Effective date: 2026-04-30
Version: 1.0.0
This Privacy Policy explains how BCAX LLC ("we", "us", "Contentko") collects, uses, shares, and protects personal data when you use contentko.com and any related Contentko domain (collectively, the "Service"). It supplements our Terms of Service, Cookie Policy, Acceptable Use Policy, AI Content Disclosure Policy, OAuth Disclosures, and DMCA Policy.
1. Who we are
Contentko is operated by BCAX LLC, Wyoming, USA — see Legal Entity below.
2. What we collect
Categories of Personal Data We May Collect
| Category | Examples | Source |
|---|---|---|
| Identity & Contact | Name, email, phone, business name, role | You, when you sign up or contact us |
| Account & Authentication | Account ID, hashed password, OAuth tokens (Google, TikTok, Meta, where applicable), 2FA secrets | You; identity providers |
| Billing & Transaction | Billing address, last 4 digits of card, Stripe customer ID, invoice history | You; Stripe (we never store full card numbers) |
| Usage & Telemetry | IP address, browser/device, pages visited, feature interactions, referrer | Automatically, via cookies and server logs |
| Content You Provide | Files, messages, prompts, lists, listings, reviews you upload to the service | You |
| Communications | Support tickets, emails to/from us, chat transcripts | You and us |
| Cookies & Similar Tech | First-party session cookies, anti-CSRF tokens, optional analytics cookies | Your browser |
Categories of Sensitive Data
We do not intentionally collect sensitive personal data (health, biometrics, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, precise geolocation) unless you voluntarily provide it in user-generated content. Where collected, processing is based on your explicit consent (Art. 9(2)(a) GDPR).
Children's Data
Our services are not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
In addition, when you connect a third-party account, we receive:
- Google OAuth tokens — for Drive (asset management) and Calendar (post scheduling) where you grant those scopes; details in OAuth Disclosures
- TikTok OAuth tokens — for Direct Post / Display API
- Meta OAuth tokens — for Facebook / Instagram publishing
- Frame.io credentials — where you connect Frame.io for video review
- AI prompts and outputs you generate — temporarily processed by Anthropic Claude or OpenAI; not used to train external models under our enterprise API contract
3. Why we collect it (legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Service | Contract — Art. 6(1)(b) |
| Authenticate you (OAuth, password, MFA) | Contract |
| Generate AI content on your prompt | Contract |
| Publish content to TikTok / Meta / Google on your instruction | Contract |
| Bill you / process Stripe payments | Contract |
| Detect prompt injection, AI abuse, deepfake attempts | Legitimate interest — Art. 6(1)(f) |
| Improve, secure, develop the Service using de-identified aggregate data | Legitimate interest |
| Defend against claims, audits, regulatory inquiries | Legitimate interest + legal obligation |
| Successor-in-interest transfer | Legitimate interest |
| Comply with court orders / regulatory requests | Legal obligation |
4. AI data handling
When you submit a prompt:
- The prompt is sent over TLS to Anthropic (Claude) or OpenAI (where used) under our enterprise API agreement.
- Under those agreements, your prompt and the model's response are NOT used to train, fine-tune, or otherwise improve the AI provider's foundation models.
- Anthropic and OpenAI may retain prompts for up to 30 days for trust & safety review (abuse detection), after which they are deleted.
- Contentko itself may store the prompt and output for 30 days for safety review on our side, then deletes them. Outputs you save to your account live for the life of your account.
We do not use your prompts or outputs to train any AI model owned by Contentko, BCAX, or any third party.
5. Multi-platform OAuth
See OAuth Disclosures for the verbatim Google "Limited Use" disclosure, the TikTok Developer Terms compliance statement, and Meta Platform Terms compliance statement.
6. Sub-processors
We use the following third-party service providers ("sub-processors") to operate the Service. Each sub-processor processes only the personal data needed for its specific purpose, under contractual data-protection commitments at least as protective as the GDPR (Art. 28) Standard Contractual Clauses where required.
| Sub-processor | Function | Personal data | Region | Transfer safeguard |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Billing & transaction data | USA | DPF-certified; SCCs |
| Mercury / Choice Financial Group | U.S. business banking | Identity, KYC, transaction | USA | Mandatory contractual safeguards |
| Wise Payments Ltd | International transfers | Identity, transaction | UK / Belgium | UK adequacy + SCCs |
| Supabase, Inc. (on AWS) | Database, auth, storage | All categories | USA (us-east-1) | DPF + SCCs |
| Anthropic, PBC | AI processing (Claude) | Prompts (no training; content-moderation only) | USA | DPF + SCCs |
| OpenAI, L.L.C. | AI processing (where used) | Prompts (no training under API terms) | USA | DPF + SCCs |
| Google LLC (Workspace, OAuth, Maps) | Email, OAuth, geo data | OAuth tokens, Google account email | USA / EU | DPF + SCCs |
| Meta Platforms, Inc. | OAuth (where used) | Meta account data | USA | DPF + SCCs |
| TikTok Pte Ltd / ByteDance | Direct-Post & developer APIs (where used) | TikTok account data | Singapore / USA | SCCs |
| Resend, Inc. | Transactional email | Email addresses, message content | EU (Ireland) | EU adequacy |
| Sinch (CLX Communications AB) | Fax & SMS | Phone, message content | EU (Sweden) | EU adequacy |
| DocuSeal (self-hosted) | E-signature | Identity & signed documents | EU (Frankfurt VPS — Hostinger) | EU hosting |
| Hostinger International Ltd | VPS hosting | Server logs | EU (Lithuania) | EU adequacy |
| Contabo GmbH | VPS hosting (browser-worker) | Server logs | EU (Germany) | EU adequacy |
| Cloudflare, Inc. | DNS, CDN, edge proxy | IP, request metadata | Global edge | DPF + SCCs |
| AdsPower (where used) | Anti-detect browser profiles | Limited (no PII forwarding) | Singapore | SCCs |
| GitHub, Inc. | Source-code hosting (no production user data) | Limited | USA | DPF + SCCs |
We may add or replace sub-processors. Material additions are announced at least 30 days in advance, by updating this page and (where required) emailing account holders. Continued use after the effective date constitutes acceptance.
To object to a new sub-processor, email [email protected] within the notice period. Objection on reasonable data-protection grounds entitles you to terminate the affected service for a pro-rated refund of unused fees.
7. International transfers
Same as Section 5 of the BCA Privacy Policy. We rely on the EU–U.S. Data Privacy Framework, SCCs (2021/914), and your explicit consent under GDPR Art. 49(1)(a) where required.
8. Retention
See Data Retention Policy. Headlines:
- AI prompts: 30 days for safety review, then deleted
- Generated outputs you save: life of account
- OAuth tokens: deleted within 24 hours of disconnection
- User-uploaded source content (videos, images): life of account + 30 days
- Account / billing: life of account + 6 years (statute of limitations)
9. User-generated content & DMCA
Where you upload content (videos, images, audio) for AI processing or publishing, you remain the owner. We act as a passive host; if your content infringes a third-party copyright, that party may file a DMCA notice under our DMCA Policy.
10. Security
Same as Section 7 of the BCA Privacy Policy. No system is 100% secure; you provide data at your own risk; breach notification per Art. 33 GDPR (72 hours) where applicable.
11. Your rights
If you are in the European Economic Area, United Kingdom, or Switzerland (GDPR / UK-GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you (Art. 15 GDPR)
- Rectification — correct inaccurate or incomplete data (Art. 16)
- Erasure — request deletion of your data, also known as the "right to be forgotten" (Art. 17)
- Restriction — limit how we process your data while a dispute is resolved (Art. 18)
- Portability — receive your data in a structured, machine-readable format (Art. 20)
- Object — object to processing based on our legitimate interests, including direct marketing (Art. 21)
- Withdraw consent — at any time, where processing is based on consent (Art. 7(3))
- Lodge a complaint — with your local supervisory authority (a list is available at edpb.europa.eu)
To exercise any of these rights, email [email protected] with the subject line DSR Request. We may need to verify your identity before responding.
If you are a California resident (CCPA / CPRA)
You have the right to:
- Know what categories of personal information we have collected, the sources, the purposes, and any third parties with whom we share it
- Delete personal information we have collected from you (subject to certain exceptions)
- Correct inaccurate personal information
- Opt out of the "sale" or "sharing" of personal information (we do not sell your personal information)
- Limit use of sensitive personal information
- Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right
We do not knowingly collect personal information from California consumers under 16 years of age.
To exercise these rights, email [email protected] or use the "Do Not Sell or Share My Personal Information" link in the site footer (where applicable).
If you are in another jurisdiction
We extend the substantive rights above to all users where reasonably possible, regardless of residence. Email [email protected] for assistance.
12. Automated decisions
We do not make automated decisions producing legal or similarly significant effects. AI generation is initiated by your prompt and reviewed by you before any external publication.
13. Changes
Material changes are announced 30 days in advance to the email on your account.
14. Contact
Contacting BCA on legal matters
| Type of inquiry | Subject line | Address |
|---|---|---|
| General privacy / data-subject rights | DSR Request | [email protected] |
| Refund request | Refund Request — [Engagement Reference] | [email protected] |
| Acceptable-use violation report | AUP Report | [email protected] |
| DMCA takedown notice | DMCA — Takedown | [email protected] (designated agent: see DMCA Policy) |
| DMCA counter-notice | DMCA — Counter-Notice | [email protected] |
| Spam / abuse complaint | Spam Complaint | [email protected] |
| Law-enforcement / subpoena | Law-Enforcement Request | [email protected] |
| Sanctions / OFAC concern | Sanctions Disclosure | [email protected] |
| Legal service of process | (paper, certified mail) | BCAX LLC, c/o Registered Agent, 30 N Gould St Ste R, Sheridan WY 82801, USA |
| Security vulnerability | Security | [email protected] (we follow coordinated disclosure; we do not pay bounties) |
We acknowledge each request within 5 business days and substantively respond within the timelines required by applicable law (typically 30 days under GDPR, 45 days under CCPA, 14 days for DMCA).
Email is preferred. Mail and fax service of process is accepted but slower; electronic delivery to [email protected] is sufficient legal service of any pre-litigation notice required under these legal pages.
15. Legal Entity
Contentko is a service operated by:
BCAX LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States of America
Employer Identification Number (EIN): 42-2153191
State of formation: Wyoming, USA
This entity is the data controller and contracting party for all users of contentko.com.
Governing Law & Jurisdiction
These terms are governed by the laws of the State of Wyoming, United States, without regard to its conflict-of-laws principles. The exclusive forum for any dispute shall be the state and federal courts located in Sheridan County, Wyoming, except where applicable consumer-protection law of your country of residence grants you a non-waivable right to a local forum.
Contact
Legal & data-protection inquiries: [email protected]
For data-subject-rights requests (access, deletion, portability, objection), use the same email with subject line DSR Request. We respond within 30 days as required under GDPR Article 12 and within 45 days under California CCPA §1798.130.