1. Overview

At PostPlanify (the “Company,” “we,” “us,” or “our”), we are committed to complying with the General Data Protection Regulation (GDPR) (EU) 2016/679 when processing personal data of individuals located in the European Union (“EU”) or European Economic Area (“EEA”). This GDPR Compliance Statement outlines how we collect, use, process, store, and disclose your personal data in accordance with the GDPR.

2. Data Controller & Scope

The entity responsible for deciding how your personal data is processed (the “Data Controller”) is PostPlanify. This statement applies to the personal data of EU/EEA residents who use our social media management platform and related services.

3. Legal Basis for Processing

We process personal data under the following GDPR-compliant legal bases:

• Consent: When you have explicitly provided your consent, for example, by signing up for marketing communications or integrating third-party services (e.g., Canva).
• Contractual Necessity: To provide and manage your account, process your subscription, and facilitate posting and scheduling on social media platforms in accordance with our Terms of Service.
• Legal Obligation: To comply with legal requirements (e.g., financial regulations, tax obligations, and law enforcement requests).
• Legitimate Interests: To protect our business and commercial interests, such as improving our services, preventing fraud, or ensuring network security. We will always balance our legitimate interests against your rights and freedoms.

4. Personal Data We Process

For details on what personal data we collect and how we use it, please see our Privacy Policy. In summary, we may collect:

• Contact details (e.g., name, email address).
• Account information (e.g., login credentials, profile image).
• Social media account data (tokens, profile IDs) when you choose to connect your social media profiles.
• Payment details (e.g., partial credit card information, billing address) through Stripe.
• Usage data, including analytics and log data (e.g., IP address, device information).
• Uploaded media assets stored on AWS S3.

We only collect and process personal data that is relevant, adequate, and limited to what is necessary in relation to the purposes for which it is processed.

5. Your GDPR Rights

As an EU/EEA resident, you have the following rights regarding your personal data under the GDPR:

• Right to be Informed: You have the right to be informed about how your personal data is being collected and used.
• Right of Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can request that we correct any inaccuracies in your personal data.
• Right to Erasure (“Right to be Forgotten”): You can request that we delete your personal data under certain conditions.
• Right to Restrict Processing: You can request that we limit the way in which we use your personal data.
• Right to Data Portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to Object: You can object to the processing of your personal data under certain circumstances, such as direct marketing.
• Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, if it produces legal or similarly significant effects on you.

To exercise any of these rights, please contact us using the information provided in Section 8. We will respond to your request within one month, or sooner where feasible.

6. Data Transfers

We may transfer your personal data to countries outside the EU/EEA in which we or our service providers operate. When doing so, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We incorporate SCCs approved by the European Commission for transfers to third countries.
• Adequacy Decisions: Where the European Commission has determined that a non-EU country ensures an adequate level of data protection, we may rely on such decisions for transfers.
• Binding Corporate Rules: Where applicable, our service providers may maintain Binding Corporate Rules to ensure a consistent level of protection.

If you would like more information on the specific mechanism used to transfer your personal data, please contact us using the details in Section 8.

7. Data Retention & Security

We retain your personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy and to comply with our legal obligations. We implement appropriate technical and organizational security measures to safeguard your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

8. Complaints

If you believe we are processing your personal data in a way that infringes upon your rights or violates the GDPR, we encourage you to contact us first at contact@postplanify.com. You also have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State where you live, work, or where the alleged infringement of data protection law has taken place.