Privacy Policy
Last Updated: February 21, 2026
1. Introduction
Quetzal ("we," "us," or "our") operates the website located at quetztal.com and the associated AI-powered social media content generation, scheduling, and publishing platform (collectively, the "Service"). Quetzal is the data controller responsible for your personal data processed through the Service.
This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you visit our website, create an account, or use any features of the Service. It applies to all users worldwide, including those located in the European Economic Area ("EEA"), the United Kingdom, California, and other jurisdictions with comprehensive privacy legislation. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you register for an account, we collect your name, email address, and password credentials. Authentication is managed through Amazon Web Services Cognito ("AWS Cognito"), which securely stores your credentials and issues authentication tokens. If you sign up using a social login provider, we receive your name and email address from that provider. Account information may also be received from third-party authentication providers, including Google and Amazon, when you choose to sign in with those services. When you sign in with Google, we may also receive your profile picture. We may also collect a profile photo, display name, and any other information you voluntarily provide in your account settings.
2.2 Social Media OAuth Tokens and Account Data
To enable publishing, scheduling, and analytics features, you may connect one or more third-party social media accounts to the Service, including Facebook, Instagram, Twitter/X, LinkedIn, YouTube, TikTok, and Reddit. When you authorize a connection, we receive and store OAuth access tokens and refresh tokens issued by the respective platform. These tokens grant the Service permission to perform actions on your behalf, such as publishing posts, reading analytics, and managing content. We also receive basic profile information from the connected platform, such as your account name, profile picture URL, and account identifier. We do not store your social media passwords.
2.3 AI-Generated Content and Prompts
When you use the AI content generation features of the Service, we collect and store the prompts, instructions, brand guidelines, and preferences you provide, as well as the AI-generated content produced in response. This includes drafts, variations, approved posts, and any edits you make to generated content. We retain this data to provide the Service, to improve content generation quality for your account, and to display your content history.
2.4 Analytics Data
When you use the analytics features, we fetch engagement metrics, reach statistics, follower counts, impressions, click-through rates, and other performance data from your connected social media platforms using their respective APIs. This data is stored temporarily to render your analytics dashboard and is refreshed periodically to provide up-to-date insights.
2.5 Usage and Technical Data
We automatically collect certain technical information when you access the Service, including your Internet Protocol (IP) address, browser type and version, operating system, device type, screen resolution, referring URL, pages visited, features used, timestamps of interactions, and general geolocation data derived from your IP address. This information is collected through server logs, cookies, and similar technologies.
2.6 Communications
If you contact us via email, support forms, or other communication channels, we collect the content of your messages, your contact information, and any attachments you provide. We also retain records of customer support interactions for quality assurance and training purposes.
3. How We Use Your Information
We use your personal information for the following purposes, each paired with the applicable lawful basis under the General Data Protection Regulation (GDPR):
Service Delivery and Account Management (Lawful basis: Performance of a contract) — We use your account information, OAuth tokens, and content data to provide, operate, and maintain the Service, including generating AI content, scheduling and publishing posts to your connected platforms, and displaying your analytics dashboard.
Service Improvement and Product Development (Lawful basis: Legitimate interest) — We analyze aggregated and anonymized usage patterns, feature adoption rates, and error logs to improve the reliability, performance, and user experience of the Service. Our legitimate interest is in continually enhancing the product we offer to users.
Security and Fraud Prevention (Lawful basis: Legitimate interest) — We use technical data, IP addresses, and authentication logs to detect and prevent unauthorized access, abuse, fraud, and other security threats. Our legitimate interest is in protecting the Service and our users from malicious activity.
Customer Support (Lawful basis: Performance of a contract) — We use your communications and account data to respond to your inquiries, resolve issues, and provide technical support related to the Service.
Marketing and Promotional Communications (Lawful basis: Consent) — With your explicit opt-in consent, we may send you product updates, feature announcements, and promotional materials. You may withdraw your consent at any time by using the unsubscribe link in any marketing email or by updating your account preferences.
Legal Compliance and Regulatory Obligations (Lawful basis: Legal obligation) — We process and retain certain data as required by applicable laws and regulations, including tax and financial reporting requirements, responding to lawful government requests, and complying with data protection regulations.
4. Third-Party Services
The Service relies on trusted third-party providers to deliver its functionality. We carefully select partners that maintain robust privacy and security practices. Below is an overview of the key third parties involved in processing your data:
4.1 Amazon Web Services (AWS)
We use AWS for cloud hosting, data storage, and authentication services. Specifically, AWS Cognito manages user authentication and identity, Amazon DynamoDB stores application data, and AWS infrastructure hosts the Service. AWS processes data in accordance with the AWS Data Processing Addendum and maintains SOC 2, ISO 27001, and other industry certifications. For more information, see the AWS Privacy Notice.
4.2 Anthropic (Claude AI)
We use the Anthropic Claude AI API to power our content generation features. When you request AI-generated content, your prompts, brand guidelines, and related context are sent to Anthropic's API for processing. Importantly, Anthropic does not use data submitted through its API to train its models. Anthropic processes API inputs solely to generate the requested output and in accordance with its data usage policies. API inputs may be temporarily retained by Anthropic for abuse and safety monitoring for a limited period, after which they are deleted. For more information, see Anthropic's Privacy Policy.
4.3 Social Media Platforms
When you connect your social media accounts, the Service interacts with APIs provided by Meta (Facebook and Instagram), X Corp (Twitter/X), LinkedIn Corporation, Google (YouTube), TikTok (ByteDance), and Reddit. Each of these platforms has its own privacy policy that governs how they collect and process data. We only access and use the permissions you explicitly grant during the OAuth authorization flow. We encourage you to review the privacy policies of each platform you connect.
4.4 Google Authentication and API Services
Quetzal uses Google Sign-In / Google OAuth for user authentication. When you sign in with Google, we receive your name, email address, and profile picture from Google. This data is used solely to create and maintain your Quetzal account. We do not use Google data for advertising, data brokering, or AI model training.
Quetzal's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4.5 Amazon Authentication
Quetzal offers Login with Amazon as an authentication option. When you sign in with Amazon, we receive your name and email address. This data is used solely to create and maintain your Quetzal account. We do not share Amazon account data with third parties except as described in this policy.
4.6 Data Sharing Policy
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share your personal data with third parties except as described in this Privacy Policy (i.e., with service providers who process data on our behalf), when required by law, or with your explicit consent. In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, and we will notify you before your data becomes subject to a different privacy policy.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply to specific categories of data:
Account Data: Your account information (name, email, profile details) is retained for the duration of your account. Upon account deletion, we will delete or anonymize your account data within 30 days, except where retention is required by law.
OAuth Tokens: Social media access tokens and refresh tokens are retained for as long as the corresponding platform remains connected to your account. Tokens are deleted immediately upon disconnection of a platform or deletion of your account.
AI-Generated Content and Prompts: Your prompts, generated content, and brand guidelines are retained for the duration of your account. Upon account deletion, this data is deleted within 30 days.
Analytics Data: Social media analytics data fetched from connected platforms is retained for up to 12 months to enable trend analysis and historical reporting. After 12 months, analytics data is aggregated and anonymized.
Payment and Billing Records: Transaction records, invoices, and payment history are retained for 7 years after the date of the transaction, as required by applicable tax and financial reporting regulations.
Server Logs and Technical Data: Server access logs, error logs, and technical diagnostic data are retained for 90 days, after which they are automatically purged.
Customer Support Communications: Support tickets and correspondence are retained for 2 years after the issue is resolved, to allow for follow-up and quality assurance review.
Marketing Consent Records: Records of your consent to receive marketing communications are retained for as long as the consent is active, plus 3 years after withdrawal of consent, to demonstrate compliance with applicable regulations.
6. Your Privacy Rights
6.1 Rights Under the GDPR (EEA and UK Residents)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation and the UK GDPR:
Right of Access: You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
Right to Erasure: You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing, subject to certain legal exceptions.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.
Right to Object: You have the right to object to the processing of your personal data based on our legitimate interests. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your member state of habitual residence, place of work, or place of the alleged infringement if you believe that our processing of your personal data infringes the GDPR.
To exercise any of these rights, please contact us at privacy@quetztal.com. We will respond to your request within 30 days, as required by the GDPR.
6.2 Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions provided by law.
Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Opt-Out of Sale or Sharing: We do not sell your personal information, nor do we share it for cross-context behavioral advertising purposes. Therefore, there is no need to opt out. However, if our practices change in the future, we will provide a "Do Not Sell or Share My Personal Information" link.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, quality of service, or access to features based on your exercise of these rights.
To exercise your CCPA/CPRA rights, please contact us at privacy@quetztal.com. We will verify your identity before fulfilling your request and will respond within 45 days, as required by the CCPA.
6.3 Data Deletion
You may request deletion of your personal data at any time. Visit our Data Deletion page at /data-deletion for instructions, or email privacy@quetztal.com.
If you connected via Facebook or Instagram, you can also initiate deletion from your Facebook Settings by removing the Quetzal app. This triggers our automated data deletion process.
7. Cookies and Tracking
We use cookies and similar tracking technologies to operate and improve the Service. A cookie is a small text file stored on your device when you visit our website. We use the following categories of cookies:
Essential Cookies: These cookies are strictly necessary for the operation of the Service. They enable core functionality such as user authentication, session management, and security features. Because these cookies are essential, they cannot be disabled without affecting the functionality of the Service.
Functional Cookies: These cookies enable enhanced features and personalization, such as remembering your preferences, display settings, and previously connected accounts. While not strictly necessary, they improve your experience when using the Service.
Analytics Cookies: These cookies help us understand how visitors interact with the Service by collecting information about pages visited, time spent on pages, features used, and errors encountered. This data is aggregated and anonymized and is used solely to improve the Service. Analytics cookies are only placed with your consent.
Third-Party Authentication Cookies: When you sign in using a third-party authentication provider such as Google, Amazon, or Facebook, those providers may set their own cookies during the sign-in process. These cookies are governed by the respective provider's cookie and privacy policies. For more information, see the Google Privacy Policy, Amazon Privacy Notice, and Meta Privacy Policy.
You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of our website. Most web browsers also allow you to control cookies through their settings. Please note that disabling essential cookies may prevent you from using certain features of the Service.
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
Encryption in Transit: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher. All API communications between the Service and third-party providers are also encrypted using TLS.
Encryption at Rest: All data stored in our databases and storage systems is encrypted at rest using AES-256 encryption. Encryption keys are managed through AWS Key Management Service (AWS KMS), which provides centralized control over cryptographic keys with hardware security module (HSM) backing.
Access Controls: Access to personal data is restricted to authorized personnel who require it to perform their job functions. We enforce the principle of least privilege, use multi-factor authentication for administrative access, and maintain audit logs of all data access events.
Infrastructure Security: The Service is hosted on AWS infrastructure, which maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and other compliance certifications. We conduct regular security assessments and vulnerability scans to identify and remediate potential threats.
While we strive to protect your personal data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected users and relevant authorities in the event of a data breach, in accordance with applicable law.
9. International Data Transfers
The Service is operated from the United States, and your personal data is primarily processed and stored on servers located in the United States. If you are accessing the Service from outside the United States, including from the European Economic Area, the United Kingdom, or other jurisdictions with data protection laws that differ from those in the United States, please be aware that your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EEA and the UK to the United States, we rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as applicable. Where the Data Privacy Framework does not apply, we use Standard Contractual Clauses (SCCs) approved by the European Commission as a lawful mechanism for transferring personal data to countries outside the EEA. We also implement supplementary measures where necessary to ensure that the level of data protection required by the GDPR is maintained.
You may request a copy of the Standard Contractual Clauses or other transfer mechanisms we rely on by contacting us at privacy@quetztal.com.
10. Children's Privacy
The Service is not directed at, and is not intended for use by, children under the age of 13 (or under the age of 16 in the European Economic Area and the United Kingdom). We do not knowingly collect personal information from children under these age thresholds. If we become aware that we have inadvertently collected personal data from a child under the applicable minimum age, we will take steps to delete that information as promptly as possible. If you believe that a child under the applicable age has provided us with personal information, please contact us at privacy@quetztal.com, and we will investigate and take appropriate action.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will provide at least 30 days' advance notice before the changes take effect. Notice will be provided by posting the updated policy on our website with a revised "Last Updated" date, by sending an email notification to the address associated with your account, or by displaying a prominent notice within the Service. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Email: privacy@quetztal.com
Website: quetztal.com
For GDPR-related inquiries, you may also contact our Data Protection Officer at the email address above. We will endeavor to respond to all privacy-related inquiries within 30 days of receipt.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.