts, calendar events, and analytics inside ReachXpand.
  • To publish videos and post comment replies on YouTube only after you initiate the action inside the app.
  • To mirror posts you schedule onto your Google Calendar so you can see your content pipeline alongside other commitments.
  • To generate optional reply drafts via Google Gemini, when you have explicitly enabled AI reply suggestions. Suggested replies are presented as drafts; only replies you review and approve are submitted to the YouTube API.

5.3 What We Do NOT Do With Google Data

  • We do not use Google user data for advertising, audience profiling, or marketing analytics directed at any party.
  • We do not use Google user data, including YouTube comment text, video metadata, or channel statistics, to train AI or machine learning models — either our own or any third party’s.
  • We do not sell, rent, or otherwise transfer Google user data to any third party, except as strictly necessary to provide a feature you requested.
  • We do not modify or delete videos or comments that were not authored by the connected channel owner.
  • We do not post videos, comment replies, or calendar events without an explicit action by you inside the app.
  • We do not read any Google Calendar events that ReachXpand did not create.
  • We do not retain Google user data longer than necessary to deliver the feature for which it was collected (see Section 10 for retention windows).

5.4 Sub-Processor for Google Data

The only sub-processor that may receive Google-derived data is Google LLC (Gemini API), used solely to generate optional AI-assisted reply drafts when you have explicitly enabled this feature for a relevant YouTube comment. Because Gemini is operated by Google, Google user data sent to Gemini remains within the Google ecosystem and is processed under Google’s own privacy terms. Google does not use Gemini API inputs to train its models under the API terms applicable to our account. No Google user data is shared with any third party outside of Google.

5.5 Required YouTube Disclosures

By using the YouTube features of ReachXpand, you also agree to and acknowledge the following:

You may review and manage all third-party app permissions for your Google account at any time at https://myaccount.google.com/permissions, and your Google security settings at https://myaccount.google.com/security.

5.6 Revoking Google & YouTube Access

You can revoke our app’s access to your Google account, YouTube channel, and Calendar, and delete all Google-derived data we hold about you, in two ways:

  1. From within ReachXpand: Social Media → YouTube → Disconnect, and Account Settings → Disable Google Calendar Sync. This immediately revokes our stored tokens, deletes locally cached YouTube comment data and analytics, and stops all background calendar sync.
  2. From Google: visit https://myaccount.google.com/permissions, find ReachXpand, and click Remove access. Google will invalidate our tokens immediately. Any Google-derived data we hold will then be purged from our active systems within 24 hours and from backup snapshots within 7 days.

For deletion requests by email, contact info@nextoria.ae with the subject line “Google Data Deletion Request — ReachXpand”, and we will confirm completion within 30 days.

6. TikTok Platform Data — Business Messaging & Content APIs

Our access to and use of data received from TikTok APIs (including the TikTok for Developers Content Posting API and the TikTok Business Messaging API) adheres to TikTok’s Developer Terms of Service, Content Sharing Guidelines, and the TikTok Privacy Policy.

6.1 TikTok Data We Access

When you connect your TikTok account (Personal, Creator, or Business) to ReachXpand via OAuth, we may access the following TikTok platform data, depending on the scopes you grant:

  • Profile basics (user.info.basic): your TikTok open_id, union_id, display name, and avatar URL — used to identify which connected account is acting.
  • Video upload & publish (video.upload, video.publish): the videos and captions you choose to publish through ReachXpand are uploaded to TikTok using the Content Posting API.
  • Business Messaging (biz.message.read, biz.message.write — only if you connect a TikTok Business account): incoming direct messages sent to your Business inbox by TikTok users, including the message text, sender’s TikTok identifier (open_id), display name, attachments, and timestamps. Used solely to display your inbox and enable manual or AI-assisted replies that you have explicitly configured.

6.2 How We Use TikTok Data

  • To display your TikTok content, scheduled posts, and (for Business accounts) message inbox inside ReachXpand.
  • To publish posts and send replies on your behalf only after you initiate the action or enable an auto-reply rule.
  • To generate AI-assisted reply suggestions via Google Gemini, when you have enabled this feature for the relevant TikTok rule.

6.3 What We Do NOT Do With TikTok Data

  • We do not sell or rent TikTok user data to any third party.
  • We do not use TikTok user data, message content, sender identifiers, or media to train AI or machine learning models — either our own or any third party’s.
  • We do not use TikTok data for advertising, audience profiling, or marketing analytics directed at any party other than the connected account owner.
  • We do not share TikTok data with sub-processors except as strictly necessary to deliver the feature you requested (Google Gemini for reply generation; our database hosting provider for storage).
  • We do not aggregate, anonymize, or combine TikTok data with data from other users or other platforms to build profiles.
  • We do not retain TikTok message data longer than required to deliver the inbox experience (see retention policy in Section 6.5 below).

6.4 Sub-Processor for TikTok Data

The only sub-processor that may receive TikTok-derived data is Google LLC (Gemini API), used solely to generate AI-assisted reply text when you have enabled auto-reply rules for a TikTok conversation. Gemini operates under its own privacy terms and Google does not use API inputs to train its models. No TikTok data is shared with any other third party for any purpose.

6.5 TikTok-Specific Retention

  • TikTok OAuth tokens: retained until you disconnect TikTok or delete your account.
  • TikTok Business Messaging conversations & message content: retained for a rolling 90 days from the date the message was received, then automatically purged. You may delete individual conversations earlier from the AutoReply Activity Log at any time.
  • TikTok publishing history (post text, references to media you uploaded): retained until you delete the post or your account.
  • TikTok analytics (impressions, views, engagement counts) fetched via API: cached up to 30 days for dashboard display, then refreshed.

6.6 Revoking TikTok Access & Deleting TikTok Data

You can revoke our app’s access to your TikTok account and delete all TikTok-derived data we hold about you in two ways:

  1. From within ReachXpand: Social Media → TikTok → Disconnect. This immediately revokes our token, deletes locally cached message data and analytics, and unsubscribes from TikTok webhooks.
  2. From TikTok: open the TikTok app → Settings and privacy → Security and permissions → Manage app permissions → ReachXpand → Revoke access. TikTok will notify our system, which will then purge all related data within 24 hours.

For deletion requests by email, contact info@nextoria.ae with the subject line “TikTok Data Deletion Request” and we will confirm completion within 30 days.

7. Data Deletion Instructions

7.1 Self-Service In-App Deletion

You may delete your account and all associated data at any time, directly within the App, by visiting Account Settings → Delete My Account. After confirming your password, we immediately and permanently delete:

  • Your account and profile information
  • All connected social media account tokens (and we revoke app permissions at each platform)
  • All posts, drafts, schedules, and content planner data
  • All analytics data, brand voice profiles, and AutoReply configurations
  • All uploaded media files stored on our servers

If you are unable to access your account, you may alternatively email info@nextoria.ae with the subject line “Data Deletion Request — ReachXpand” and we will process your request within 30 days.

7.2 Facebook / Meta — Revoking App Access

If you connected your Facebook or Instagram account and wish to remove our access and delete data we received via the Facebook Platform:

  1. Go to your Facebook Account Settings → Security and Login → Apps and Websites
  2. Find ReachXpand and click Remove
  3. Facebook will automatically notify our system via a Data Deletion Callback, which triggers immediate deletion of all data associated with your Facebook account

You will receive a confirmation code and a status URL at /facebook/deletion-status where you can verify completion.

7.3 TikTok — Revoking App Access

See Section 6.6 above for the dedicated TikTok revocation process.

7.4 Google & YouTube — Revoking App Access

See Section 5.6 above for the dedicated Google & YouTube revocation process.

8. Third-Party Services & Data Sharing

We share data with the following services only to the extent necessary to operate the App:

Service | Purpose | Data Shared | Data Region
Google Gemini API | AI content generation & reply suggestions | Post content, brand voice, incoming message text | United States
Google APIs (YouTube, Calendar) | Publishing & calendar sync | Video content, calendar events, channel analytics | United States
Facebook / Instagram Graph API | Post publishing, analytics, DM auto-reply | Post content, page access tokens, incoming messages | United States / Ireland
LinkedIn API | Post publishing, comment management | Post content, comment text | United States
X (Twitter) API v2 | Post publishing, analytics, DM auto-reply | Tweet content, incoming DMs | United States
TikTok Content Posting API | Video publishing | Video file, caption text, privacy preferences | Singapore / United States
TikTok Business Messaging API | Receiving and replying to DMs sent to your TikTok Business inbox | Message text, sender identifier, timestamps, AI-generated replies you choose to send | Singapore / United States
Snapchat Marketing API | Ad account access | OAuth credentials | United States
Telegram Bot API | Messaging features | Messages sent via connected bot | Multiple (Telegram-managed)
SendGrid | Transactional email | Email address only | United States
SmarterASP.NET | Application hosting & database storage | All data stored at rest | United States

We do not integrate Meta Pixel, Google Analytics, or any behavioral tracking SDKs. We do not sell or rent your personal data to any third party. We do not share platform data with any sub-processor not listed above.

9. Data Security & Incident Response

9.1 Technical Safeguards

  • AES-256 encryption at rest for all OAuth access tokens and refresh tokens stored in our database
  • HTTPS (TLS 1.2+) for all data in transit — all connections between your browser and our servers are encrypted; HTTP requests are automatically redirected to HTTPS
  • HMAC-SHA256 signed state tokens to prevent cross-site request forgery (CSRF) during OAuth authorization flows
  • PKCE (Proof Key for Code Exchange) for X/Twitter OAuth to prevent authorization code interception
  • Session and authentication cookies enforced with Secure and HttpOnly flags
  • Webhook signature verification (HMAC-SHA256) for all inbound platform events (Meta, TikTok, X)
  • Role-based access control on internal systems; production credentials are never logged
  • Automated daily backups of the production database with 7-day retention

9.2 Incident Response & Breach Notification

In the event of a data breach or security incident affecting your personal data, we will:

  • Notify affected users by email within 72 hours of confirmed discovery, in accordance with GDPR Article 33 and UAE PDPL requirements.
  • Notify the relevant supervisory authority (e.g., UAE Data Office, EU Data Protection Authorities) within the timelines required by applicable law.
  • Notify affected platform partners (TikTok, Meta, Google, X, LinkedIn) where the incident involves data received via their APIs, within the timelines specified in their developer terms.
  • Publish a post-incident report describing the scope, root cause, remediation, and preventive measures.

While we take commercially reasonable steps to protect your data, no system is 100% secure. Please notify us immediately at info@nextoria.ae if you suspect unauthorized access.

10. Data Retention

Data Category | Retention Period
Account and profile data | Until account deletion
OAuth tokens (all platforms) | Until you disconnect the platform or delete your account
Published post history | Until you delete your account
Cached analytics metrics | 30 days rolling, then refreshed from source
AutoReply message logs (Instagram, Facebook, X, LinkedIn) | 90 days rolling, then automatically purged
TikTok Business Messaging conversations & content | 90 days rolling, then automatically purged (see Section 6.5)
Server access logs | 30 days, then deleted
Backup snapshots | 7 days, then deleted

We do not retain data longer than necessary for the purposes described in this Policy. Upon account deletion, data is permanently removed from our active systems within 24 hours and from backup snapshots within 7 days.

11. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Right | Description
Access | Request a copy of the personal data we hold about you
Correction | Request correction of inaccurate data
Deletion (Erasure) | Request permanent deletion of all your data
Portability | Request your data in a machine-readable format
Restriction | Request that we limit how we process your data
Opt-Out of AI Processing | Disable AI-assisted features (AutoReply, content suggestions) to prevent your data from being sent to Google Gemini
Withdraw Consent | Revoke OAuth permissions for any connected platform at any time

Applicable frameworks: EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), and India’s Digital Personal Data Protection Act (DPDP) 2023.

To exercise any of these rights, email info@nextoria.ae. We will respond within 30 days. Residents of the EU/EEA may also lodge a complaint with their local data protection authority.

12. Children’s Privacy

The App is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@nextoria.ae.

13. International Data Transfers

Nextoria is based in Dubai, UAE. When you connect social platforms, data may be transferred to and processed in the United States, Singapore, Ireland, and other countries where these platforms operate (see Section 8 for per-service regions). We rely on your explicit consent (provided via OAuth authorization) and, where applicable, standard contractual clauses or equivalent safeguards for such transfers. TikTok user data may be processed in TikTok’s data centers located in Singapore, Malaysia, the United States, and Ireland, in accordance with TikTok’s data residency policies.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification. The “Last Updated” date at the top will always reflect the most recent revision. Continued use of the App after a revision constitutes acceptance of the updated Policy.

15. Contact Us

Nextoria Information Technology LLC

Airport Rd, Al Garhoud, Dubai, United Arab Emirates

Email: info@nextoria.ae

  • Data Deletion Requests: Subject — Data Deletion Request — ReachXpand
  • Data Access / Portability Requests: Subject — Data Access Request — ReachXpand
  • TikTok Data Deletion: Subject — TikTok Data Deletion Request
  • Security / Breach Reports: Subject — Security Incident Report