Privacy Policy
1. Who controls your data
The controller of your personal data is F. H. U. ITAMA Dariusz Niemczak (sole proprietorship, NIP: 9581479203, REGON: 222025985, ul. Starowiejska 16/2, 81-356 Gdynia), hereinafter: ITAMA. Contact: support@publineo.com.
2. What data we collect
- Email address and password — necessary to create an account and log in (the password is stored only as a cryptographic hash).
- Organization name and brand profile (industry, tone of communication, descriptions) — entered by you and used to generate posts tailored to your company.
- Content of posts and images generated by AI — stored until the account is deleted.
- Access tokens for external channels (Facebook, Instagram, WordPress, LinkedIn) — encrypted and used only to publish posts indicated by you.
- Technical logs — IP address, browser, action time — stored for up to 90 days for security and incident resolution.
- Usage statistics — number of generated posts and AI costs in a given period. We do not analyze post content for purposes other than servicing your account.
We do not collect special categories of data (e.g. medical or biometric data) or data of children under the age of 16.
3. Why we collect this data (purpose and legal basis)
- Creating and maintaining an account — Article 6(1)(b) GDPR (contract).
- Generating AI posts and publishing them on your channels — Article 6(1)(b) GDPR (contract).
- Issuing invoices and keeping accounts — Article 6(1)(c) GDPR (tax obligation).
- Security, auditing, and fraud detection — Article 6(1)(f) GDPR (legitimate interest).
- Contact regarding account support — Article 6(1)(b) GDPR.
4. Integration with Facebook and Instagram (Meta Platforms)
If you connect a Facebook or Instagram account to Publineo, we request access permissions only for your business pages and for publishing on them on your behalf. We never request access to your private profile, friends list, personal posts, or photos.
The permissions we request are: managing business pages, publishing content on behalf of a page, and reading basic publication metrics. Each permission has a clear purpose and is necessary for Publineo to operate.
You can disconnect the integration at any time from Publineo settings or directly in Facebook settings: Settings → Business Integrations → Publineo → Remove.
5. Who we entrust your data to (processors)
We use trusted infrastructure providers:
- Supabase (Supabase Inc., USA — server region: Frankfurt, Germany) — database and authorization hosting.
- Cloudflare (Cloudflare Inc., USA / EU) — hosting the application frontend, attack protection, and Turnstile anti-bot protection.
- OpenAI (OpenAI L.L.C., USA) — generating content and images. Data entered into the models is used only to generate responses and is not used to train models (in accordance with OpenAI’s API policy).
- Resend (Resend Inc., USA / EU) — sending transactional emails (confirmations, password resets).
- Meta Platforms Ireland Ltd. (Facebook, Instagram) — only for publishing posts, based on tokens that you grant yourself.
- Automattic / the Client’s WordPress installation and LinkedIn — similarly, based on the Client’s tokens.
We have entered into a data processing agreement (DPA) with each of the above providers or use their standard DPA. Data transfers to the USA take place on the basis of standard contractual clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914.
6. How long we store data
- Account data — for the duration of the contract plus 30 days after account deletion.
- Security logs — up to 90 days.
- Invoices and billing data — 5 years (tax law requirement).
- Post content — until the account is deleted or the content is individually deleted in the application.
7. Your rights
You have the right to:
- access your data (a copy in machine-readable format),
- rectify your data,
- delete your data (the “right to be forgotten”) — see the pageData Deletion,
- restrict processing,
- data portability,
- object to processing based on legitimate interest,
- withdraw consent (if any processing is based on consent),
- lodge a complaint with the President of the Personal Data Protection Office (uodo.gov.pl).
To exercise these rights, write to support@publineo.com. We respond within 30 days.
8. Security
We use, among other measures:
- connection encryption (HTTPS/TLS),
- encryption of data in the database and backups,
- strict access control (RLS at database level),
- two-factor authentication (TOTP) for administrative accounts,
- audit logs of all administrative actions,
- geo-blocking and anti-bot protection on the administration panel,
- regular database backups.
9. Cookies and browser storage
The application uses necessary browser storage mechanisms (localStorage, sessionStorage) to maintain a logged-in session, remember settings (theme, font size), and, where applicable, remember the device for 7 days when logging in with 2FA. We do not use marketing or analytics cookies that collect data for advertising.
10. Changes to this policy
We notify you of material changes by email to the address provided during registration at least 14 days before they take effect. Minor editorial changes are published in this policy with the current date.
11. Contact
Questions, requests, incident reports: support@publineo.com.