War MachineBack to App

Privacy Policy

Last updated: March 31, 2026

1. Introduction

War Machine ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketing automation platform and our Aegis Chrome extension (collectively, "our services").

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and password. If you opt in to SMS notifications, we collect your phone number. If you subscribe to a paid plan, we collect payment information through our payment processor, Stripe.

2.2 Connected Accounts

When you connect third-party services (such as social media platforms, email providers, WordPress, or analytics services), we collect and store access tokens and related credentials to perform actions on your behalf. This may include:

  • Social media accounts (Facebook, Instagram, Twitter/X, LinkedIn, Bluesky, Mastodon, Reddit)
  • Email accounts (Gmail, Outlook, IMAP)
  • Website platforms (WordPress)
  • Analytics services (Google Analytics, Google Search Console)

2.3 Content and Usage Data

We collect content you create or upload through our platform, including text, images, and generated content. We also collect usage data such as features used, conversations, and interactions with our systems.

2.4 Aegis Chrome Extension

The Aegis Chrome extension operates differently from our web platform. To provide browser security protection, the extension accesses the following data locally within your browser:

  • URLs you visit — checked against threat databases to block malicious sites
  • Download metadata — file names and download URLs are inspected for dangerous file types
  • Page content (DOM) — analyzed locally for phishing indicators such as fake login forms
  • Script elements — monitored for known cryptomining code

This data is processed entirely within your browser and is never transmitted to War Machine servers. We do not operate any servers that receive data from the extension. The extension does not require a War Machine account and does not link browsing activity to your account in any way.

The extension also stores the following data in your browser's local storage:

  • User preferences — which protection features are enabled or disabled
  • Threat statistics — aggregate counts of blocked threats (e.g., "5 URLs blocked")
  • URL cache — temporary cache of threat lookup results to reduce API calls (automatically expires)
  • Whitelist — domains you have chosen to allow

This locally stored data never leaves your browser and is deleted if you uninstall the extension.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Generate content on your behalf
  • Post content to your connected social media accounts
  • Send emails through your connected email accounts
  • Send SMS notifications about account activity, automation alerts, and daily digests (with your opt-in consent)
  • Analyze website performance and SEO metrics
  • Send administrative communications and updates
  • Respond to your comments and questions
  • Protect against fraudulent or illegal activity

Aegis extension: Data accessed by the extension is used solely to provide real-time threat protection within your browser. It is not used for marketing, analytics, profiling, or any other purpose.

4. Third-Party Services

We use the following third-party services to operate our platform:

  • Meta (Facebook & Instagram): Social media management, engagement, and advertising (see Section 5 for details)
  • Supabase: Database and authentication services
  • Stripe: Payment processing
  • OpenAI: Content generation
  • Anthropic: Content generation
  • Resend: Transactional emails
  • Twilio: SMS messaging services
  • Vercel: Hosting and deployment

Each third-party service has its own privacy policy governing the use of your information.

4.1 Third-Party Services Used by Aegis Extension

The Aegis extension uses the Google Safe Browsing API to check URLs against Google's threat database. This works as follows:

  • URL hash prefixes (not full URLs) are sent to Google's Safe Browsing service for lookup
  • Google does not associate these lookups with your Google account or personal identity
  • This service is governed by Google's Privacy Policy

No other third-party services receive any data from the Aegis extension.

5. Facebook & Meta Platform Data

Our platform integrates with Meta's products (Facebook, Instagram, and Meta Ads) to provide social media management and advertising features. This section describes how we handle data obtained through Meta's APIs in compliance with Meta's Platform Terms and Developer Policies.

5.1 Data We Access from Meta

When you connect your Facebook or Instagram account, we access the following data through Meta's Graph API:

  • Your account information: Name, email, and profile details associated with your Facebook account
  • Pages you manage: Page names, IDs, categories, and page-level access tokens for Facebook Pages you administer
  • Instagram Business accounts: Username, name, profile picture, and account ID for Instagram Business accounts connected to your Facebook Pages
  • Page engagement data: Comments, likes, mentions, and messages on your Facebook Pages and Instagram Business accounts, including the names and profile pictures of users who interact with your business assets
  • Page and post insights: Follower counts, engagement metrics, impressions, reach, and other analytics data
  • Ad account data: Campaign performance, ad set targeting, spend, impressions, clicks, and conversion metrics from your Meta Ads accounts

5.2 How We Use Meta Data

We use data obtained from Meta exclusively to provide the following features:

  • Content publishing: Creating and scheduling posts to your Facebook Pages and Instagram Business accounts on your behalf
  • Engagement management: Displaying comments, mentions, and messages on your business assets so you can view and respond to them from our dashboard
  • Analytics and reporting: Presenting engagement metrics, follower trends, and post performance in dashboards and automated reports
  • Automated engagement: With your explicit opt-in, using AI to suggest or auto-send responses to comments and mentions on your Pages
  • Advertising management: Creating, monitoring, and optimizing Meta Ads campaigns on your behalf

5.3 Business Asset User Profile Data

When users interact with Facebook Pages or Instagram Business accounts that you manage (for example, by commenting on a post or sending a message), we access their basic profile information (such as name and profile picture) solely to display it within our dashboard so you can identify and respond to those interactions. This data is:

  • Used only to display interactions within our dashboard for the Page administrator
  • Never sold, licensed, or shared with any third party
  • Never used for advertising, profiling, or tracking purposes beyond the business asset context
  • Never used for surveillance or any purpose unrelated to managing your business assets
  • Not stored permanently — it is retrieved from Meta's API when needed and displayed in-session

5.4 Meta Data Retention and Deletion

Access tokens and page credentials are stored in encrypted form for as long as your account is connected. When you disconnect your Facebook or Instagram account through our platform, we immediately delete all stored access tokens, page tokens, and associated credentials from our database. Cached engagement data is purged and no longer accessible.

If you remove our app from your Facebook settings or deauthorize access through Meta, we process the deauthorization and delete all associated Meta data from our systems.

5.5 Meta Platform Compliance

Our use of data obtained from Meta's APIs complies with Meta's Platform Terms, Developer Policies, and all applicable data use requirements. We do not use Meta data for purposes other than those described in this section and approved by Meta through their app review process.

6. SMS Messaging

6.1 SMS Opt-In and Consent

War Machine offers optional SMS notifications for account alerts, automation summaries, and transactional messages. SMS messaging is strictly opt-in — consent to receive text messages is collected through a separate, standalone opt-in checkbox in your account settings, independent of any other agreement. You must explicitly check the SMS consent box and provide your phone number to receive messages. Consent to receive SMS is not required as a condition of purchasing or using the Service. You may opt out at any time by replying STOP to any message or disabling SMS notifications in your account settings.

6.2 Data Collected for SMS

When you opt in to SMS notifications, we collect and store:

  • Phone number: Used solely to deliver SMS notifications you have opted in to receive
  • SMS consent status: Whether you have opted in or out of SMS notifications
  • Message delivery logs: Delivery status of messages sent to your number, retained for troubleshooting and compliance

6.3 How We Use SMS Data

Your phone number and SMS data are used exclusively to:

  • Send account notifications and alerts you have opted in to
  • Deliver automation summaries such as daily digests, analytics alerts, and lead scoring updates
  • Send transactional messages related to your account activity

We do not use your phone number for marketing, promotional messages, or any purpose beyond the notifications you have consented to. Your phone number is never sold, shared with third parties for their marketing purposes, or used for advertising.

6.4 SMS Service Provider

SMS messages are delivered through Twilio, a third-party communications platform. When we send you an SMS, your phone number is transmitted to Twilio solely for message delivery. Twilio's handling of this data is governed by Twilio's Privacy Policy.

6.5 SMS Data Retention and Deletion

Your phone number is stored for as long as you have SMS notifications enabled. When you opt out of SMS notifications or delete your account, your phone number and associated SMS data are deleted from our systems within 30 days. Message delivery logs may be retained for up to 90 days for compliance and troubleshooting purposes.

6.6 Message Frequency and Charges

Message frequency varies based on your notification preferences and automation settings. Standard message and data rates may apply depending on your mobile carrier and plan. You can control which notifications are sent via SMS in your account settings.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • With your consent or at your direction
  • With service providers who assist in our operations
  • To comply with legal obligations
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets

Aegis extension: Because the extension does not collect or transmit personal data to our servers, there is no extension user data to share or disclose. The only external communication is URL hash prefix lookups to Google Safe Browsing, as described in Section 4.1.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes encryption of data in transit and at rest, secure authentication, and regular security assessments.

For the Aegis extension, all data processing occurs locally within your browser's sandboxed extension environment. No personal data is transmitted to or stored on our servers.

9. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. You may request deletion of your account and associated data at any time by contacting us. We will delete or anonymize your information within 30 days of such request, unless we are required to retain it for legal purposes.

For the Aegis extension, locally stored data (preferences, statistics, and cached results) is retained only within your browser and is automatically deleted when you uninstall the extension. You can also reset statistics or clear cached data through the extension's dashboard at any time.

10. Your Rights

Depending on your location, you may have the following rights:

  • Access your personal information
  • Correct inaccurate information
  • Delete your personal information
  • Object to or restrict processing
  • Data portability
  • Withdraw consent

To exercise these rights, please contact us at the email address provided below.

11. Cookies and Tracking

We use essential cookies to maintain your session and preferences. We do not use third-party advertising cookies. You can control cookie settings through your browser preferences.

The Aegis extension does not use cookies, tracking pixels, or any analytics or telemetry systems.

12. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

The Aegis extension does not collect personal information from any user of any age.

13. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We ensure appropriate safeguards are in place for such transfers.

The Aegis extension processes all data locally on your device. The only cross-border data transmission is URL hash prefix lookups to Google's Safe Browsing service, which is governed by Google's data processing practices.

14. Aegis Extension Permissions

The Aegis Chrome extension requests certain browser permissions to function. We believe in transparency about why each permission is needed:

  • Access to all websites: Required to check URLs and scan page content for threats across all sites you visit
  • Web requests: Needed to intercept and analyze navigation requests before malicious pages load
  • Downloads: Needed to inspect downloads for dangerous file types and malicious source URLs
  • Storage: Needed to save your preferences and threat statistics locally in your browser
  • Tabs: Needed to redirect you to a warning page when a threat is detected
  • Notifications: Needed to alert you when a threat is blocked or a suspicious download is detected
  • Scripting: Needed to inject content scripts for cryptominer detection and page-level phishing analysis

These permissions are used exclusively for security protection. They are never used to collect, store, or transmit personal data.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of our services after any changes constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: support@warmachine.io