1.Introduction
This Privacy Policy explains how SocialAPI.ai ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website (https://social-api.ai), our API services, our MCP server, our SDKs, our documentation, and any related services (collectively, the "Service").
We are committed to protecting your privacy and handling your data transparently. This policy complies with the General Data Protection Regulation (RGPD/GDPR), the French Loi Informatique et Libertés, the Loi pour la Confiance dans l'Économie Numérique (LCEN), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
By using our Service, you agree to the practices described in this policy. If you do not agree, please do not use our Service.
2.Who We Are
SocialAPI.ai is operated by Erwan Prost, auto-entrepreneur / micro-entreprise registered in France (SIREN: 102198884).
- General inquiries: legal@social-api.ai
- Data Protection Officer: dpo@social-api.ai
- Security: security@social-api.ai
- Supervisory authority: CNIL (www.cnil.fr)
For the purposes of RGPD/GDPR, we act as:
- A data controller for your account data, billing information, and website usage data.
- A data processor when we access and store social media data (comments, DMs, posts, reviews) on your behalf through our API. In this capacity, you (our customer) are the data controller and we process data according to your instructions.
3.Data We Collect
Account data: Email, name, profile picture, and optional onboarding preferences.
Authentication data: Passwords and API keys (securely hashed), encrypted social media access tokens, and login activity logs (IP address, timestamp).
Billing data: Stripe customer ID and plan information. We never store card numbers.
Social media data: When you connect an account, we store your posts, comments, direct messages, and engagement metrics. This includes data from third-party users who interact with your content (e.g., commenter names and profile pictures). Reviews and mentions are fetched in real-time and not stored. We access data via platform APIs including the Instagram Graph API.
Media files: Uploaded files stored on Cloudflare R2 with a 60-day automatic expiry.
4.How We Use Your Data
We use your data for the following purposes:
- Providing the Service: Authenticating requests, connecting social media accounts, reading and sending comments and DMs, publishing posts, and storing inbox data.
- Billing: Processing subscriptions via Stripe and enforcing plan limits.
- Security: Detecting and preventing fraud, abuse, and unauthorized access. Recording login activity (IP address, user agent) for security monitoring.
- Analytics (with your consent): Analyzing page views and checkout events via PostHog to improve our Service.
- Communication: Sending transactional emails via Resend (password resets, billing receipts).
- Legal compliance: Fulfilling our obligations under applicable laws, responding to CNIL inquiries, and processing Meta data deletion callbacks.
We do not:
- Sell your personal data to third parties
- Use social media content for advertising purposes
- Train AI models on your data or the data of your end-users
- Profile your end-users for marketing purposes
5.Legal Bases for Processing
Under RGPD/GDPR, we process your personal data based on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Billing and payments | Performance of a contract (Art. 6(1)(b)) |
| Transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics — anonymous (PostHog) | Legitimate interest (Art. 6(1)(f)) |
| Analytics — identified (PostHog) | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Billing data retention (10 years) | Legal obligation (Art. 6(1)(c)) |
6.Data Sharing & Third Parties
We share your data only with the following categories of third parties, and only as necessary to provide our Service:
6.1 Service Providers (Sub-processors)
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner | Infrastructure (app, database, cache) | All data | EU (Germany) |
| Stripe | Payment processing | Billing data, customer ID | US (EU-US DPF) |
| Cloudflare | Media storage (R2) + CAPTCHA (Turnstile) | Media files, IP address | EU |
| PostHog | Analytics (with consent) | User ID, page views, checkout events | Via x.social-api.ai |
| Resend | Transactional email | Email address, name | US (EU-US DPF) |
6.2 Social Media Platforms
When you connect a social media account, we exchange data with that platform's API on your behalf. This includes Meta (Instagram, Facebook, Threads), TikTok, LinkedIn, and Google Business Profile. Each platform has its own privacy policy governing how they handle data.
6.3 Legal Requirements
We may disclose data if required by law, regulation, legal process, or governmental request.
6.4 Business Transfers
In the event of a merger, acquisition, or asset sale, your data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
We do not share data with advertisers, data brokers, or any third party for marketing purposes.
7.Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account & profile data | Duration of your account + 30 days after deletion |
| Authentication data (API keys, tokens) | Until account deletion or manual revocation |
| Billing data | 10 years after transaction (French tax law, Art. L123-22 Code de Commerce) |
| Social media inbox data (DMs, comments, posts) | Duration of your account (deleted on account deletion) |
| Media files (Cloudflare R2) | 60 days (automatic expiry) |
| API event/activity logs | Plan-dependent: 1 day (free) to 90 days (business/enterprise) |
| Login activity logs (IP, user agent) | Duration of your account |
| Webhook delivery audit logs | Duration of your account |
| OAuth consent & refresh tokens | Until expiry (~90 days) or revocation |
When you delete your account (via the dashboard or by contacting us), all your data is purged within 30 days. This includes cascading deletion across our API database and authentication service. Media files on Cloudflare R2 auto-expire within 60 days.
8.Your Rights
Depending on your location, you have the following rights regarding your personal data:
Under RGPD/GDPR (EU/EEA residents):
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be forgotten"): Request deletion of your data — you can delete your account directly from the dashboard or contact us
- Restriction: Request limitation of processing
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent at any time (e.g., via the cookie settings on this website)
- Lodge a complaint: File a complaint with the CNIL (www.cnil.fr) or your local supervisory authority
Under CCPA/CPRA (California residents):
- Right to know: Request disclosure of data collected and its purpose
- Right to delete: Request deletion of personal information
- Right to opt-out: Opt out of the sale or sharing of personal information (note: we do not sell personal data)
- Right to non-discrimination: We will not discriminate against you for exercising your rights
Third-party data subjects:
If your personal data appears in our system because you interacted with one of our customers' social media accounts (e.g., you left a comment or sent a DM), you have the right to request access to or erasure of your data under RGPD Article 14. Contact us at dpo@social-api.ai.
To exercise any of these rights, contact us at dpo@social-api.ai. We will respond within 30 days (RGPD) or 45 days (CCPA).
10.Security
We implement industry-standard security measures to protect your data:
- All data encrypted in transit (TLS 1.3)
- OAuth tokens and MFA secrets encrypted at rest (AES-256-GCM)
- Passwords and API keys hashed with bcrypt
- Infrastructure hosted in the EU (Hetzner, Germany)
- 72-hour breach notification to the CNIL (RGPD Art. 33) and notification to affected users without undue delay (Art. 34)
If you discover a security vulnerability, please report it responsibly to security@social-api.ai.
11.Children's Privacy
SocialAPI.ai is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
12.International Data Transfers
SocialAPI.ai is based in France (EU). Our primary infrastructure is hosted in the EU (Hetzner, Germany). When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:
- EU-US Data Privacy Framework (DPF): For transfers to US-based service providers certified under the DPF (Stripe, Resend, Cloudflare).
- Standard Contractual Clauses (SCCs): For transfers to countries without an EU adequacy decision where DPF does not apply.
Social media platform APIs (Meta, TikTok, LinkedIn, Google) are governed by each platform's own data processing terms.
You can request a copy of the relevant transfer safeguards by contacting us at dpo@social-api.ai.
13.Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify you by email if changes are significant
- We will provide a summary of key changes
Continued use of the Service after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or want to exercise your data rights, contact us at legal@social-api.ai, dpo@social-api.ai, or security@social-api.ai.