Privacy Policy

Last updated: March 1, 2026

Overview

Causeway ("we", "our", "the Service") is a creator analytics platform that connects to your social media accounts to detect and explain follower growth spikes. This Privacy Policy explains what data we collect, how we use it, and your rights as a user.

By using Causeway you agree to the practices described here. If you disagree, please do not use the Service.

Data We Collect

Account Data

When you register, we store your email address and, if provided, your full name. If you sign in with a social provider (Google, GitHub, Apple), we also store your avatar URL from that provider.

Connected Platform Credentials

When you connect a social media platform (YouTube, Instagram, TikTok, Facebook), we store:

  • OAuth access and refresh tokens — encrypted at rest using AES-256-GCM. The plaintext key is never written to disk or logged.
  • Platform user ID and username — used to identify your account on each platform.
  • Token expiry timestamps — so we know when to refresh credentials automatically.
  • Granted OAuth scopes — to record exactly which permissions you approved.

Analytics Data

We collect and store the following analytics on a daily cadence:

  • Follower count snapshots — one row per connected platform per day.
  • Follower spike events — recorded when daily growth ≥ 5% vs. the prior snapshot.
  • Content mentions — public posts, videos, or stories from other accounts that mention or feature you, retrieved through platform search APIs.
  • Correlation records — associations between a spike event and a nearby mention, along with a confidence score and the direct URL of the mentioned content.

Billing Data

Payment details are handled entirely by Stripe. Causeway stores only your Stripe Customer ID and subscription tier — never raw card numbers.

Usage and Error Data

We collect anonymized usage telemetry via Vercel Analytics and runtime error reports via Sentry. These contain no OAuth tokens or raw follower data. API key requests are logged at the prefix level only (e.g. cwy_live_ab12…).

How We Use Your Data

  • Fetch your follower count once per day to detect growth spikes.
  • Search platform APIs for public posts that mention your account name or channel, to correlate with spikes.
  • Generate AI-powered explanations of spike causes using Anthropic's Claude API. Only spike metadata (platform, delta, correlated post URLs) is sent — never raw OAuth tokens.
  • Display your growth history, spike events, and mention feed in your private dashboard.
  • Expose your data through the Causeway REST API and MCP Server if you generate an API key (Pro plan only).
  • Send transactional emails (subscription receipts, security alerts) via Resend.

We do not sell your data. We do not use your content for advertising. We do not share your OAuth tokens or follower data with any third party except as described in this policy.

Platform Permissions (OAuth Scopes)

We request only the minimum permissions needed to provide the Service. Below is a plain-English explanation of each scope:

YouTube

| Scope | Why we need it |
| --- | --- |
| youtube.readonly | Read your channel's subscriber count and basic channel info (title, ID). Required to detect follower growth spikes on YouTube. |
| yt-analytics.readonly | Read channel-level analytics (views per video, traffic sources). Used to correlate spikes with specific videos that drove sudden growth. |

We do not access, read, or modify your videos, playlists, comments, or any YouTube content on your behalf. We do not upload anything to your channel.

Instagram

| Scope | Why we need it |
| --- | --- |
| instagram_basic | Read your follower count and basic Business/Creator account info. Required for spike detection. |
| instagram_manage_insights | Read post-level insights (impressions, reach) for your own content. Used to identify which posts correlate with follower spikes. |

We do not read private messages, publish content, or access follower/following lists of other accounts.

TikTok

| Scope | Why we need it |
| --- | --- |
| user.info.basic | Read your TikTok display name and username. Used to identify your account. |
| user.info.stats | Read your follower count, following count, likes count, and video count. Required for spike detection. |

We do not access your direct messages, videos, or any other TikTok content beyond the stats listed above.

Facebook (Pages)

| Scope | Why we need it |
| --- | --- |
| pages_show_list | List the Pages you manage, so you can select which Page to connect. |
| pages_read_engagement | Read the follower count of your selected Page. Required for spike detection. |
| read_insights | Read Page-level analytics to identify which posts correlate with follower growth spikes. |

We access only the Page you explicitly select during setup. Personal Facebook profile data is not accessed.

Data Retention and Deletion

  • Active account: All data is retained for as long as your account is active.
  • Disconnected platform: When you disconnect a platform in Settings, we mark the connection inactive and stop fetching data. Historical snapshots and spike events from that platform are retained for your dashboard history.
  • Account deletion: Email privacy@causeway.you to request full deletion. All personal data, OAuth tokens, follower snapshots, spike events, and API keys are permanently deleted within 30 days.
  • Anonymized analytics: Aggregate, non-identifiable analytics (e.g., total spikes detected across all users) may be retained indefinitely.

Security

  • OAuth access and refresh tokens are encrypted at rest (AES-256-GCM) before database storage.
  • All traffic between your browser, our servers, and platform APIs is encrypted in transit (TLS 1.2+).
  • API keys are stored as SHA-256 hashes — the plaintext is shown once at creation and never again.
  • Two-factor authentication (TOTP) is available and, if enrolled, enforced on every session.
  • Row-Level Security is enabled on all database tables — your data is never accessible to other users.
  • The ingestion CRON job runs with a service role key, scoped only to the ingestion operation.

Third-Party Services

| Service | Purpose | Privacy Policy |
| --- | --- | --- |
| Supabase | Database, auth, row-level security | View → |
| Vercel | Hosting, edge functions, analytics | View → |
| Stripe | Payment processing | View → |
| Anthropic | AI spike summaries (Claude API) | View → |
| Resend | Transactional email | View → |
| Sentry | Error monitoring | View → |

Your Rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. To exercise any of these rights, email privacy@causeway.you. We will respond within 30 days.

To revoke platform access at any time, go to Settings → Connected Platforms → Disconnect, or revoke Causeway's access directly from the platform's own app management page (e.g., Google Account Permissions for YouTube).

Children's Privacy

Causeway is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided data, contact us at privacy@causeway.you and we will delete it promptly.

Changes to This Policy

We may update this policy as the Service evolves. Material changes will be announced via email to registered users at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.

Contact

Questions about this Privacy Policy or your data? Contact us: