Privacy Policy

This Privacy Policy describes how Scavenger ("Scavenger", "we", "us", or "the Service") collects, uses, and shares information when you use the application available at ig-scavenger.com.

Scavenger is a private, invitation-only tool. Access to the application is restricted to users who have been granted credentials by an administrator.

1. Who we are

Scavenger is operated by B-NOVAT LLC, with its principal place of business at 5830 E 2nd St, Ste 7000, Casper, WY 82609, USA. For any privacy-related question or request, contact us at contact@b-novat.com.

2. Information we collect

2.1 Account information

When you are granted access to Scavenger, we collect and store:

• Your email address
• Your display name
• A hashed (bcrypt) password — we never store passwords in plain text
• Authentication and session metadata (login timestamps, session IDs)

2.2 Information from Google services

With your explicit consent at the time you authorize the OAuth flow on the Config page, Scavenger requests access to the following Google APIs and scopes:

• Google Drive — scope https://www.googleapis.com/auth/drive — to read, list, upload, move, and download files in folders you connect to the application.
• Google Sheets — scope https://www.googleapis.com/auth/spreadsheets — to read and update Google Sheets that you explicitly designate as "post-production source sheets" for your content workflows.

We store an OAuth refresh token in our database so the application can continue to perform actions on your behalf in the background (for example, uploading a processed video to your Drive folder while you are offline). We never receive or store your Google password.

2.3 Third-party integration credentials

Scavenger lets you connect a number of third-party services. When you choose to connect them, we store the credentials, API keys, or session cookies you provide:

• OneUp App — for scheduling Instagram posts
• Apify — for running content-scraping actors
• Anthropic Claude — for AI-generated captions and rewrites
• GeeLark — for cloud-phone-based posting
• Instagram session cookies — which you upload manually to authorize the scraper

2.4 Activity and operational data

We record application activity for security, debugging, and product reliability purposes — for example, which pages you visited, when you triggered a batch job, and which videos were processed. We also record diagnostic information when an error occurs (request path, stack trace, timestamps).

2.5 Cookies

We use first-party cookies strictly for session management and CSRF protection. We do not use third-party advertising cookies and we do not track users across other websites.

3. How we use Google API data

Information that Scavenger accesses through Google APIs is used only to deliver the features you have configured:

• Uploading processed videos to a Google Drive folder that you select.
• Listing the contents of Drive folders that you connect, so the application can show inventories of source clips, processed videos, and used files.
• Reading rows from Google Sheets that you designate as content-source sheets.
• Writing back to those sheets the values of three managed columns (oneup_id, status, last_post).
• Moving files between Drive subfolders (for example, from Processing/ to Used/) once a video has been published.

Limited Use disclosure

Scavenger's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We do not use Google user data to serve advertisements.
• We do not transfer Google user data to any third party except as necessary to provide or improve user-facing features that you have configured, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• We do not allow humans to read your Google user data, except (a) with your explicit consent for specific data, (b) where it is necessary for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized so that it cannot be associated with an individual.
• We do not use Google user data to develop, improve, or train generalized AI or machine-learning models.

4. How we use your information

We use the information we collect to:

• Provide the features you configure (video processing, scheduling, posting, sheet syncing, scraping).
• Authenticate you and keep your session secure.
• Run scheduled background jobs you have enabled (scrapes, processing pipelines, automated posts).
• Diagnose errors and improve the reliability of the Service.
• Communicate with you about your account when necessary.

5. How we share information

We do not sell your data.

We share data only with the following categories of recipients:

• Google — when you ask the application to read or write files and sheets in your Google account.
• The third-party services you connect (OneUp, Apify, Anthropic, GeeLark) — when you trigger features that use those services. Data is transmitted to them only as needed to fulfill your request.
• Hosting and infrastructure providers that store our servers, database, and queue workers. These providers process data only on our instructions and under contractual confidentiality obligations.
• Law-enforcement or regulators when we are legally compelled to do so.

6. Data retention

• Google OAuth refresh tokens are retained until you click "Disconnect" on the Config page, until you revoke access in your Google Account permissions page, or until your account is deleted.
• Account data is retained for as long as your account is active. On account deletion, we soft-delete the data; permanent deletion follows within 30 days unless we are required by law to retain it longer.
• Operational and activity logs are kept for up to 12 months and then deleted or anonymized.

7. Security

We protect your data with the following measures:

• TLS encryption for all traffic to and from ig-scavenger.com.
• Passwords stored using bcrypt with a per-user salt.
• OAuth refresh tokens and third-party API keys stored in our database with restricted server access.
• Application-level access controls — only authenticated, invited users can reach internal pages.
• Activity logging to detect and investigate suspicious usage.

No system is perfectly secure. If you become aware of a vulnerability or suspected breach involving Scavenger, please contact us immediately at contact@b-novat.com.

8. Your rights

You may, at any time:

• Access the data we hold about you by signing in to your Scavenger account.
• Correct account information by editing it in the application or by contacting us.
• Delete your data by requesting account deletion from your administrator. Once deleted, we will purge OAuth tokens and associated data within the retention schedule above.
• Revoke Google access at any time via your Google Account permissions page. Revoking does not delete data already stored in your own Google Drive or Sheets.
• Export the data associated with your account by contacting us.

If you are in the European Economic Area, the United Kingdom, Switzerland, or California, you may have additional rights under the GDPR, UK GDPR, FADP, or CCPA — including rights of portability, restriction, objection, and the right to lodge a complaint with a supervisory authority. To exercise any such right, contact us at contact@b-novat.com.

9. Children's privacy

Scavenger is not directed to children under the age of 16. We do not knowingly collect personal information from children. If we discover that we have collected such information, we will delete it promptly.

10. International data transfers

Our infrastructure is hosted in the European Union. By using the Service, you understand that your information may be processed there. Where data is transferred outside the EEA (for example, to Google, Anthropic, or other providers based in the United States), we rely on the safeguards offered by those providers, including Standard Contractual Clauses where applicable.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects when changes were last made. If we make material changes that affect how we use Google API data or how we share your data, we will notify users in the dashboard or by email before the new policy takes effect.

12. Contact

For questions about this Privacy Policy, your data, or to exercise any of the rights described above:

• Email: contact@b-novat.com
• Postal: 5830 E 2nd St, Ste 7000, Casper, WY 82609, USA