Spairc — Privacy Policy (TEMPLATE)

STATUS: template for solicitor review — not yet published. Bracketed items need decisions. GDPR applies: operator is Irish, customers are EU.

Last updated: [DATE] Controller: [Fahey Media legal entity], [address], Ireland — [privacy contact email].

1. What we process, and why

DataExamplesPurposeLegal basis
Account dataName, email, password hash, workspace membership, roleOperate your accountContract
Customer contentBrand profiles, briefs/submissions, photos, logos, generated postsProvide the serviceContract
Connection dataSocial account identifiers/tokens for schedulingPublish approved postsContract
Usage & billingGeneration counts and costs, invoices, payment statusBilling, fair useContract / legitimate interest
TechnicalIP address, logs, error reports, rate-limit countersSecurity, debuggingLegitimate interest
EmailAlerts, invitations, verification and reset messagesOperate the serviceContract

We do not sell personal data or use it for advertising. Generated content is produced from the material you provide; our AI providers process it to generate your content and are contractually barred from training on it. [VERIFY at review.]

2. Subprocessors

SubprocessorRoleLocation/notes
Vercel Inc.Application hostingEU deployment region; US company (SCCs)
Neon Inc.Postgres databaseFrankfurt, Germany
Vercel BlobImage/file storage[Confirm region]
AnthropicAI copy generation (Claude)US (SCCs) [confirm data residency options]
GoogleAI image generation (Gemini)US/EU (SCCs)
Freepik/MagnificStock imagerySpain
Zoho CorporationSocial scheduling (founding period)EU data centre (zoho.eu)
ResendTransactional emailUS (SCCs)
SentryError monitoringEU region
StripePaymentsEU entity
[Ayrshare or equivalent]Social scheduling (from Stage 2)[confirm on selection]

We will update this list and notify workspace owners before adding subprocessors that process customer content.

3. Retention

  • Account data: while your account exists; deleted [30] days after account deletion.
  • Customer content: while the workspace exists; deleted [30] days after termination (export available on request first).
  • Logs and error reports: [90] days. Backups: point-in-time recovery window of [7–30] days, after which deleted data ages out.

4. Your rights

You have GDPR rights of access, rectification, erasure, restriction, portability, and objection. Contact [privacy email]; we respond within one month. You may also complain to the Data Protection Commission (dataprotection.ie).

For personal data appearing inside customer content (e.g. a testimonial naming a person), the customer workspace is the controller and we act as processor on their instructions. [A separate DPA covering Art. 28 processor terms is available on request / to be appended at Stage 4.]

5. Security

Access to production systems is restricted and credentialed; passwords are hashed; tenant data is isolated per workspace at the query layer; transport is TLS throughout. We will notify affected customers without undue delay of any personal data breach as required by GDPR Art. 33/34.

6. Cookies

Spairc uses only strictly-necessary cookies (session authentication, theme). No analytics or advertising cookies. [Update if analytics are added; consent banner needed then.]