Privacy Policy
Effective date: 2026-05-25 · Last updated: 2026-05-25
This Privacy Policy explains what personal data WhatIf (the "Service") handles, how it is stored, and your rights regarding that data. WhatIf is operated by the WhatIf operator (the "Operator") as a self-hosted internal tool. WhatIf does not provide a public end-user application and does not collect personal data from members of the public.
1. Summary
The only personal data WhatIf stores is the Operator's own OAuth credentials and channel identifiers for the Operator's own social media accounts.
WhatIf does not collect data about TikTok or YouTube end users, does not track viewers, does not run advertisements, does not sell data, and does not share data with anyone other than the third-party APIs strictly required to publish the Operator's own videos.
2. Data we collect
The following data is stored on the Operator's own server:
- OAuth access and refresh tokens for each connected TikTok and YouTube account that the Operator owns. These are used solely to publish videos to those accounts and to read engagement metrics for videos already published by the Operator.
- OAuth scope grants recording which permissions the channel owner granted.
- Channel identifiers (display name, channel ID, avatar URL) for the Operator's connected accounts, used in the admin dashboard for identification.
- Production metadata generated by the Service itself — idea drafts, scripts, audio/visual asset URLs, schedule timestamps, publish results. None of this is personal data.
- API usage logs for every external API call (provider, endpoint, success/error, cost) for budget tracking. These logs contain no personal data.
What we do NOT collect
- Personal data about TikTok or YouTube viewers, followers, or comment authors.
- The contents of comments, direct messages, or private interactions on integrated platforms.
- Cookies, device identifiers, or analytics signals from members of the public.
- Payment or financial data.
3. How data is used
Data stored by the Service is used exclusively to:
- Publish videos to the Operator's own TikTok and YouTube Shorts accounts.
- Read back basic engagement metrics (views, likes, comments count) for those same videos for internal analytics.
- Display the Operator's connection status in the admin dashboard.
- Track AI provider spend against a configured monthly budget cap.
4. Data storage and security
- All data is stored on infrastructure controlled by the Operator (PostgreSQL 16, MinIO object storage, Redis).
- Database services are bound to 127.0.0.1 on the host and are not exposed publicly. Public-facing endpoints sit behind Caddy with automatic HTTPS.
- OAuth tokens are encrypted at rest using AES-256-GCM with a key supplied via an environment variable.
- All admin dashboard access requires an API key.
- No data is replicated to or backed up to third-party storage providers without explicit operator action.
5. Third-party data processors
The Service interacts with the following third parties strictly to perform its function. Each handles only the data necessary for that interaction:
- TikTok (ByteDance) — receives video uploads and returns publish confirmations and metrics for the Operator's own videos. Subject to TikTok's Privacy Policy.
- YouTube (Google) — receives video uploads and returns publish confirmations and metrics for the Operator's own videos. Subject to the Google Privacy Policy.
- Anthropic, OpenAI — receive text prompts for idea/script generation. Subject to their respective privacy policies. No personal data is included in prompts.
- AutoVideo.app — receives prompts for image, video, and TTS generation. No personal data is included in prompts.
- Telegram — receives internal operator alerts only. The bot is private to the Operator's chat.
6. Data retention
- OAuth tokens are kept as long as the Operator keeps the corresponding channel connected. The Operator may revoke a connection at any time from the admin dashboard, which deletes the stored tokens.
- Production metadata and API usage logs are retained indefinitely for analytics and budget tracking. They contain no personal data.
- Final video files are kept until the Operator manually deletes them.
7. Your rights
Because WhatIf does not collect data about members of the public, conventional data-subject rights (access, deletion, portability) do not apply to viewers. The Operator may at any time:
- Disconnect any integrated account, which removes its OAuth tokens from local storage.
- Revoke API access at the source platform (e.g., from TikTok's account settings) at any time, which immediately invalidates the tokens the Service holds at the platform; the stored copies remain in local storage until the account is disconnected from the admin dashboard.
- Delete the entire database and object storage volumes, which fully removes all data.
8. Children
The Service is not directed to and is not intended for use by children under 13. The Service does not knowingly collect data from children.
9. International transfers
The Service runs on infrastructure of the Operator's choosing and is not bound to any specific jurisdiction. Third-party processors listed above may process data internationally per their own policies.
10. Changes to this Policy
The Operator may update this Privacy Policy at any time. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For privacy questions, requests, or concerns, contact: luu@askkpop.com