Toolwise is private internal software operated by Kabir Hafeez (KabirHafeez.co) at https://kabir.toolwise.tech. This document describes what data Toolwise processes and the third-party services it integrates with.
1. Who can use Toolwise
Toolwise is admin-only software. Access is gated by login. The only operator is Kabir Hafeez. No public sign-up exists and the platform is not offered as a service to outside users.
2. What data we process
When Kabir authenticates with a social platform (Meta / Facebook Pages + Instagram Business, LinkedIn Organizations, YouTube Channels, TikTok accounts) to grant Toolwise access, Toolwise receives and stores:
- Account IDs, page IDs, channel IDs, usernames, display names, follower counts, and profile pictures
- Long-lived access tokens and refresh tokens (encrypted at rest with AES-256-GCM)
- The set of OAuth scopes / permissions the operator granted to the Toolwise app on each platform
- Public post insights once posts have been published (impression / engagement counts as returned by the platform)
When Toolwise is used to manage agency clients, the following data is stored:
- Client metadata (name, slug, industry, brand voice, brand kit)
- Content drafts (captions, hashtags, scheduled times, attached media references)
- Image and video media uploaded by the operator or generated via AI
- Conversation history with AI agents (used for context across turns)
- Operational logs and audit records of administrative actions
3. Third-party services
Toolwise integrates with the following services using credentials the operator explicitly configures. No personal data is shared between clients.
- Meta Graph API — for publishing to Facebook Pages and Instagram Business accounts the operator has authorized. Uses pages_manage_posts, instagram_content_publish, and related scopes granted at connect time.
- LinkedIn API — for publishing to LinkedIn Organization pages the operator has authorized.
- YouTube Data API v3 — for uploading videos and Shorts to YouTube channels the operator has authorized. Uses the youtube.upload scope.
- TikTok Content Posting API — for uploading and publishing videos to TikTok accounts the operator has authorized. Uses user.info.basic, video.upload, and video.publish scopes.
- OpenRouter (routing to Anthropic Claude Sonnet 4) — for the Yahya agent runtime, which reasons over conversation context and platform actions.
- OpenRouter (Google Nano Banana Pro / Gemini 2.5 Flash Image) — for AI image generation.
- Cloudflare R2 — for media storage. Bytes are scoped to per-client folder prefixes.
- Google Drive (service account) — optional file storage for research output and references.
- GitHub — for backing up the agent’s persistent memory (markdown files) to a private repository.
- Discord webhooks — for operational notifications (errors, audit events, agent activity).
- Hostinger — VPS infrastructure provider hosting Toolwise.
4. Data retention
Data is retained for as long as Toolwise continues to operate. The operator can manually delete most data at any time:
- Access tokens and refresh tokens for every connected social platform (Meta, LinkedIn, YouTube, TikTok) are deleted when the operator disconnects that account in /social/accounts.
- Content posts and media may be deleted from the content library or media library.
- AI conversation history can be pruned per session.
- Discord notifications are sent in real time and not retained outside Discord’s own retention.
- Encrypted backups of the agent’s brain memory are mirrored to GitHub on a 15-minute schedule and persist for the lifetime of that repository.
5. Data deletion
To request deletion of any data Toolwise holds about a Meta account or a connected Page or Instagram Business account, see /data-deletion for the manual process, or email mail@kabirhafeez.co. Requests are honored within 7 business days.
6. Security
- TLS in transit (Let’s Encrypt certificate, managed by CloudPanel).
- AES-256-GCM envelope encryption for sensitive secrets at rest, keyed off a server-side master secret.
- SSH key authentication only on the production servers; no password access.
- Environment secrets (API keys, OAuth credentials, database URLs) are never committed to source control.
- Audit logging of all administrative database mutations.
7. Children
Toolwise is not directed at children. It is internal agency operations software for an adult professional.
8. Cookies
Toolwise sets a single httpOnly session cookie (tw_auth) for authenticated session management. No analytics, advertising, or third-party tracking cookies are set.
9. Contact
Kabir Hafeez
Email: mail@kabirhafeez.co
Web: https://kabirhafeez.co
10. Changes to this policy
Material changes to this policy will be reflected by updating the "Last updated" date above. Because Toolwise is internal-only, no external user notifications are necessary; the operator (Kabir) is the only party affected by policy revisions.