Candle Light

Legal

User Data Policy

Effective date: June 16, 2026

1. Scope

This User Data Policy explains how Candle Light handles data we receive when you connect third-party accounts (such as Facebook) to build your biography, and how you can review or delete that data at any time. It supplements our Privacy Policy.

2. What we receive from Facebook

When you connect your Facebook account, we may receive:

  • Your Facebook user ID and basic profile (name, profile picture).
  • Posts and "About" information from your own profile that you grant access to.
  • Public information from Pages you explicitly mention (e.g. a band or business page about you).
  • Content from public post URLs you paste into Candle Light.
  • An access token used only to fetch the above; tokens are stored encrypted.

We never request friends lists, private messages, or data from people who have not connected the service.

3. How we use it

  • To generate and refresh your biography on demand (live fetched each time).
  • To attribute sources in your biography so you can review and edit them.
  • To remember which accounts you have connected and when the token expires.

We do not sell user data, and we do not use Facebook data for advertising.

4. Retention

Connection records and tokens are retained while the connection is active. Generated biography content remains in your account until you remove it. If you disconnect Facebook or delete your account, we remove the connection and tokens immediately.

5. How to delete your data

You have three ways to remove data we received from Facebook:

  1. Disconnect from inside Candle Light: go to your Dashboard and remove the Facebook connection. This deletes the token and link to your Facebook user ID.
  2. Delete your Candle Light account: contact us and we will erase your account and all associated data within 30 days.
  3. Remove the app from Facebook: in your Facebook settings, remove Candle Light from Apps and Websites. Facebook will notify us via our Data Deletion Callback (below) and we will automatically delete the linkage.

6. Data Deletion Callback URL

For Facebook's "Data Deletion Request" requirement, our callback URL is:

https://candlelight.cloud/api/public/facebook/data-deletion

What happens when Facebook calls this URL:

  1. Facebook sends a signed_request containing your Facebook user ID, signed with our App Secret using HMAC-SHA256.
  2. Our endpoint verifies the signature with a timing-safe comparison. Unsigned or tampered requests are rejected with HTTP 400.
  3. We generate a unique confirmation code, record the request, and immediately delete every Facebook connection in our database that matches that Facebook user ID (tokens, page links, fetched-at timestamps).
  4. We respond to Facebook with JSON: { "url": "...", "confirmation_code": "..." }. The URL points to our public status page so you can verify the deletion.

You can look up the status of any deletion request here: https://candlelight.cloud/data-deletion-status

7. Security

All data is stored in an encrypted database with Row Level Security so only you (and our admin processes acting on your behalf) can read your records. Tokens and secrets are stored as restricted secrets and never exposed to the browser.

8. Contact

For any data-related question, email us via the address listed in our Privacy Policy. We respond to verified deletion and access requests within 30 days.