This policy explains what data KC Consulting ("KC," "we," "us") collects through the KC Content Engine platform (the "Service"), how we use it, who we share it with, and what choices you have. KC Consulting is a Texas-based marketing consultancy. Questions: write to info@kcconsulting.co.
1. What we collect
We collect three categories of data:
1.1 Account data
- Identity, via Clerk: name, email, password hash, optional 2FA factors, optional connected accounts (Google, etc.). Clerk holds your authentication credentials — we do not see or store your password.
- Organization data: agency name, slug, custom domain, brand colors, logo.
- Billing identifiers, via Stripe: Stripe customer ID, subscription ID, plan tier, payment status. Card numbers and bank details are held by Stripe — we never see or store them.
1.2 Content you create or upload
- Client briefs, intake-form answers, brand kits, headshots, product images, screenshots, brand-guidelines PDFs.
- AI-generated content: blueprints, knowledge base files, ideation, calendars, captions, static images, carousels.
- Chat threads + messages between you and the AI assistant.
- Optional uploaded reference documents.
1.3 Sensitive credentials
- BYOK (Bring Your Own Key) API keys: when you opt into Power User Mode, you supply your own Anthropic API key. Stored encrypted at rest with AES-256-GCM envelope encryption — the database row stores only ciphertext.
- LinkedIn access tokens: when you connect LinkedIn for direct publishing, we store your OAuth access token, encrypted at rest with the same envelope crypto. Token lifetime is ~60 days; we never see or store your LinkedIn password.
- TikTok access tokens & basic profile: when you connect TikTok for direct publishing, we use TikTok Login Kit and the Content Posting API. We store your OAuth access and refresh tokens, encrypted at rest with the same envelope crypto, and the basic profile fields TikTok returns (open id, display name, avatar) solely to attribute and publish the videos you explicitly choose to post. We never see or store your TikTok password, and we do not read, collect, or store your TikTok content, followers, or analytics beyond what is required to publish on your behalf. You can revoke access at any time from your TikTok account settings, which invalidates the tokens we hold.
1.4 Operational telemetry
- Usage events (which features you use, how often) and audit events (logins, billing actions, integrations connected) for security and product analytics.
- Server logs containing IP address, user agent, and request paths. Retained ~30 days for debugging and security.
2. How we use it
- To provide and operate the Service you signed up for.
- To call third-party AI providers (Anthropic, OpenAI, Google Generative AI, Voyage AI) on your behalf to generate content from your prompts and uploaded context.
- To send transactional email (Resend).
- To bill you (Stripe).
- To publish content to LinkedIn and TikTok (and, as added, other integrated platforms) when you explicitly trigger a post. Data obtained through the TikTok APIs is used only to enable this publishing on your behalf and is never sold, shared, or used to train AI models.
- To investigate abuse, secure the Service, and comply with legal obligations.
We do not use your content to train AI models, sell your data to advertisers, or share data with third parties outside the operational subprocessors listed below.
3. Subprocessors
The Service depends on these third parties. Each handles a narrow slice of data and is bound by their own privacy commitments:
- Clerk — authentication, session management.
- Supabase (Postgres + Storage) — database + asset storage. Our infrastructure host.
- Anthropic — Claude language models for chat + content generation.
- OpenAI — fallback / specialty models.
- Google — image generation (Gemini / Imagen).
- Voyage AI — text embeddings for retrieval.
- Stripe — payment processing.
- Resend — transactional email.
- Inngest — background job orchestration.
- Vercel — application hosting + CDN.
- Sentry — error monitoring (limited scope; no content payloads).
- LinkedIn — only when you connect LinkedIn for direct publishing.
- TikTok — only when you connect TikTok for direct publishing (Login Kit + Content Posting API).
4. Where data is processed
Primarily the United States. Some subprocessors (Clerk, Anthropic, Google, Stripe, Vercel) operate global edge networks; data may transit through their global infrastructure for performance reasons but rests in US regions.
5. Retention
- Account + content data: retained while your account is active. On account deletion, data is removed within 30 days except where retention is required for legal, billing, or audit purposes.
- Server logs: ~30 days.
- Stripe billing records: retained per Stripe's requirements and applicable tax law.
6. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your data, and to object to or withdraw consent for specific processing. California residents have rights under the CCPA/CPRA; EU and UK residents have rights under the GDPR/UK GDPR.
To exercise any of these rights, email info@kcconsulting.co. We respond within 30 days.
7. Security
- Tenancy isolation: all multi-tenant tables enforce Postgres Row Level Security so each agency only sees its own rows.
- BYOK keys + integration tokens (LinkedIn): encrypted at rest with AES-256-GCM envelope encryption, per-agency data-encryption keys wrapped by a master key.
- All data transits over TLS.
- Authentication is enforced at the edge by Clerk; sensitive mutations are gated by additional procedure-level checks.
8. Children
The Service is not intended for users under 16. We do not knowingly collect data from children.
9. Changes
We'll update this policy as the product evolves. Material changes will be announced via in-app notice or email. The Effective Date at the top of this page tracks the latest revision.
10. Governing law
This policy is governed by the laws of the State of Texas, United States, without regard to its conflict of laws principles. Any disputes will be resolved in the state or federal courts of Dallas County, Texas.
11. Contact
KC Consulting
Email: info@kcconsulting.co