Privacy Policy

Effective Date: April 27, 2024

Last Updated: May 29, 2026

TONVI TECH SL ("we", "our", "us", "Upload-Post") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website https://www.upload-post.com and related services (collectively, the "Services").

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and other applicable data protection laws.

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: Name, email address, password, and profile information when you create an account
• Payment Information: Billing address, payment card details (processed securely by our payment processors Stripe and Paddle)
• Communications: Messages, support requests, and feedback you send to us
• User Content: Videos, images, text, and other content you upload through our Services

1.2 Information from Third-Party Platforms

When you connect social media accounts, we may receive:

• Profile information (name, username, profile picture)
• Account identifiers and access tokens
• Platform-specific data required for posting (channel IDs, page IDs)
• Limited analytics data where permitted by the platform

1.3 Information Collected Automatically

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Data: Pages visited, features used, time spent, click patterns
• Log Data: Server logs, error reports, API requests
• Cookies and Similar Technologies: See Section 8 for details

2. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide our Services and fulfill our contractual obligations to you
• Legitimate Interests (Art. 6(1)(f) GDPR): Processing for our legitimate business interests, such as improving our Services, fraud prevention, and security
• Consent (Art. 6(1)(a) GDPR): Processing based on your explicit consent, such as marketing communications
• Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with legal requirements

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Provision

• Creating and managing your account
• Processing and posting your content to connected social media platforms
• Processing payments and subscriptions
• Providing customer support

3.2 Service Improvement

• Analyzing usage patterns to improve our Services
• Developing new features and functionality
• Conducting research and analytics

3.3 Communication

• Sending service-related notifications (transactional emails)
• Responding to inquiries and support requests
• Sending marketing communications (with your consent)

3.4 Security and Compliance

• Detecting, preventing, and addressing fraud and abuse
• Enforcing our Terms of Use
• Complying with legal obligations

3.5 Automated Processing

Our Services rely on automated systems to process and deliver your content to connected social media platforms. This automated processing includes scheduling, formatting, and transmitting your content. While we implement safeguards to ensure accuracy, automated processing may occasionally result in errors, including content being delivered to incorrect accounts or platforms. We do not use automated decision-making that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR.

You have the right not to be subject to a decision based solely on automated processing. If you believe an automated process has adversely affected you, please contact us at [email protected] to request human review.

3.6 AI-Powered Features

When you choose to use AI-powered features, we may process the content, media, captions, titles, descriptions, metadata, account context, platform requirements, and performance signals that you provide or select for the purpose of generating, improving, translating, summarizing, classifying, or optimizing suggestions for you.

We use this data to provide the requested AI feature, maintain security, troubleshoot errors, and improve the reliability of Upload-Post. By using the Services, you agree that we also use your User Content and associated analytics — in aggregated and/or anonymized form, and where reasonably necessary in identifiable form — to develop, train, evaluate, and improve our machine-learning and AI models and features, including shared models that power AI features offered to all users (such as automatic title, description, caption, and hashtag generation). The legal basis for this processing is the performance of our contract with you (Article 6(1)(b) GDPR) and our legitimate interest in developing and improving the Services (Article 6(1)(f) GDPR).

Where AI functionality is provided through third-party AI providers, those providers act under contractual safeguards and are listed on our Sub-processors page when they process Personal Data on our behalf.

4. Information Sharing and Disclosure

We do NOT sell your personal data. We may share your information in the following circumstances:

4.1 Service Providers and Sub-processors

We engage a limited number of third-party service providers to operate the Services. Our authorised sub-processors, their locations, and the applicable transfer mechanisms are listed on our public Sub-processors page, which forms part of our Data Processing Agreement. As of the Last Updated date above, our principal categories of service providers are:

• Hosting and Infrastructure: Hetzner Online GmbH (Germany, EU) — application servers, databases (MongoDB, Redis), and back-ups.
• Object Storage: Cloudflare, Inc. (R2 Object Storage, EU jurisdictional restriction) — media files uploaded for publication.
• Payment Processing: Stripe Payments Europe, Ltd. / Stripe, Inc. and Paddle — billing, invoicing, subscription management, tax and payment operations.
• Product Analytics: PostHog Inc. (EU region) — feature usage and telemetry.
• Customer Communications: Email and support providers used for transactional emails, support requests, product notifications, and account communications.
• Optional AI Processing: AI providers used only when an AI-powered feature is enabled or requested, for example to generate or optimize captions, titles, descriptions, hashtags, translations, summaries, or related metadata.
• Web Analytics: Plausible Analytics, self-hosted on our own infrastructure (no third-party processor).

For the complete, current and version-controlled list of sub-processors, see upload-post.com/subprocessors.

4.2 Social Media Platforms

When you use our Services to post content, your content and associated metadata are transmitted to the social media platforms you have connected. This transmission is necessary to provide our core service functionality. You acknowledge that once content is transmitted to a third-party platform, it is subject to that platform's terms and privacy policies, and we cannot guarantee its retrieval, modification, or deletion from those platforms.

These platforms may process data in countries outside the European Economic Area, including the United States and other jurisdictions, under their own roles as independent controllers and their own transfer mechanisms. You should review the privacy policy and platform terms of each connected social media service.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to:

• Comply with legal obligations
• Protect our rights, privacy, safety, or property
• Prevent fraud or illegal activities
• Respond to lawful requests from public authorities

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your data.

5. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules where applicable
• For US transfers: EU-US Data Privacy Framework certification where applicable

6. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Employee training on data protection
• Incident response procedures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Data Retention

We retain your personal data for as long as necessary to:

• Provide our Services and maintain your account
• Comply with legal obligations (e.g., tax records for 6 years)
• Resolve disputes and enforce our agreements
• Prevent fraud and abuse

Specific retention periods:

• Account Data: Until account deletion + 30 days
• Transaction Records: 6 years (legal requirement)
• User Content: Until deletion by user or account termination
• Log Data: 90 days
• Analytics Data: 26 months (aggregated, anonymized)

8. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

8.1 Essential Cookies

Required for the website to function properly (authentication, security, preferences). These cannot be disabled.

8.2 Analytics Cookies

We use Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not collect personal data. No consent is required for Plausible. We may also use product analytics such as PostHog to understand feature usage, diagnose issues, and improve the product. Where product analytics relies on cookies or similar identifiers, it is configured and governed according to applicable consent requirements.

8.3 Marketing Cookies

With your consent, we may use cookies for advertising and conversion tracking (e.g., Google Ads). You can withdraw consent at any time.

You can manage cookie preferences through your browser settings or our cookie consent banner.

9. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of your personal data
• Right to Rectification (Art. 16): Request correction of inaccurate data
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to Restriction (Art. 18): Request limitation of processing
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint (Art. 77): File a complaint with a supervisory authority

9.1 Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: [email protected]
• Address: Calle Puerta del Mar, 18 5th Floor, 29005 Málaga, Spain

We will respond to your request within one month. Where permitted by GDPR, this period may be extended by up to two additional months if the request is complex or numerous, and we will inform you of any extension within the first month. We may need to verify your identity before processing your request.

9.2 YouTube API Data

If you have authorized our application to access your YouTube data:

• You can revoke access at any time through Google security settings
• Upon account deletion request, we will delete all stored YouTube API data within 30 days
• To request deletion, contact us at the email address above

10. Children's Privacy

Our Services are intended exclusively for users who are at least 18 years old and have the legal capacity to enter into a binding agreement. Our Services are not directed at minors, and we do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a minor, we will delete that information promptly. If you believe we have inadvertently collected data from a minor, please contact us at [email protected].

11. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of our Services after the effective date constitutes acceptance of the updated Privacy Policy.

13. Supervisory Authority

If you are located in the European Union and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD): www.aepd.es

14. Contact Us

For any questions or concerns about this Privacy Policy or our data practices, please contact us:

• Company: TONVI TECH SL
• C.I.F.: B-19780394
• Address: Calle Puerta del Mar, 18 5th Floor, 29005 Málaga, Spain
• Email: [email protected]