Privacy Policy

Last updated: 19 May 2026

1. Overview

qrdy-daily-reel (“the application”) is a single-tenant internal automation tool operated by the owner of Qrdy (qrdyai.com). This policy describes what data the application collects, why it collects it, and how it is stored. The application has only one user — the owner — and is not offered to the public.

2. Data we collect

The application processes the following data:

• TikTok account information — when the owner connects their TikTok account via OAuth, the application requests the scopes user.info.basic, video.upload, and video.publish. The application retrieves the owner’s public TikTok display name and the open_id identifier provided by TikTok, and stores an access_token and refresh_token so that the application can upload videos on the owner’s behalf.
• Design frames — the application reads frames the owner has previously created in the owner’s private Qrdy content library (MongoDB Atlas). Frames are used only to render the daily showcase video.
• Generated videos — short mp4 files (1080×1920, ~12 seconds, 5–15 MB) rendered from the owner’s frames. Videos are stored temporarily on a Railway persistent volume and uploaded to the owner’s social accounts.
• Operational metadata — timestamps, job identifiers, and TikTok publish identifiers used to track upload status. No third-party user data is collected.

3. How data is used

Data is used exclusively to: (a) render the daily showcase video, (b) upload that video to the owner’s connected TikTok / Instagram / YouTube accounts via the platforms’ official APIs, and (c) log the operation for the owner’s own monitoring. Data is never sold, shared with third parties, or used for advertising.

4. Storage and retention

• OAuth tokens are stored as encrypted environment variables on Railway, accessible only to the running application. They are retained until the owner revokes the connection.
• Generated videos are retained on the Railway volume for up to 7 days and then automatically deleted by a scheduled cleanup job.
• Design frames remain in the owner’s private MongoDB cluster and are read with a read-only credential.

5. Third-party platforms

The application interacts with the following third-party services. Each has its own privacy policy:

• TikTok — tiktok.com/legal/privacy-policy
• Instagram / Meta — facebook.com/privacy/policy
• YouTube / Google — policies.google.com/privacy
• Railway — railway.app/legal/privacy
• MongoDB Atlas — mongodb.com/legal/privacy-policy

6. Revoking access and deleting data

The owner may revoke the application’s access to TikTok at any time from TikTok > Manage app permissions. Equivalent settings exist for Instagram (Meta Account Center) and YouTube (Google Account permissions). After revocation, the corresponding token in the application becomes unusable. The owner can additionally clear the stored token by removing the relevant environment variable.

7. Security

Access tokens are stored only on the server. Browser sessions to the admin dashboard use signed httpOnly cookies and password authentication. The application is hosted on Railway and served over HTTPS.

8. Children

The application is not directed to children. No data from anyone other than the owner is collected.

9. Changes

This policy may be updated. The current version is always available at /privacy.

10. Contact

For questions, contact the owner via Qrdy at qrdyai.com.

Terms of Service · Privacy Policy