← Gamdo

Gamdo Privacy Policy

Last updated: July 4, 2026

This Privacy Policy describes how EarthMera (“we”, “us”, or “our”) collects, uses, shares, and protects your personal information when you use Gamdo (the “Service”), available at https://gamdo.my. Gamdo is an AI-powered card news generator and publishing tool that, upon your explicit per-post approval, publishes content to social media accounts you own and have connected (currently Instagram and TikTok). The Service also includes tools for managing comments on posts you published: a comment reply workbench and an optional keyword-based direct message auto-reply feature.

This policy applies only to data collected through Gamdo. Other EarthMera products are covered by their own privacy notices.

1. Information We Collect

Account data

  • Email address
  • Password, stored only as a bcrypt hash (we never store plaintext passwords)
  • Optional display name and default brand preferences

Instagram integration data (only when you connect an Instagram account)

  • Instagram user ID
  • Instagram username (@handle)
  • Instagram account type (Business or Creator)
  • Long-lived OAuth access token

Instagram comment data (only when you use the comment reply workbench)

  • Comments on posts you published: the comment text, the commenter’s @handle, and the comment timestamp, temporarily cached solely to power the comment reply workbench
  • Replies you send through the workbench (reply text and time sent)

Cached comments are automatically deleted after 90 days, or immediately when you delete your account. Instagram remains the source of truth: deleting our cache does not delete the comment on Instagram. This feature requires the instagram_business_manage_comments permission.

TikTok integration data (only when you connect a TikTok account)

  • TikTok account identifier (open_id)
  • TikTok display name
  • TikTok profile image URL
  • OAuth access token

Service usage data

  • Card news content you create (topic, slide text, AI-generated images, layout settings)
  • Publishing history (post URLs, scheduled times, publishing status)
  • Direct message automation rules you create (trigger keywords, the message template to send, and rule settings)

Automatically collected data

  • Server logs (IP address, browser type, timestamps, and request information), used for security and incident response

Other than the cached comments described above, the Service does not collect Instagram or TikTok direct message contents, insights, follower lists, videos, or any data from social media accounts other than your own connected accounts. Incoming comment and message events that trigger an automation rule are processed in real time and are not stored. If an automation rule includes a follow condition, the Service checks in real time whether that specific user follows your account at that moment; the result is not stored, and we never collect or store follower lists. We do not collect sensitive personal information.

2. How We Use Information

  • Email, hashed password: account authentication and identification.
  • Instagram and TikTok OAuth tokens: publishing card news to your own connected account, executed only upon your individual approval of each post.
  • Instagram username and account type; TikTok display name and profile image: displaying the connected account in the UI and confirming that publishing occurs only to the intended account.
  • Card news content and publishing history: providing you access to your own creations and history.
  • Cached comments: showing comments on your posts in the reply workbench and, only when you request it, drafting a suggested reply with AI.
  • Direct message automation rules: sending the message you pre-wrote when a comment on your post matches the keywords you configured.
  • Server logs: maintaining account security, detecting misuse, and protecting the reliability of the Service.

We do not use Instagram or TikTok data for advertising, profiling, or training AI models. We use it only to provide the features you request: publishing posts you approved, operating the comment reply workbench, and running the direct message automations you configure.

3. How We Share Information

We do not sell your personal information. We share data only with the following processors, strictly for the purposes listed:

  • Meta Platforms (Instagram API): receives the card news image URLs, caption, and your Instagram OAuth access token solely during a publishing action you approved.
  • TikTok (Content Posting API): receives the card news images, caption, and your TikTok OAuth access token solely during a publishing action you approved.
  • OpenAI:receives your topic and brand inputs to generate card news text and images. In addition, when you use the AI reply assistant in the comment reply workbench, the text of the comment you are replying to is sent to OpenAI to draft a suggested reply. The commenter’s identity (username, profile, or follower information) is never sent. OpenAI does not use data submitted through its API to train its models.
  • Google (Gemini API): same as OpenAI for card news text and images, when the Gemini provider is selected. Comment data is never sent to Gemini.
  • Amazon Web Services (AWS): hosting, database, object storage, and log management.

Instagram-derived data is shared only with Meta Platforms and, in the single case of comment text used to draft an AI reply as described above, with OpenAI. TikTok-derived data is shared only with TikTok. Publishing data is sent to each platform only at the moment a publishing action is executed. Platform data is never shared with any other processor. We may also disclose information if required by law or to protect our rights, users, or the public.

4. How We Protect Information

  • All traffic between your browser, our servers, and third parties uses HTTPS.
  • OAuth access tokens are encrypted at the application layer before being stored.
  • Passwords are stored as bcrypt hashes.
  • Database access is restricted to a least-privilege application user.

No method of transmission or storage is completely secure, but we work to protect your information with appropriate technical and organizational measures.

5. Data Retention

  • Account data (email, hashed password, display name, brand preferences): retained for the duration of the active account; deleted within 30 days of account deletion.
  • Social media OAuth tokens (Instagram, TikTok):retained while the connection is active and refreshed as needed; promptly revoked and deleted upon disconnection or account deletion. The platform may retain or recognize the token on its own systems until it expires or you deauthorize the Service in the platform’s settings.
  • Social account identifier data (user IDs, usernames, account type, profile image URL): retained only while the connection is active; deleted or de-identified within 30 days after disconnection or account deletion, except where retention is required for security or legal compliance.
  • Card news content and publishing history (including post URLs and scheduled posts): retained for the duration of the active account; deleted within 30 days of account deletion.
  • Cached comments (comment reply workbench): retained for up to 90 days, then automatically deleted. Also deleted immediately upon account deletion.
  • Direct message automation rules: retained for the duration of the active account; deleted upon account deletion, or immediately when you delete the rule.
  • Server logs: retained for up to 90 days for security and incident response, then deleted.

6. Your Rights and Choices

  • Access and correction:you can review and update your account information in the Service’s settings page, or contact us at support@earthmera.com to request access to, correction of, or deletion of your personal information. Depending on where you live, you may have additional rights under applicable data protection law, and we will honor them.
  • Disconnecting a social account:remove the Instagram or TikTok integration at any time via the Service’s settings page. The Service promptly revokes and deletes the stored OAuth token. To also revoke access on the platform side, remove the Service from Instagram’s “Apps and websites” settings or TikTok’s “Security > Apps” settings.
  • Account deletion:request deletion of your entire Gamdo account at any time via the Service’s settings page. Deletion is processed after a 72-hour grace period during which you may cancel by signing in. After the grace period, all associated user data is removed within 30 days, except where retention is required by law. If you cannot access your account, email support@earthmera.com.

For step-by-step data deletion procedures, see the Gamdo Data Deletion page.

7. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that a child under 13 has provided personal information, we will delete it as quickly as reasonably practical.

8. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction. We protect your information as described in this policy regardless of where it is processed.

9. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by the “Last updated” date at the top of this page. If we make material changes, we will notify you through the Service or by email.

10. Contact Us

If you have questions or comments about this policy, or wish to exercise your privacy rights, contact us at:

EarthMera
1010 Bedford Avenue #206
Brooklyn, NY 11205, United States
support@earthmera.com