Privacy Policy
Last updated: 1 June 2026
1. Who we are (Data Controller)
Communitae is a social media management platform operated by:
- Legal entity: Communitae Solutions, S.L.
- Tax ID (NIF/CIF): B26895433
- Registered address: C/ Doctor Roux, n.º 36, 6º, 08017 Barcelona, Spain
- Contact email: [email protected]
- Data Protection Officer (DPO): Not appointed. Communitae operates as a B2B SaaS and the criteria of Art. 37(1) GDPR (large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data) are not currently met. This position is reviewed annually. For privacy questions, contact [email protected].
We are established in Spain and operate under the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and the Spanish Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD, Ley Orgánica 3/2018).
2. Scope
This policy explains what personal data we collect when you use the Communitae web application at communitae.ai (the “Service”), how we use it, who we share it with, how long we keep it, and the rights you have under GDPR.
It does not cover:
- Data your end users post publicly on Instagram or other social networks (those platforms have their own privacy policies).
- Data processed by third-party services we link to but do not control.
3. What we collect
3.1 Account data
- Name, email address, hashed password (or Google OAuth identifier).
- Business profile details you provide (brand voice, target audience, content guidelines, brand colors, hashtags).
3.2 Connected social-media account data
When you connect an Instagram Business account via the Instagram API:
- Instagram username, account ID, profile picture URL, account category.
- A long-lived access token issued by Meta. Tokens are encrypted at rest using AES-256-GCM (envelope encryption).
- The list of OAuth permissions you granted.
- Refresh-tracking metadata (last refresh attempt, failure count, status).
- Webhook events Meta sends us (comments, direct messages, mentions, reactions).
3.3 Content data
- Posts you create, schedule, or publish through the Service (text, images, video).
- AI-generated drafts and concepts.
- Comments and direct messages received via Instagram webhooks (for inbox features).
- Media files you upload (stored in object storage).
3.4 Billing data
Stripe customer ID, subscription tier, billing cycle, payment method metadata (last 4 digits, brand). We do not store full card numbers; payment data is processed directly by Stripe.
3.5 Usage data
- Authentication events (login, logout).
- AI generation quotas consumed.
- Application logs containing IP address, user agent, timestamps, request paths (for security and debugging).
3.6 Cookies
- Session cookies (essential, NextAuth.js).
- Language preference cookie.
- We do not currently use third-party advertising or analytics tracking cookies.
4. Why we process your data (legal bases under Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the service (publishing posts, managing Instagram accounts, generating AI content) | Contract (Art. 6(1)(b)) |
| Complying with Meta's Terms and applicable law | Legal obligation (Art. 6(1)(c)) |
| Billing and processing payments | Contract |
| Sending service emails (quota alerts, security notices) | Legitimate interest (Art. 6(1)(f)) |
| Handling support requests | Legitimate interest |
| Marketing emails | Consent (Art. 6(1)(a)), opt-in only |
| Detecting fraud, abuse and security incidents | Legitimate interest |
5. AI processing
To deliver content-generation features, we send your inputs (briefs, prompts, brand profile data, sometimes uploaded images) to the following AI providers:
- OpenRouter (text, chat, vision, image generation). Underlying models include Google Gemini and others routed by OpenRouter. Data may be processed in the United States.
- Google Cloud (Gemini API) for video generation via Veo 3.1.
- Google Cloud Speech-to-Text for audio transcription.
These providers process data on our behalf as data processors. We have selected providers that offer Standard Contractual Clauses (SCCs) for international transfers and that do not retain customer prompts to train their models by default.
You can opt out of AI features at any time by disabling the relevant features in your settings; doing so disables AI-powered content generation.
6. Who we share data with
We share personal data only with:
| Recipient | Purpose | Country | Safeguards |
|---|---|---|---|
| Meta Platforms Ireland Ltd. | Publishing to Instagram, receiving webhooks | EU | Meta Platform Terms, GDPR compliance |
| Stripe Payments Europe Ltd. | Payment processing | EU/US | SCCs |
| Railway | Application hosting | US | SCCs |
| Tigris (object storage on Railway) | Media file storage | US | SCCs |
| OpenRouter | AI inference | US | DPA + SCCs |
| Google LLC (Gemini, Speech) | AI inference | US | SCCs |
| Transactional email provider | Account, billing and security emails | EU/US | SCCs |
We do not sell personal data. We do not share data with advertisers or data brokers.
7. International transfers
Some processors are located in the United States. Transfers to the US rely on Standard Contractual Clauses (Art. 46 GDPR) and additional supplementary measures (encryption at rest and in transit). On request, we will provide a copy of the SCCs.
8. How long we keep data
| Data | Retention |
|---|---|
| Active account data | While your account is active |
| Instagram access tokens | While the account is connected; deleted within 30 days of disconnect or token revocation |
| Published post records | While your account is open, then 90 days post-deletion (audit) |
| Billing records | 6 years (Spanish tax law) |
| Application logs | 90 days |
| Webhook events (comments, DMs) | While the connected Instagram account is active; deleted on disconnect |
| Backups | Up to 30 days |
9. Your rights (Art. 15–22 GDPR)
You can:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”, Art. 17) — see also Section 10 and our Data Deletion Policy
- Restrict processing (Art. 18)
- Port your data to another service (Art. 20) — JSON export available on request
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for marketing emails at any time
To exercise these rights, email [email protected] with subject “GDPR request”. We respond within 30 days (extendable by 60 days for complex requests, with notice).
If you believe we are processing your data unlawfully, you can lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es).
10. Account deletion and data deletion
You can delete your Communitae account at any time from Settings → Account. When you do:
- Your account is marked deleted and access is revoked immediately.
- Connected Instagram accounts are soft-deleted; their access tokens are cleared from our database.
- Posts, scheduled content, comments and direct messages associated with your account are deleted within 30 days.
- Backups containing your data are purged within 90 days.
- Records we are legally required to keep (invoices, tax records) are retained for the period required by law and then deleted.
Meta Platforms can also trigger a deletion request on your behalf via the Instagram “Apps and Websites” panel. We honor these signed deletion requests through our /api/instagram/delete-data and /api/instagram/deauthorize endpoints.
For details, see the Data Deletion Policy. The status of an in-progress deletion request can be checked at communitae.ai/data-deletion-status.
11. Security
- Passwords are hashed with bcrypt.
- Instagram access tokens are encrypted at rest (AES-256-GCM).
- All transport is TLS 1.2+.
- Application secrets are stored in environment variables, not in source control.
- Production access is limited to authorized personnel and audited.
- We follow security best practices including OWASP Top 10 mitigations.
No system is 100% secure. If you become aware of a security issue, please email [email protected] with subject “Security report”.
12. Children
The Service is not intended for users under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it.
13. Changes to this policy
We may update this policy. Material changes will be notified by email and/or in-app at least 30 days before they take effect. The “last updated” date at the top reflects the most recent revision.
14. Contact
- General privacy questions: [email protected]
- DPO: Not appointed (see Section 1).
- Postal address: Communitae Solutions, S.L. — C/ Doctor Roux, n.º 36, 6º, 08017 Barcelona, Spain