Lawful Basis for Processing (GDPR)
We process your personal data on the following legal bases under GDPR Article 6:
- Consent (Art. 6(1)(a)): When you grant OAuth access to your social media accounts, you explicitly consent to data collection for dashboard functionality.
- Contractual Necessity (Art. 6(1)(b)): Processing is necessary to provide the service you signed up for — managing your social media accounts.
- Legitimate Interest (Art. 6(1)(f)): We process minimal analytics data to improve the service, with your privacy balanced against our legitimate interest.
Your Rights (GDPR & CCPA)
Under GDPR and CCPA, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of all data we hold about you | Settings → Export Data |
| Rectification | Correct inaccurate personal data | Settings → Profile |
| Erasure | Delete all your data permanently | Delete Account |
| Portability | Receive your data in a machine-readable format | Compliance → Export |
| Restriction | Restrict processing of your data | Contact us |
| Objection | Object to processing based on legitimate interest | Contact us |
| Opt-Out of Sale (CCPA) | We do NOT sell personal data | N/A |
Data We Process per Platform
| Platform | Data Categories | Purpose |
|---|---|---|
| Meta (FB/IG) | Page insight metrics, comments, messages, post content | Analytics display, content management, inbox |
| Google (YouTube) | Video analytics, subscriber count, comments | Analytics display, comment management |
| | Pin metrics, board info, follower count | Analytics display, pin creation |
| X (Twitter) | Tweet metrics, follower count, DMs | Analytics display, posting, inbox |
Data Retention Schedule
| Data Type | Retention Period | After Deletion |
|---|---|---|
| OAuth tokens | Until disconnected or expired | Immediately destroyed |
| Analytics cache | 30 days rolling | Auto-purged |
| Audit logs | 90 days | Auto-purged |
| User profile | Until account deletion | Immediately destroyed |
| Media uploads | Until user deletes | Removed from Cloudinary within 24hrs |
| Backups | 7 days after deletion | Purged from backup rotation |
Data Breach Notification
In the unlikely event of a data breach affecting your personal data, we will:
- Notify the relevant supervisory authority within 72 hours (GDPR Art. 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document the breach and remediation steps in our internal incident log
Sub-Processors
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | US / EU (configurable) |
| Cloudinary | Media storage & delivery | US / EU regions |
| Vercel | Hosting & edge functions | Global edge network |
Data Protection Officer
For data protection inquiries, rights requests, or to file a complaint: