Legal

Privacy Policy

Last updated: April 2026

Pyxsoft Computing Ltd. ("we", "us", "our") operates MediaBuilder (www.mediabuilder.app). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a cryptographic hash, never in plain text). If you join as part of a team, we also store your role within the workspace.

Content Data

To provide our service, we process content you provide or authorize us to access, including:

  • Documents you upload (PDFs, presentations, text files)
  • Website content fetched from URLs you provide
  • Brand voice profiles generated from your content
  • Social media posts created, scheduled, or published through the platform

Usage Data

We collect information about how you interact with the platform, including pages visited, features used, and actions taken. This data is used solely to improve the service and is not shared with third parties.

Social Media Credentials

When you connect social media accounts, we store OAuth tokens (encrypted with AES-256) to publish content you have reviewed and approved. We never store your social media passwords.

2. How We Use Your Information

We use your information to:

  • Provide, operate, and maintain the MediaBuilder platform
  • Generate brand voice profiles and content strategies based on your inputs
  • Help you create, review, and publish social media content
  • Manage your account, subscriptions, and team access
  • Communicate with you about service updates or support requests
  • Improve the platform based on aggregated, anonymised usage patterns

We do not sell your personal data. We do not use your content to train AI models. Your content is processed solely to deliver the service you requested.

3. Data Storage & Security

Your data is stored on servers located in the United Kingdom. We implement appropriate technical and organisational measures to protect your data, including:

  • AES-256 encryption for sensitive credentials (OAuth tokens)
  • Passwords hashed using industry-standard algorithms
  • Strict tenant isolation ensuring each organisation's data is completely separated
  • HTTPS encryption for all data in transit
  • JWT authentication with HttpOnly cookies (immune to XSS attacks)

4. Third-Party Services

To deliver our service, we interact with the following categories of third-party providers:

  • AI providers — We send content data to AI services to generate brand voice profiles, content strategies, posts, and images. Data is transmitted securely and not retained by these providers beyond processing.
  • Social media platforms — When you connect accounts and schedule posts, we interact with their APIs (LinkedIn, Instagram, Twitter/X, etc.) using your authorised OAuth tokens.

We do not share your personal data with advertisers, data brokers, or any other third parties for their own purposes.

5. LinkedIn Integration — Specific Data Handling

When you connect a LinkedIn account or LinkedIn Company Page to MediaBuilder, additional, specific data handling rules apply. This section explains them in detail. A complete overview of the integration is available on our LinkedIn Integration page.

5.1 Data we receive from LinkedIn

With your authorisation, we receive the following data from LinkedIn:

  • Member identifier and basic profile (member URN, name, profile picture URL) — via the openid and profile scopes. Used to display the connected identity inside the workspace.
  • Email address — via the email scope. Used to associate the LinkedIn identity with your platform account.
  • List of administered Company Pages — via the rw_organization_admin scope. Used so you can pick which Company Page the workspace will publish to.
  • Confirmation of posts you publish through us — via the r_organization_social scope. Used to verify the publication succeeded and to show a deep link in the calendar.
  • OAuth access and refresh tokens — needed to call the LinkedIn API on your behalf, scoped to the workspace you connected.

5.2 Data we send to LinkedIn

Through the w_organization_social scope, we send LinkedIn the post text and image you have explicitly approved through our review workflow, at the time you have scheduled. We do not send any other data, and never publish content that has not been individually approved by a human user inside the platform.

5.3 Storage and retention of LinkedIn data

  • OAuth tokens are encrypted at rest using AES-256 and stored only within the workspace that authorised them.
  • Profile data (name, email, avatar URL, member URN) is stored for as long as the LinkedIn account is connected to the workspace.
  • For each post we publish on your behalf, we retain the LinkedIn URN, publication timestamp, and a copy of the text/image we sent — so you can see what was published from the calendar.
  • We do not store likes, comments, reactions, follower lists, or any third-party engagement data.

5.4 Deletion and disconnection

You can disconnect LinkedIn from your workspace at any time. When you do:

  • OAuth tokens are revoked through LinkedIn's /oauth/v2/revoke endpoint and erased from our database within minutes.
  • LinkedIn profile data and post metadata are purged within 30 days.
  • Posts already published on LinkedIn remain on LinkedIn under your control — we cannot and will not retract them.

Deleting your MediaBuilder account triggers the same erasure for all connected LinkedIn data.

5.5 Restrictions on LinkedIn data

In line with the LinkedIn API Terms of Use, we commit that LinkedIn data:

  • Is never sold, licensed, or shared with any third party.
  • Is never used to train AI models, ours or anyone else's.
  • Is never used for advertising, profiling for ad targeting, or audience building.
  • Is shown only to authorised members of the workspace that connected the LinkedIn account.
  • Is not used to send unsolicited messages, automate connection requests, scrape profiles, or perform any growth-hacking activity.

6. Cookies

MediaBuilder does not currently use cookies for tracking or analytics purposes. We use HttpOnly cookies solely for authentication (session management). These are strictly necessary cookies and do not require consent under UK GDPR.

If we introduce non-essential cookies in the future, we will update this policy and obtain your consent before using them.

7. Your Rights Under UK GDPR

As a data subject, you have the following rights:

  • Right of access — Request a copy of all personal data we hold about you
  • Right to rectification — Request correction of inaccurate personal data
  • Right to erasure — Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing — Request we limit how we use your data
  • Right to data portability — Receive your data in a structured, machine-readable format
  • Right to object — Object to processing based on legitimate interests
  • Right to withdraw consent — Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. When you delete your account:

  • Account data is deleted within 30 days
  • Content data (uploaded documents, generated posts, brand profiles) is deleted within 30 days
  • OAuth tokens are immediately revoked and deleted
  • Anonymised, aggregated usage data may be retained for analytical purposes

We may retain certain data longer where required by law or to resolve disputes.

9. Children's Privacy

MediaBuilder is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or through a notice on the platform. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of MediaBuilder after changes take effect constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us:

Pyxsoft Computing Ltd.

United Kingdom

Email: