Privacy Policy

Last updated: 7 May 2026

This Privacy Policy explains how GuildOS ("GuildOS", "we", "us", "our") collects, uses, stores and discloses personal data when you use the GuildOS service (the "Service") available at guild-os.net. We are committed to handling your data lawfully, transparently, and only for the purposes described here.

1. Who we are

GuildOS is a content-automation platform operated from Norway by the operator identified on our Contact page. For the purposes of the EU / EEA General Data Protection Regulation (GDPR), the operator acts as the data controller for personal data processed through the Service.

You can reach us about anything in this policy — including data access, correction, or deletion requests — at the email address on the Contact page.

2. What we collect

2.1 Account data

When you create a GuildOS account or start a subscription, we collect:

• your name and email address;
• billing data handled by our payment processors (Lemon Squeezy, Gumroad, or GitHub Sponsors). We do not see or store your full card number;
• basic technical metadata such as IP address and user agent.

2.2 Connected platform accounts

When you connect a third-party platform (such as TikTok or YouTube) to your GuildOS workspace, we receive and store the OAuth access and refresh tokens issued by that platform, scoped to the permissions you explicitly granted. We do not collect, see, or store your platform password.

2.3 Content and operational data

We process the briefs, ideas, prompts, draft scripts, generated videos, captions, schedules and analytics that flow through your workspace. This is the working substance of the Service.

3. TikTok-specific data handling

Because GuildOS publishes to TikTok on your behalf and reads performance data back to inform future content, we want to be explicit about how the TikTok integration works.

3.1 What we receive from TikTok

When you connect a TikTok account through TikTok Login, with your consent we receive — depending on the scopes you authorise — a subset of the following:

• Profile data (e.g. display name, avatar, open ID, union ID) via the user.info.basic scope, used to identify which connected account you're operating in.
• Video list and metadata via video.list, used to associate posts created through GuildOS with their TikTok counterparts and feed analytics back into your workspace.
• Permission to publish video via video.publish and video.upload, used to post the videos you queue for publication.

3.2 How we use TikTok data

TikTok data is used solely inside your workspace, for two purposes:

• Posting content to the TikTok accounts you've connected, when you (or a schedule you've set up) instruct GuildOS to publish.
• Showing you post-level performance metrics (such as views, likes, comments, shares) and using those metrics, in aggregate, to improve content suggestions for that workspace.

3.3 What we do not do with TikTok data

• We do not sell, rent, or trade TikTok data.
• We do not use TikTok data for advertising, profiling, or targeting outside of your own workspace.
• We do not share TikTok data with other GuildOS customers, and workspaces are isolated from each other.
• We do not use TikTok data to train general-purpose AI models. AI generation runs against your own briefs and your own workspace history only.

3.4 Retention and deletion

OAuth tokens are stored encrypted at rest for as long as your workspace remains connected to TikTok. Cached metadata (post lists, metrics) is retained for up to 24 months to support analytics continuity. You can delete your TikTok connection at any time from inside GuildOS or by emailing us; on disconnection we revoke and delete the stored tokens and purge cached TikTok data within 30 days. You can also revoke GuildOS's access directly from your TikTok account's connected-apps settings.

4. How we use data generally

We process the categories of data above to:

• provide and operate the Service;
• publish content on your behalf to the platforms you connect;
• show you analytics about content GuildOS has produced or scheduled;
• handle billing and subscription management;
• communicate with you about the Service (transactional email);
• secure the Service, prevent abuse, comply with legal obligations, and resolve disputes.

5. Legal bases (GDPR)

• Performance of a contract — to deliver the Service you have subscribed to.
• Consent — for connecting third-party platforms and publishing on your behalf, given explicitly through each platform's OAuth flow.
• Legitimate interests — to keep the Service secure, debug issues, and improve product quality, balanced against your privacy interests.
• Legal obligation — where we are required to retain data (e.g. tax records).

6. Sharing and sub-processors

We share personal data only with the providers we need to operate the Service:

• Payment processors — Lemon Squeezy, Gumroad, and GitHub Sponsors, for subscription billing.
• Cloud and hosting providers — for application hosting and database storage.
• Email provider — for transactional email.
• Model providers — for AI content generation, limited to the prompts and source material strictly required for generation, governed by their respective privacy terms.

We do not sell personal data to anyone, and we do not use it for third-party advertising.

7. International transfers

Some of our providers operate outside the EU/EEA. Where data is transferred internationally, we rely on standard contractual clauses or equivalent safeguards. Contact us for details on a specific provider.

8. Security

We use industry-standard technical and organisational measures to protect personal data — encrypted transport (TLS), encryption at rest for credentials and tokens, restricted access to production data, and regular review of dependencies. No service can guarantee perfect security, but we treat your credentials and content as sensitive by default.

9. Your rights

If you are in the EU/EEA, you have the right to:

• access the personal data we hold about you;
• correct inaccurate data;
• request deletion ("right to be forgotten");
• restrict or object to processing;
• data portability;
• withdraw consent at any time, including by disconnecting a third-party platform from your workspace;
• lodge a complaint with your local supervisory authority. In Norway, that is Datatilsynet.

To exercise any of these rights, email us using the address on the Contact page. We respond within 30 days.

10. Children

GuildOS is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Cookies

The marketing site at guild-os.net uses only essential cookies required for the site to function. We do not use third-party tracking or advertising cookies on the marketing pages. The authenticated application uses session cookies for login and CSRF protection.

12. Changes to this policy

We may update this Privacy Policy when the Service or applicable law changes. Material changes will be communicated through the Service or by email. The "Last updated" date at the top of this page always reflects the current version.

13. Contact

For any privacy-related question, request, or complaint, write to us at the address listed on our Contact page.