Privacy Policy
This page explains how personal data is processed when you visit the Published website or use account-related features. It documents all third-party services that process personal data on our behalf or in connection with our services.
Controller details still need to be completed
Before publishing this page publicly, replace the placeholder company and contact details below with your legal entity, registered address, and privacy contact.
1. Controller
Please replace this section before going live:
[Legal entity name]
[Street, postal code, city, country]
[Email address for privacy requests]
2. Purposes and legal bases
We process personal data only to the extent necessary to operate the website, provide secure account access, answer inquiries, and protect the product against misuse.
Depending on the specific processing activity, the legal bases are Article 6(1)(b) GDPR where processing is necessary to provide account and contract-related functionality, Article 6(1)(f) GDPR for security, abuse prevention, and technical operation, and Article 6(1)(c) GDPR where statutory retention duties apply.
3. Website access data
- When you visit the site, technical request data may be processed, including IP address, browser and device information, timestamps, referrer, and requested resources.
- We use this data to deliver the site securely, diagnose technical issues, and maintain system integrity.
- Retention depends on operational necessity and security requirements.
4. Processors and third-party services
The following third-party services process personal data on our behalf or in connection with our services.
4.1 Kinde — Authentication and user management
We use Kinde Pty Ltd (Level 4, 60 Martin Place, Sydney NSW 2000, Australia) for registration, sign-in, session management, user administration, and related security features. Kinde operates regional infrastructure; for our deployment, customer data is processed in the European Union.
Under Kinde’s Data Processing Addendum, we act as controller for our end users’ personal data and Kinde acts as processor. Kinde may process limited account information as an independent controller where required to operate the service and the contractual relationship with us.
- Categories of data: email address, name, profile image URL, authentication identifiers, session data, technical metadata such as IP address, browser and device information, and where applicable role and permission assignments.
- Purposes: account creation, sign-in, verification, session management, abuse prevention, and account administration.
- Legal bases: Article 6(1)(b) GDPR for account and contract functionality, plus Article 6(1)(f) GDPR where security and misuse prevention measures are required.
4.1.2 Transfer safeguards
Kinde is headquartered in Australia and runs regional data residency. EU customer data is hosted in EU regions. Where Kinde or its subprocessors process data outside the EEA, the Kinde DPA incorporates Standard Contractual Clauses as the transfer mechanism.
- Primary measure: EU data residency for end-user authentication data.
- Fallback mechanism: Standard Contractual Clauses as incorporated by the Kinde DPA.
- Current subprocessors and their processing locations are published by Kinde on its trust and subprocessor pages.
4.2 Convex — Backend infrastructure and database
We use Convex, Inc., San Francisco, CA, United States, as our backend infrastructure provider. Convex hosts our application database, executes serverless functions, and provides file storage. In this context, Convex acts as a processor under Article 28 GDPR.
- Categories of data: user profile data linked to authentication (user IDs, display names, email addresses), application content created or uploaded by users (documents, media references, project metadata, image metadata including EXIF/XMP/IPTC), organization and membership data, and technical metadata (timestamps, function execution logs).
- Purposes: persistent storage of application data, execution of server-side business logic, real-time data synchronization between clients, and file storage.
- Legal bases: Article 6(1)(b) GDPR for contract performance and Article 6(1)(f) GDPR for system integrity and security.
4.2.2 Transfer safeguards
Convex is based in the United States. Application data is hosted in Convex’s US infrastructure. The transfer of personal data to the United States cannot be excluded.
Convex provides a Master Subscription Agreement that includes data protection provisions. The applicable transfer mechanisms are set out in the agreement between us and Convex.
4.3 Cloudflare — Hosting, CDN, and object storage
We use Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, United States, for website hosting (Cloudflare Pages), serverless computing (Cloudflare Workers), content delivery (CDN), and object storage (Cloudflare R2). Cloudflare acts as a processor for these services.
- Categories of data: IP addresses and technical request metadata (browser, device, timestamps, referrer) processed during content delivery, as well as user-uploaded media files stored in R2 (which may contain embedded image metadata such as EXIF data including GPS coordinates).
- Purposes: secure delivery and hosting of the website, edge computing for image processing, and persistent storage of user-uploaded media.
- Legal bases: Article 6(1)(b) GDPR for providing the service and Article 6(1)(f) GDPR for security, performance optimization, and DDoS protection.
4.3.2 Transfer safeguards
Cloudflare operates a global network. Content is served from the edge location closest to the user. Cloudflare is self-certified under the EU–U.S. Data Privacy Framework and offers a Data Processing Addendum that includes Standard Contractual Clauses.
R2 object storage may be configured for specific regions. The applicable storage location depends on our configuration.
4.4 Stripe — Payment processing
We use Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, United States, and its EU entity Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland, for payment processing. Depending on the processing activity, Stripe acts as a processor on our behalf or as an independent controller for its own fraud prevention, regulatory compliance, and financial reporting obligations.
Payment card details are collected directly by Stripe through Stripe Elements. Card numbers are never transmitted through or stored on our servers. Stripe is a certified PCI DSS Level 1 service provider.
- Categories of data: name, email address, billing address, payment method details (handled directly by Stripe), transaction amounts, currency, transaction identifiers, and device data and IP address for fraud detection.
- Purposes: processing payments for subscriptions or purchases, invoice generation, fraud detection and prevention, and regulatory compliance (anti-money laundering, sanctions screening).
- Legal bases: Article 6(1)(b) GDPR for payment processing necessary to perform the contract, Article 6(1)(c) GDPR for Stripe’s statutory obligations as a payment service provider, and Article 6(1)(f) GDPR for fraud prevention.
4.4.2 Transfer safeguards
Stripe Payments Europe, Ltd. processes EU payment data within the EEA where possible. For transfers to Stripe, Inc. in the United States, Stripe relies on the EU–U.S. Data Privacy Framework and Standard Contractual Clauses.
4.5 Google Gemini — AI-powered text and image analysis
We use the Google Gemini API provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, for automated text and image analysis within our application. This includes content description, categorization, and quality assessment of user-uploaded media.
Google acts as a processor for data submitted through the Gemini API when used under paid service terms. Under Google’s API terms for paid services, prompts and responses are not used by Google to train or improve its models.
- Categories of data: text content and image data submitted for analysis, associated metadata, and API request data (IP address, authentication tokens).
- Purposes: automated content analysis, image description, categorization, and generation of text suggestions based on user content.
- Legal bases: Article 6(1)(b) GDPR for providing AI-assisted features as part of the service and Article 6(1)(f) GDPR for content quality and relevance assessment.
4.5.2 Transfer safeguards
Google LLC is based in the United States. Data submitted to the Gemini API is processed in Google’s infrastructure, which may include US-based facilities. Google is self-certified under the EU–U.S. Data Privacy Framework and offers a Data Processing Addendum with Standard Contractual Clauses.
4.6 Social media integrations — Publishing to social media platforms
Our application allows users to connect their accounts on social media platforms (including Facebook, Instagram, Threads, Pinterest, Bluesky, and potentially others) in order to publish and manage content. When a user connects a platform, our application accesses platform APIs on behalf of that user using OAuth tokens.
The social media platforms themselves act as independent controllers for data processed on their platforms. We act as a controller for the OAuth tokens and related connection data stored in our systems. OAuth tokens are stored in encrypted form.
- Categories of data: OAuth access tokens and refresh tokens (stored encrypted), platform user identifiers, page or profile identifiers, platform-specific content identifiers, and content metadata returned by platform APIs.
- Purposes: authenticating with social media platforms on behalf of the user, publishing content to connected platforms, retrieving post performance data, and managing platform connections.
- Legal bases: Article 6(1)(b) GDPR for providing the social media publishing functionality as part of the service.
4.6.2 Token lifecycle and disconnection
OAuth tokens are stored only for as long as a platform connection is active. When a user disconnects a social media platform, the associated tokens and connection data are deleted from our systems. Token refresh cycles follow each platform’s expiration policies.
5. International transfers
Several of the services listed above are based in the United States or operate global infrastructure. Where personal data is transferred to a third country, the transfer relies on the mechanisms described in each service section above (EU–U.S. Data Privacy Framework, Standard Contractual Clauses, or other applicable safeguards).
6. Storage periods
- Account-related data is stored for as long as an account exists and as long as required for contract performance, security, and legitimate retention duties.
- When an account is deleted, data is erased or restricted in line with applicable retention obligations and technical deletion routines.
- Log and security data may be retained for shorter operational periods where necessary to detect abuse or investigate incidents.
7. Recipients
Personal data is disclosed only where this is necessary for service delivery, legal compliance, or secure technical operations. The following recipients process personal data in connection with our services:
- Kinde for authentication and user management.
- Convex for backend infrastructure and database.
- Cloudflare for hosting, CDN, and object storage.
- Stripe for payment processing.
- Google Gemini for AI-powered text and image analysis.
- Social media integrations for publishing to social media platforms.
8. Data subject rights
- Right of access under Article 15 GDPR.
- Right to rectification under Article 16 GDPR.
- Right to erasure under Article 17 GDPR.
- Right to restriction of processing under Article 18 GDPR.
- Right to data portability under Article 20 GDPR.
- Right to object under Article 21 GDPR.
- Right to lodge a complaint with a supervisory authority.
9. Security
We implement technical and organizational measures appropriate to the risk in order to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access.
10. Updates to this policy
We may update this privacy policy where our services, processors, or legal obligations change. The version published on this page is the current version.