We collect the minimum needed to run the Service, store it securely, and never sell it. This page explains exactly what and why.
1. Who’s in charge of your data
The data controller is the operator of Social Media Agent. Contact: deylian@heykoop.nl.
2. What we collect
From you, directly
- Email address, name, avatar (Google OAuth or email sign-in)
- Workspace and brand voice settings
- Posts, captions, hashtags, images, videos you create or upload
- AI chat messages you send and the responses
- Connected social account metadata (handle, ID, profile name)
From platforms you connect
- OAuth access + refresh tokens (encrypted at rest with AES-256-GCM)
- Per-post performance metrics (impressions, reach, likes, comments, etc.)
Automatically
- IP address, user-agent, and last-active time for sessions (security)
- Cookieless product events (which features you use) — first-party, no third-party trackers
- Server logs (kept 30 days, then auto-deleted)
3. Why we collect it (lawful basis)
- To provide the Service — contract (GDPR Art. 6(1)(b))
- Security (session info, IPs) — legitimate interest (Art. 6(1)(f))
- Billing — contract + legal obligation (Art. 6(1)(c))
- Product analytics — legitimate interest, cookieless, opt-out anytime
We never use your content to train shared AI models.
4. Sub-processors we use
- OpenAI — AI text + image generation (your prompts + outputs)
- HeyGen — AI video generation (only when you use it)
- Stripe — billing (handles card data; we never see it)
- Hetzner — server hosting (Postgres, Redis, MinIO)
- Google — OAuth identity
- Meta / LinkedIn / X / TikTok / etc. — only when you connect them and only to publish what you asked us to publish
5. Where it lives
Primary storage is in the EU (Hetzner Falkenstein). Some sub-processors (OpenAI, HeyGen, Stripe) may process data in the US under Standard Contractual Clauses (SCCs).
6. How long we keep it
- Account data — until you delete your account
- Server logs — 30 days
- Audit trail — 12 months
- Invoices & payment records — 7 years (Dutch tax law)
- Deleted account data — purged within 30 days, except invoices
7. Your rights (GDPR)
You can, at any time:
- Export everything we hold for you — one JSON file via Privacy & data
- Delete your account and all associated data — same page
- Disconnect any social account immediately — Connected accounts
- Correct incorrect data — most fields are editable in-app; email us for anything else
- Object to processing or withdraw consent — email us
- Complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we’ve mishandled your data
8. Security
- All traffic is HTTPS (TLS 1.2+, modern ciphers only).
- OAuth tokens are encrypted at rest with AES-256-GCM.
- Sessions are httpOnly, SameSite=Lax cookies. We never store the token itself — only a SHA-256 hash.
- Optional two-factor authentication (TOTP) available in Security.
- Strict Content Security Policy and rate-limiting on all endpoints.
9. Children
The Service is not for users under 16. If we learn we’ve collected data on a child under 16, we delete it.
10. Changes to this policy
Material changes will be announced in-app at least 14 days before they take effect. The last-updated date at the top of this page always reflects the current version.
11. Contact
Privacy questions, data requests, or complaints: deylian@heykoop.nl.