Privacy Policy
Last updated: May 1, 2026 · Effective date: April 19, 2026
Pochi ("the Service") is a multi-platform social media automation tool operated by Icery.tw, an independent developer based in Taiwan. It lets creators connect their Instagram, Threads, Facebook Page, YouTube, and TikTok accounts, then configure automated flows that respond to comments across those platforms and publish content to multiple platforms from one interface. This policy describes what information we collect, how we use it, and how you can control it.
Contact: Icery@Icery.tw
1. Information We Collect
When you connect a social account via OAuth (Instagram, Threads, Facebook, YouTube, or TikTok), we collect:
- Your account identifier, username (and display name / avatar URL where the platform exposes them) on that platform
- A long-lived access token (or access + refresh token pair for YouTube and TikTok) that lets the Service act on your behalf within the scopes you granted. All refresh tokens are encrypted at rest server-side; access tokens are short-lived and refreshed on demand
- Platform content required to evaluate your automation rules: comments on your posts, post captions, post metadata (published timestamp, permalink), and the commenter's public display name
- Metadata about automation events (timestamps, matched flow, action results, short link click counts)
- For publishing flows: the video / image / caption you uploaded into Pochi for distribution to your selected target platforms
We do not collect: your password, payment information, contact lists, private messages you haven't explicitly routed through an automation, or any content unrelated to the Service's operation.
2. How We Use Information
- Matching incoming comments across connected platforms against the flows you configure
- Posting automated replies (public comment or DM, where the platform supports it) on your behalf
- Generating short links and tracking click metrics so you can measure automation effectiveness
- Displaying event logs, connection status, and statistics inside the Service's dashboard
- Debugging and improving the Service
We do not sell, rent, or share your data with third parties for advertising or marketing purposes.
3. Data Storage & Security
Account metadata, access tokens, flow definitions and event logs are stored in a MongoDB Atlas cluster with TLS in transit. Access tokens are held only as long as needed to operate the Service and are never exposed to third parties.
Media files: When you upload a video through the compose page, the file is stored in Cloudflare R2 object storage under a public custom domain (media.pochi.icery.tw) so that target platforms (Instagram, Threads, Facebook, YouTube, TikTok) can fetch it for publishing. Encryption at rest is enabled on the bucket (R2 server-side encryption). After a successful publish, R2 objects are kept for 7 days for retry / re-publish purposes, then purged automatically by a daily lifecycle job. A separate cleanup job removes any orphaned R2 object that isn't tracked by the database within 24 hours.
4. Your Rights
- Disconnect from inside Pochi: click the ✕ icon next to any connected platform card on the home page. The OAuth token, refresh token, and cached metadata for that connection are immediately deleted from our database, and Pochi stops processing events for that account.
- Disconnect at the platform side: you may also revoke Pochi's access from the platform's own settings (e.g. Instagram > Settings > Apps and Websites; YouTube > Google Account permissions; TikTok > Settings > Privacy > Apps and websites). Pochi detects revocation on the next API call and removes the stale token.
- Full account deletion: see /data-deletion for the complete process. We respond within 7 days.
- Export data: you may request a copy of your data stored by the Service at any time by emailing Icery@Icery.tw.
5. Data Retention
Event logs are retained for up to 90 days. Access tokens are retained until you disconnect or the Service is decommissioned. Aggregated, anonymized statistics may be retained indefinitely for analytical purposes.
6. Third-Party Services
The Service interacts with the following third parties on your behalf:
- Meta Platforms (Instagram Graph API, Threads API, Facebook Graph API) — to read comments, post replies, send DMs, and publish videos where supported
- Google (YouTube Data API v3) — to list your videos, reply to comments, and upload videos you compose through the Service
- TikTok (Login Kit + Content Posting API) — to read your TikTok display name and avatar for UI display, and to upload the videos you compose through Pochi to your own TikTok account, with caption / hashtags / privacy / comment-duet-stitch settings you specify in the Pochi compose page
- MongoDB Atlas — AES-256 at rest, TLS-protected in transit. Stores your connection refresh tokens (encrypted), flow definitions, and event logs
- Anthropic (Claude API) — for optional AI-generated reply content / caption drafts. Only user-explicitly-typed prompts and templates are sent. Platform user data (comments, post metadata, OAuth tokens) is never sent to Anthropic
- Vercel — hosting and serverless execution
- Cloudflare R2 — object storage for videos you upload to be published; the bucket is served at media.pochi.icery.tw so that platforms can fetch the file to re-host on their own infrastructure. Server-side encryption at rest is enabled. Successfully-published media is retained 7 days for retry, then purged by a daily lifecycle job. Unreferenced uploads are purged within 24 hours by a separate cleanup job.
Each of these providers has its own privacy policy. We only send them the data strictly required to complete the requested action.
7. Children's Privacy
The Service is not intended for users under 16. We do not knowingly collect information from children.
8. Changes to This Policy
We may update this policy from time to time. Material changes will be announced on this page and/or communicated via email to connected accounts at least 30 days before taking effect.
9. Contact
Questions or concerns? Email Icery@Icery.tw.