DecodeCreator

Privacy Policy

Effective July 15, 2026. This policy tells you exactly what we collect, why, and how you can get us to stop.

Who we are

DecodeCreator ("we", "us") operates the website decodecreator.com and the DecodeCreator public API. We provide public-data analytics for Instagram, TikTok, and YouTube accounts — the kind of numbers you can already see on the account's public profile, aggregated and analyzed.

What we collect from YOU (our user)

When you sign in with Google, we receive:

  • Your email address
  • Your name (as shown in your Google profile)
  • Your Google profile picture URL
  • A stable Google-issued user ID (used only to log you back in)

We do not request or receive: your Gmail contents, your contacts, your YouTube subscriptions, your Google Drive, or any other Google service data. We only ask for the standard openid email profile scopes.

When you use the site or the API, we also record:

  • Which analytics tools you ran, and against which public handle
  • For API customers: your API key usage log (endpoint, credits charged, response code, timestamp)
  • Standard web-server logs (IP address, user-agent, request path) retained ≤30 days for security and abuse prevention

What we collect ABOUT public accounts you scan

When you analyze a public Instagram, TikTok, or YouTube account, we fetch data that is already publicly visible on that platform's website — follower count, post metrics, video views, comment authors, publicly-set bios, and publicly-set profile pictures. We aggregate this into the analytics you see.

The scanned account is not notified. Nothing you do on DecodeCreator writes to their account, follows them, DMs them, or leaves any trace on the source platform.

We never ask for or use anyone's login credentials, session cookies, or private account data. Private accounts return a "private account" response — we do not attempt to bypass.

Audience demographic inference (gender & age)

For the "Audience Gender & Age" tool, we infer aggregate demographics from public commenter profiles. Our pipeline, in order:

  • Bio text parsing — we look for self-declared pronouns (she/her, he/him, they/them), gendered self-descriptors (mom, dad, wife, husband), and explicit age mentions ("23 y/o", "born 1998"). Strongest, self-declared signal.
  • Profile-picture demographic estimate (aggregate only) — when configured, we may run a face-detection API over publicly visible profile pictures to estimate age range and gender in aggregate. We never identify individuals. This is opt-in per deployment and disabled by default; when enabled, we use Amazon Rekognition's DetectFaces API. No image data is stored.
  • First-name dictionary lookup — a curated in-repo dictionary of Indian and Western first names. Weakest signal, used only when bio and face were inconclusive.

Aggregate output only. The tool returns audience percentages and age-bracket distributions across the sample. We never show per-individual demographic classifications in tool output, exports, or API responses.

No facial recognition or identification. We use face detection to estimate demographic attributes only. We do not build a face database, do not match faces to identities, and do not store face embeddings. Each analysis is a stateless request to a third-party API for that one image, discarded after.

Sample cap and caching. At most 25 commenter profiles are enriched per scan. Profile data is cached for 48 hours so re-scans of the same handle avoid duplicate provider calls.

Why we collect this data

  • To sign you in and keep you signed in
  • To show your account dashboard, subscription, and unlock history
  • To meter API usage against your credit balance
  • To detect abuse (e.g. one account brute-forcing hundreds of scans)
  • To send transactional emails (subscription confirmations, credit alerts) — never marketing without an unsubscribe link

Who we share it with

We share data only with the vendors we need to operate the service:

  • Supabase — our database and auth provider (stores your account row)
  • Railway — our hosting provider (runs the Node.js server)
  • Razorpay / LemonSqueezy — payment processors (only sees the data needed to charge your card and confirm a subscription)
  • Provider APIs (HikerAPI, tikwm, YouTube Data API v3) — we send them the public handle you asked to scan; they return public data
  • Amazon Rekognition (only when audience-demographic inference is enabled) — we send publicly visible profile-picture URLs for one-shot face detection; no data is stored on our side or theirs beyond the request

We do not sell your data. We do not share it with advertisers, data brokers, or affiliates.

Cookies and tracking

We use a first-party session cookie to keep you signed in — this is strictly necessary and cannot be disabled without signing you out. With your explicit opt-in through our cookie banner, we may also load Google Analytics and PostHog (analytics category) and Google Ads conversion tracking (marketing category). Both categories are OFF by default; nothing loads until you actively accept it. See our Cookie Policy for the full list, retention periods, and how to change your choice.

We do not use Facebook Pixel, third-party data-broker cookies, or fingerprinting scripts on the site.

Your rights

  • Access — email us and we'll send you every row we hold about you
  • Delete — email us and we'll permanently delete your account within 7 days (API keys revoked, scan history erased, personal profile removed)
  • Correct — update your name via Google; other fields via support
  • Export — request a JSON export of your account data
  • Opt out — cancel your subscription any time from your account page

Data retention

  • Account data: kept while your account is active. Deleted within 7 days of a delete request.
  • Scan cache: 48 hours (then automatically expires).
  • API usage logs: 12 months for billing dispute resolution, then deleted.
  • Web server logs: 30 days maximum.

Where your data lives

Our Supabase database is hosted in ap-south-1 (Mumbai, India). Railway runs in the region closest to our users. We do not knowingly transfer personal data outside India except through the CDN edge that serves the site.

Children

DecodeCreator is not for anyone under 18. We do not knowingly collect data from anyone under 18. If you believe a child has created an account, email us — we'll delete it.

Changes to this policy

If we make material changes, we'll email you before they take effect. The current version is always at decodecreator.com/privacy.

Contact

Questions, data-access requests, or complaints: support.decodecreator@gmail.com. We aim to reply within 3 business days.

Privacy Policy — DecodeCreator | DecodeCreator