10Ten Analytics10Ten Analytics

Privacy Policy

Effective date: 11 May 2026

This Privacy Policy describes how Solution Club Limited, a company registered in England and Wales (company number 13420470, registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom) and trading as 10Ten Creatives (“10Ten”, “we”, “us”, “our”), collects, uses, stores, and protects information in connection with the 10Ten Analytics platform (the “Service”) accessible at analytics.10tencreatives.com.

10Ten Analytics is a business-to-business (B2B) analytics platform used by marketing agencies and their clients to monitor the performance of social media accounts they own or manage on Instagram and TikTok. This policy applies to data we process about users of the Service and about the social-media accounts they connect to it.

1. Who this policy applies to

We process two broad categories of personal data:

  • Platform users— staff of marketing agencies and their clients who log into 10Ten Analytics with an email address and password.
  • Connected social-media accounts— the Instagram and TikTok accounts that platform users authorise the Service to read. We process this data on behalf of the platform user, who must own the account or have the account owner’s permission to connect it.

2. What data we collect

2.1 Account data (from you)

  • Email address and password (passwords are hashed by our authentication provider; we never see the plaintext).
  • Display name and the name of the agency or company you represent.
  • Role and permissions assigned to you within the Service.
  • Session cookies and authentication tokens required to keep you logged in.

2.2 Connected-account data (from Meta and TikTok)

When you connect an Instagram or TikTok account to the Service we request access to data about that account through the third parties listed in section 3. The categories we request are:

  • Account profile— username, display name, profile picture, biography, follower and following counts, account category, and whether the account is a Business, Creator, or Personal account.
  • Posts and media— captions, hashtags, media URLs, post type (image, video, reel, carousel, story), permalink, and publish timestamp.
  • Engagement metrics— likes, comments, shares, saves, plays, video views, watch time, reach, impressions, and other metrics that the platform exposes through its analytics API.
  • Audience demographics(where the platform exposes them) — aggregated, anonymised breakdowns of the account’s audience by country, city, age band, and gender. We do not receive personally identifiable information about followers.

We do notrequest or store: direct messages, private content, contact lists, the content of followers’ profiles, or payment information.

2.3 Operational data

  • Application logs— request paths, response codes, and timing data, retained for operational debugging.
  • Error reports— uncaught exceptions and stack traces, sent to Sentry. We configure Sentry to scrub email addresses, tokens, and other obvious personal data from error events.
  • Cookies— we use first-party cookies for authentication (Supabase-issued session cookies). We do not use third-party advertising cookies and we do not run third-party analytics scripts on the authenticated dashboard.

3. Third-party data sources

We retrieve connected-account data from the following APIs, in each case only with the access scopes you authorise:

  • Meta Graph API (Instagram). Access is granted via the Meta-issued OAuth flow (Instagram Login) and uses the long-lived access token issued to your account.
  • TikTok Display API(and the TikTok Login Kit). Access is granted via TikTok’s OAuth flow under the Display API permission scope.
  • Third-party data providers via RapidAPI— for public profile and public post metrics on accounts that have not been connected through OAuth (for example, when an agency wants to benchmark a competitor’s public profile). These providers only return information that is already publicly visible on the relevant social network.

Use of data obtained through Meta’s APIs is bound by Meta’s Platform Terms. Use of data obtained through TikTok’s APIs is bound by TikTok’s Developer Terms of Service. We comply with both.

4. How we use your data

We use the data described above to:

  • Authenticate you and keep you logged in to the Service.
  • Display analytics dashboards, charts, post-level breakdowns, and exportable reports for the social-media accounts you have connected.
  • Compute derived metrics (rolling averages, period-over-period comparisons, and performance scores) over the connected-account data.
  • Send transactional notifications (for example, alerting you when a connected account is underperforming or when an integration has disconnected).
  • Monitor and debug the Service through application logs and Sentry error reports.
  • Comply with our legal obligations and enforce our Terms of Service.

We do not sell your data, use it for cross-context behavioural advertising, or share it with advertisers.

5. Legal basis for processing (UK / EU GDPR)

  • Contract— processing necessary to provide the Service you have signed up for (Article 6(1)(b) UK GDPR).
  • Legitimate interests— service improvement, security monitoring, and fraud prevention (Article 6(1)(f) UK GDPR).
  • Consent— where you grant Meta or TikTok permission to share data with the Service through their OAuth flow.
  • Legal obligation— where we are required by law to retain or disclose data (Article 6(1)(c) UK GDPR).

6. Where and how we store data

  • Database— Supabase-managed PostgreSQL, hosted in the European Union (Ireland). All data is encrypted at rest using AES-256 and in transit using TLS 1.2+.
  • Compute— Amazon Web Services EC2, hosted in the eu-west-2 (London) region.
  • Error logs— Sentry. Sensitive payload fields are scrubbed before transmission.
  • Backups— daily encrypted database snapshots managed by Supabase.

Where data is transferred outside the UK or European Economic Area (for example, to Sentry in the United States), we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum to safeguard the transfer.

7. How long we keep data

  • Account data— retained for as long as your account is active. If you close your account, we delete it within 30 days, except where we are required to retain records for longer to comply with a legal obligation.
  • Connected-account profile and posts— retained for as long as the connection is active. If you disconnect an account or revoke our access via Meta or TikTok’s native permission controls, we delete the connection’s API tokens immediately and delete the historical data within 30 days, unless you ask us to retain the historical analytics record.
  • Historical metric snapshots— we keep daily metric snapshots for the lifetime of the connection to enable long-range trend analysis. If you delete the connection or your account, these snapshots are deleted within 30 days.
  • Application logs— up to 30 days.
  • Error reports— up to 90 days in Sentry.

8. Sharing your data

We share data only with the following categories of recipient:

  • Sub-processors who help us run the Service (Supabase, Amazon Web Services, Sentry, Resend for transactional email, and the RapidAPI providers listed in section 3). Each sub-processor is contractually bound to process data only for the purposes we instruct and to apply appropriate technical and organisational measures.
  • Authorised users of your account— for example, if your agency adds team members to the same workspace, those team members can see the connected accounts your workspace has access to.
  • Authorities and legal advisors, where disclosure is required by law, court order, or to defend our legal rights.

9. Your rights

Under the UK GDPR and the EU GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data deleted (subject to legal-retention obligations).
  • Export your data in a portable, machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent for OAuth-based integrations at any time.
  • Lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

To exercise any of these rights, email privacy@10tencreatives.com. We respond within 30 days.

10. How to disconnect or delete connected accounts

You can revoke 10Ten Analytics’ access to a connected social-media account in two ways:

  • In-app— open the connected-account’s settings in 10Ten Analytics and choose “Disconnect”. This invalidates the stored API tokens and queues the data for deletion within 30 days.
  • From the social network— you can also revoke access from Instagram’s “Apps and Websites” settings or TikTok’s “Manage app permissions” settings. We detect token revocations and delete the data on the same 30-day cycle.

11. Meta and TikTok data-deletion callbacks

Meta and TikTok require apps to honour user-initiated data-deletion requests issued through their platforms. We comply with both:

  • Meta Data Deletion Callback — submitted requests are received at /api/auth/meta/data-deletion. We confirm receipt of the request with the status URL Meta requires, then delete all data associated with the user’s Meta identifier within 30 days.
  • TikTok Data Deletion— requests received through TikTok’s channel are processed by the same internal deletion pipeline within 30 days.

You can also email privacy@10tencreatives.com at any time to request deletion of all data we hold about you or about an account you control.

12. Security

We protect your data with: TLS-encrypted transport, AES-256 encryption at rest, short-lived access tokens, row-level access controls in the database, segregated production and staging environments, automated security patching of operating-system and dependency vulnerabilities, audit logs of administrative actions, and a documented incident-response process. No system is perfectly secure, but we make a reasonable effort to apply industry-standard safeguards.

13. Cookies

The Service uses first-party cookies issued by our authentication provider (Supabase) to keep you signed in. These cookies are strictly necessary for the operation of the Service. We do not set third-party advertising cookies on the authenticated dashboard and we do not share cookie data with advertisers.

14. Children

The Service is a B2B analytics platform for marketing agencies and is not directed at individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, please contact us at privacy@10tencreatives.com and we will delete it promptly.

15. Changes to this policy

We may update this policy from time to time to reflect changes to the Service, our sub-processors, or applicable law. When we make a material change we will (a) update the “Effective date” at the top of this page and (b) notify registered users by email or by an in-app notice at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact us

Questions about this policy or about how we handle your data can be sent to:

Solution Club Limited
71-75 Shelton Street
Covent Garden, London WC2H 9JQ
United Kingdom
Email: privacy@10tencreatives.com