MarbSocial
||
Empezar

Privacy Policy

Effective date: April 17, 2026

1. Introduction

MarbSocial is a social media management and AI content generation platform (the “Service”, “we”, “our”). This Privacy Policy describes what personal data we collect when you use marbsocial.com and the application, how we use it, who we share it with, and your rights.

By using the Service, you agree to this Policy. If you do not agree, please stop using the Service.

Data Controller: the MarbSocial team. Privacy contact: [email protected].

2. What data we collect

2.1 Registration data

  • First and last name
  • Email address
  • Organization name
  • Password hash (we do not store passwords in plain text)
  • IP address and user-agent at sign-up and login

2.2 Profile data

  • Avatar (if uploaded)
  • Time zone and UI language
  • Organization role (owner / admin / editor / viewer)
  • Notification preferences

2.3 Connected social account data

See section 4 below — covered separately.

2.4 Content you create

  • Posts and drafts
  • Uploaded images, videos, files
  • AI prompts and generated results
  • Schedules, tags, categories
  • Inbox replies and comments

2.5 Technical data

  • IP address
  • Device, browser, OS type
  • Action logs (which endpoints, when, outcome)
  • Session ID and cookies
  • Performance metrics

2.6 Payment data

If you subscribe — card details are processed by our payment provider (NOWPayments / Stripe depending on region). We do not store full card numbers, CVV, or PIN. We see: last 4 digits, expiry, country of issuance, transaction status.

3. How we use data

We use your data strictly for the following purposes:

  • Providing and supporting the Service (account, authentication, publishing)
  • Performing actions you initiated (posting, AI generation, sending emails)
  • Billing and subscription management
  • Security: fraud prevention, brute-force protection, abuse detection
  • Legal compliance (taxes, regulatory requests)
  • Product improvement (anonymized usage analytics, A/B testing)
  • Notifying about material Service changes (mandatory notices)
  • Marketing emails — only with explicit consent; you can opt out anytime

GDPR Art. 6 legal bases: contract performance, legitimate interests (security, improvement), consent (marketing, optional cookies), legal obligations (tax records).

4. Social media access & content

When you connect a social account (Instagram, VK, TikTok, Telegram, YouTube, LinkedIn, Threads, Facebook), we receive an access token from the platform — a key allowing us to post on your behalf and read data per the scopes you approved.

What we store

  • The access token and refresh token (encrypted at rest)
  • Platform account ID, name, avatar, handle
  • List of granted scopes
  • Token expiry

What we do with this data

  • Publish posts you scheduled or asked us to publish manually
  • Upload media (photos, videos) to platforms for publishing
  • Fetch your post statistics (impressions, likes, comments) for Analytics
  • Receive incoming comments and messages (if you use Inbox)
  • Never publish anything without an explicit action from you

What we DO NOT do

  • Sell tokens or share them with third parties
  • Use tokens for advertising or marketing
  • Post on your behalf without an explicit action
  • Read your private messages beyond what is necessary for Inbox

You can revoke access at any time via Settings → Connected Accounts → Disconnect, or directly in the social network settings. After revocation, tokens are deleted within 24 hours.

5. Who we share data with

We share data with third parties strictly as needed:

RecipientWhat dataPurpose
Social networks (Meta, ByteDance, VK, Google, LinkedIn)Post content, metadataPublishing on your request
Email provider (Resend)Email, name, message bodyTransactional emails
Payment provider (NOWPayments / Stripe)Email, amount, card detailsPayment processing
Hosting (AWS EC2, ECR — Frankfurt)All app dataService hosting
CDN/Security (Cloudflare)IP, request headers, contentDDoS protection, acceleration
AI providers (see section 6)Prompts, generation inputContent generation on your request
Regulators and law enforcementAs legally requiredLegal compliance

We DO NOT sell your personal data to third parties.

6. AI content processing

MarbSocial uses generative models for AI features: assistant, post generation, images, video, translations, comment replies.

Who processes

  • Google Gemini (Google Cloud, EU region) — text, images
  • Anthropic Claude (Anthropic API) — text
  • Moonshot Kimi — alternative text model

What is sent to AI

  • The prompt you enter
  • Context of the current post or thread (if “use context” is enabled)
  • Your language and basic tone preferences

What is NOT sent to AI

  • Your email, password, payment data
  • Social tokens
  • Content of others' accounts beyond what you explicitly paste in the prompt

All AI providers we work with have signed DPAs and respect zero-retention — they do not use your prompts to fine-tune models.

7. Cookies and analytics

We use three types of cookies:

  • Essential (session, CSRF token, theme, language) — cannot be disabled, the Service won't work without them
  • Analytics (internal usage counters for UX improvement) — anonymized, can be disabled in Privacy Settings
  • Marketing — not currently used; if introduced, we will ask consent via banner

Manage cookies: Settings → Privacy & Data → Cookies.

8. Data retention

Data typeRetention period
User accountUntil account deletion
Post contentUntil deleted by you or account removal
Social tokensUntil disconnect, or token expiry
Security logs90 days
Audit log180 days
DB backups30-day rolling
Payment records7 years (tax law requirement)

After account deletion, we erase your data within 30 days, except records we are required by law to retain (payment history).

9. Security

  • HTTPS with TLS 1.2+ for all traffic
  • Authenticated Origin Pulls — origin reachable only via Cloudflare
  • Encrypted social tokens at rest (AES-256)
  • Password hashing with bcrypt
  • Two-factor authentication (2FA) available to all users
  • Rate limiting and WAF at CDN level (Cloudflare)
  • Regular security audits and dependency scanning
  • Principle of least privilege across components

No system is 100% secure. In case of a breach, we will notify affected users within 72 hours per GDPR Art. 33–34.

10. Your rights (GDPR / CCPA)

If you are in the EU, EEA, UK, Switzerland, or California, you have the following rights:

  • Access — find out what data we hold about you
  • Rectification — correct inaccurate data
  • Erasure (right to be forgotten) — delete your account and related data
  • Restriction — pause processing
  • Portability — receive your data in machine-readable form (JSON / CSV)
  • Object — opt out of legitimate-interest processing
  • Withdraw consent — for marketing and optional cookies
  • Lodge a complaint — with your local supervisory authority (e.g., UODO in Poland)

Most requests can be fulfilled in Settings → Privacy & Data. For others, email [email protected] — we respond within 30 days.

11. International data transfers

Service servers are in Frankfurt, Germany (AWS eu-central-1). Some third parties may process data outside the EEA:

  • Anthropic, OpenAI — USA (Standard Contractual Clauses, EU-US Data Privacy Framework)
  • Cloudflare — global (SCCs, Data Privacy Framework)
  • Social networks — each per their own policy

12. Children

The Service is not intended for users under 16. We do not knowingly collect data from children. If you are a parent and learn that your child has signed up — please contact us, we will delete the account and related data.

13. Changes to this policy

We may update this Policy. For material changes, we will notify by email and an in-app banner at least 14 days before they take effect. Minor edits (typos, wording) are published without notice, fixed by the date at the top of the document.

14. Contact

Privacy inquiries: [email protected]
General inquiries: [email protected]
Operating address: Warsaw, Poland