Privacy Policy
This Privacy Policy describes how HanZook (“we,” “us,” or “our”) collects, uses, stores, and shares information when you use our web application and related services (the “Service”). By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.
1. Who operates the Service
HanZook is a tool that lets you sign in with Facebook, manage Facebook Pages you administer, and publish or schedule posts to those Pages. Questions about this policy or your data can be sent to info@only-hanz.com.
2. Information we collect
2.1 Information from Facebook (Meta)
When you connect your Facebook account, we receive information from Meta’s APIs, including:
- Your Facebook user ID and display name
- Your first and last name, when provided by Meta
- An access token and related OAuth metadata (type, expiry, when obtained)
- The list of Facebook Pages you manage and Page identifiers needed to publish on your behalf
We request permissions such as pages_show_list, pages_read_engagement, pages_manage_posts, and business_management so the Service can function.
Meta’s own privacy policy also applies to data handled on their platform: Meta Privacy Policy.
2.2 Account and billing information
We store account-related data in our database, such as:
- Account balance and top-up history
- Subscription expiry date and payment timestamps
- Whether your account has administrator access
- Dates of account creation and last login
If you submit a payment or top-up request, we collect the amount you enter and an image of your payment receipt or bill that you upload. Requests are reviewed manually by administrators.
2.3 Content you provide for publishing
When you compose or schedule posts, we process content you submit, which may include:
- Post text (messages)
- Links, image URLs, or video URLs
- Image or video files uploaded from your device
- Selected Page IDs and optional scheduled publish times
This content is transmitted to Meta’s Graph API to publish or schedule posts on your chosen Pages. Portions of this information may also be sent to operational notification channels we configure (for example, Discord webhooks) to help us monitor publishing activity.
2.4 Session and technical data
We use server-side sessions to keep you signed in. Session data may include:
- Your Facebook access token and basic profile snapshot used during your visit
- OAuth state values used during login
- Administrator impersonation context, if an admin is acting on your account with proper authorization
We set an HTTP-only session cookie (typically valid for up to eight hours). In production, session records may be stored in our database alongside other application data.
We do not intentionally use third-party advertising or analytics trackers in the application code. Standard server logs (such as IP address, browser type, and request timestamps) may be collected by our hosting provider as part of normal operation.
2.5 Scheduled post metadata
Information about posts you schedule (such as Page IDs, content summaries, and scheduled times) may be kept in server memory for the duration of your session to power the Scheduled and History features. This data is not guaranteed to persist after a session ends or the server restarts unless stored elsewhere (for example, on Meta’s systems once scheduled there).
3. How we use your information
We use the information above to:
- Authenticate you and maintain your session
- Create and update your user account record
- List Pages you manage and publish or schedule posts on your behalf
- Enforce subscription and balance rules
- Process, review, and approve or decline payment requests
- Provide administrator tools (including user support and impersonation where permitted)
- Send operational notifications to our team (for example, via Discord)
- Protect the security and integrity of the Service
- Comply with applicable law and Meta Platform Terms and Policies
4. How we share information
We may share information with:
- Meta / Facebook — to perform login, list Pages, and publish or schedule content according to your instructions.
- Service providers — such as hosting (e.g., Railway), database hosting (MongoDB), and notification tools (e.g., Discord webhooks), solely to operate the Service.
- Administrators — authorized staff who can review payment requests, manage accounts, and support users.
- Legal requirements — when required by law, regulation, legal process, or to protect rights, safety, and security.
We do not sell your personal information.
5. Data retention
We retain information for as long as needed to provide the Service and for legitimate business purposes, including:
- User account and Facebook token data — while your account remains active and as needed thereafter for security, billing disputes, or legal obligations
- Payment request records and receipt images — until processed and for a reasonable period for record-keeping
- Session data — until the session expires or you log out, subject to our session store configuration
- Server logs — according to our hosting provider’s default retention
You may request deletion of your data at any time. See our User Data Deletion Instructions. Some data may remain in backups for a limited time or where retention is required by law.
6. Security
We use reasonable technical and organizational measures to protect information, including encrypted transport (HTTPS in production), HTTP-only session cookies, and access controls for administrative functions. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
Facebook access tokens are sensitive. We store them to operate the Service on your behalf. You should protect your Facebook account and log out of the Service on shared devices.
7. Your choices and rights
Depending on where you live, you may have rights to:
- Access, correct, or delete personal information we hold about you
- Object to or restrict certain processing
- Withdraw consent where processing is consent-based
- Port your data in a machine-readable format, where applicable
- Lodge a complaint with a supervisory authority
To exercise these rights (including access or correction), email info@only-hanz.com. To request deletion of your data, follow our User Data Deletion Instructions. We may need to verify your identity before responding.
8. Children
The Service is not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us data, email info@only-hanz.com and we will take appropriate steps to delete it.
9. International users
Your information may be processed in countries where we or our providers operate, which may have different data protection laws than your country. Where required, we take steps designed to provide appropriate safeguards for cross-border transfers.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Continued use of the Service after changes become effective constitutes acceptance of the updated policy where permitted by law.
11. Contact
For privacy questions or data access requests, email info@only-hanz.com. For data deletion, see our User Data Deletion Instructions.