Privacy Policy

1. Who we are

ScalePlant Socials is the data controller for the personal data processed through this platform. References to "we", "us", and "our" in this policy refer to ScalePlant Socials.

If you have a privacy question or want to exercise your rights, contact us through the support channels available in your account workspace.

2. Personal data we collect

Account and identity data: name, email address, hashed password, locale, timezone, profile picture (if provided through Google sign-in), and your acceptance of legal documents.

Workspace data: business profile (name, industry, brand description, brand colours, location, website, hashtag preferences), products and services, uploaded media (images, videos, captions), and team membership.

Integration data: tokens, page IDs, account IDs, and basic public profile data for the third-party social platforms you connect (Meta/Instagram, Facebook, LinkedIn). Tokens are stored encrypted at rest.

Content and AI inputs: prompts, reference images, captions, plans, and other instructions you submit to the AI tooling. These inputs are sent to our model provider (currently Google) under the configuration described in section 5.

Usage and telemetry: pages and features you visit, posts you create or schedule, error and audit logs, IP address, browser, device characteristics, and timestamps. We use this to operate the platform reliably and to investigate abuse.

Billing data: subscription plan, invoices, last four digits of the payment method, billing address, and Stripe customer/subscription identifiers. Full card numbers are never stored on our systems — they are handled directly by Stripe.

Communications: support messages, marketing preferences, and any feedback you submit.

3. Why we use your data and our legal bases

Performance of contract: to register your account, deliver subscription features, generate AI content you ask for, schedule and publish posts, process payments, and provide support.

Legitimate interests: to keep the platform secure, prevent abuse, debug errors, improve the service through aggregated analytics, monitor service quality, and exercise our legal rights.

Consent: for optional emails (marketing, product updates, service tips and tricks) and for optional analytics or marketing cookies, where applicable. You may withdraw consent at any time without affecting prior processing.

Legal obligation: to keep accounting records, comply with tax or anti-fraud obligations, and respond to lawful requests from competent authorities.

4. Cookies and similar technologies

We use a small set of strictly necessary cookies to keep you signed in, remember your locale, and protect against CSRF and abuse. These do not require consent.

Where used, analytics or marketing cookies are deployed only after you give explicit consent through the cookie banner. See our Cookie Policy for the full list of categories and how to manage them.

5. Sub-processors and data sharing

We share personal data only with carefully selected service providers ("sub-processors") who help us run the platform under written data-protection terms. The current set includes: Cloudflare (hosting, R2 object storage, network protection); Stripe (subscription billing); Google (Gemini AI for content generation, Google OAuth sign-in, optional Google Photos integration); Resend (transactional and marketing email); and the social platforms you choose to connect (Meta/Instagram, Facebook, LinkedIn).

We also share data with the social platforms when you choose to publish or schedule a post — by design, the post content, captions, and media you submit are forwarded to those platforms under their own terms.

We do not sell personal data, and we do not share personal data for advertising profiling outside the providers above.

6. International transfers

Some of our sub-processors are based outside the European Economic Area, including in the United States. Where data is transferred internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms required by applicable law.

7. Data retention

Account and workspace data: kept for as long as your account is active, then deleted or anonymised within a reasonable period after closure (typically up to 6 months) to allow account recovery and dispute resolution.

Generated and uploaded media: kept while the related plan or post exists, and then removed in line with the media-bank retention rules of your subscription plan.

Billing records: retained for the period required by tax and accounting law (typically 10 years in Portugal).

Logs and telemetry: typically rotated within 90 days unless required for security investigations.

8. Security

We use industry-standard measures to protect personal data, including TLS in transit, encryption of sensitive credentials at rest, scoped access controls, audit logging, and regular dependency updates. No system is perfectly secure, so we ask you to keep your credentials safe and to enable strong authentication where available.

9. Your rights

Subject to applicable law, you have the right to access your personal data, ask us to correct or delete it, restrict or object to certain processing, port your data to another provider, and withdraw consent for activities that rely on consent.

You may also lodge a complaint with the Portuguese data-protection authority (CNPD) or with the supervisory authority in your country of residence.

To exercise these rights, contact us through the support channels in your workspace. We aim to respond within one month, with a possible extension where the request is complex.

10. Children

ScalePlant Socials is intended for businesses and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to this policy

We may update this policy from time to time. The most recent version will always be available on this page, and we will indicate the new effective date at the top. Material changes will be highlighted in-app or by email where appropriate.