Privacy Policy
Last updated 4 June 2026
Madala Machine is a creative operations platform for independent musicians and artists, operated by Ard Songs CC, a close corporation registered in South Africa. This policy explains what data we collect, how we use and protect it, and the rights you have over your information. We take your privacy seriously and handle all data in compliance with South African law and the requirements of the platforms we integrate with.
What data we collect
When you use Madala Machine, we collect and process the following categories of data on your behalf:
- Account information you provide: your name, email address, project details, brand voice settings, and any other profile information you choose to enter.
- OAuth credentials for connected platforms: when you connect external accounts — Meta (Facebook and Instagram), TikTok, YouTube, X, and any other platforms you choose — we receive and store encrypted access tokens that allow us to publish content and retrieve analytics on your behalf. These tokens are encrypted at the application layer using pgsodium before they touch our database, and they are never stored or transmitted in plaintext.
- Content you create or upload: posts, captions, images, videos, scheduled content, and any metadata you attach to that content (tags, descriptions, show links, ticket calls-to-action).
- Engagement analytics from connected platforms: we fetch and store performance data from your connected social accounts — including but not limited to Facebook, Instagram, and TikTok — such as post reach, impressions, likes, comments, shares, saves, follower counts, audience demographics, and video view metrics. This data is used to surface insights and reporting within Madala Machine.
- Usage data: which features you access, actions you take within the platform (for example, scheduling a post, generating a caption, or reviewing analytics), and when you log in. This is used to improve the product and diagnose issues.
How we store and protect your data
All data is stored in a managed backend environment powered by Lovable Cloud. Our database is encrypted at rest and protected by Row Level Security (RLS), which ensures that your data is only accessible within the project and user boundaries you define. Even within our own infrastructure, no engineer can arbitrarily browse user data outside of their authorised project scope.
- Encryption: OAuth tokens for Meta and TikTok are encrypted using pgsodium symmetric encryption before being written to the database. The encryption keys are managed within the same secure infrastructure and are never exposed to application logs or client-side code.
- Row Level Security: every table in our database has RLS policies enforced. This means your content, tokens, and analytics are logically isolated from other users at the database level. A query from another project or user will return no results.
- Infrastructure: Lovable Cloud provides the underlying database, authentication, and storage services. The infrastructure is hosted across multiple regions with automated backups, point-in-time recovery, and strict access controls.
- No third-party sale or sharing: we do not sell, rent, or trade your data to advertisers, data brokers, or any third party. We do not use your content to train external AI models without your explicit consent.
How we use your data
- To operate the platform: scheduling posts, publishing on your behalf to the platforms you have connected, displaying analytics dashboards, and sending weekly or periodic digests.
- To improve the platform based on aggregate usage patterns and feature adoption. This analysis is always performed on anonymised or aggregated datasets where possible.
- To send you transactional emails about your account, scheduled posts, or actionable alerts (for example, a failed publish or a token that needs refreshing).
- To comply with legal obligations or respond to lawful requests from government authorities where required by South African law.
We do not use your data for behavioural advertising and we do not build profiles about you for sale to third parties.
Data we share
We only share data in the following limited circumstances:
- Platforms you explicitly connect: when you connect Meta or TikTok, we share content and publishing instructions with those platforms so that posts can appear on your accounts. We only act within the OAuth scopes you grant during connection.
- Infrastructure providers: our hosting and storage providers (Lovable Cloud and its underlying infrastructure partners) process data on our behalf under strict data processing agreements. They do not have independent rights to use your data.
- We do not share with advertisers, brokers, or analytics aggregators. Your data is not monetised through resale or sublicensing.
Cookies and tracking
- We use cookies strictly for authentication and session management. These are essential for the platform to function — they keep you logged in and protect against cross-site request forgery.
- We do not use third-party advertising cookies, tracking pixels, or analytics scripts that follow you across the web.
- We do not participate in cross-site tracking or behavioural profiling through cookies or local storage.
Your rights
Under South African data protection principles and the terms of our service, you have the following rights:
- Access: request a copy of all data we hold about you and your projects at any time.
- Correction: update inaccurate or incomplete information through the platform settings.
- Deletion: delete your account and all associated data. Upon deletion, your content, tokens, and analytics are permanently removed from our systems within 30 days, except where retention is required by law.
- Portability: export your data in a structured, machine-readable format (JSON) for transfer to another service.
- Revocation: disconnect any linked platform at any time from the Settings page. Revoking an OAuth connection immediately invalidates the stored token and stops all publishing and data syncing for that platform.
To exercise any of these rights, email us at info@ardmatthews.com. We will respond within 30 days.
Data retention
- We retain your data for as long as your account is active and you have connected platforms or scheduled content.
- When you delete your account, we initiate a purge of all personal data, content, and tokens within 30 days. Some aggregated, anonymised metrics may be retained for platform integrity and billing reconciliation, but these cannot be linked back to you.
- Where legal obligations require longer retention (for example, tax or audit records), we retain only the minimum necessary data and secure it under the same encryption and access controls.
Children
Madala Machine is not intended for users under the age of 16. We do not knowingly collect data from children. If you believe a child under 16 has provided us with personal information, please contact us at info@ardmatthews.com and we will delete the information promptly.
International transfers
Madala Machine is operated from South Africa and our primary data storage is hosted in regions covered by Lovable Cloud. Where platform integrations require data to be processed outside South Africa (for example, when publishing to Meta or TikTok servers in the United States or Europe), this transfer is necessary to perform the service you requested and is governed by the terms of those platforms.
Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to you by email or through a prominent notice in the platform at least 14 days before they take effect.
Governing law
This Privacy Policy is governed by the laws of the Republic of South Africa. Any dispute arising from it will be resolved in the courts of the Western Cape.
Contact
Ard Songs CC
Cape Town, South Africa
info@ardmatthews.com