Privacy Policy

Last updated: March 2026

1. Data Controller

StalkMind ("we", "us", "our") is the data controller responsible for your personal data processed in connection with this service. For all privacy-related matters, contact us at privacy@stalkmind.com.

2. What data we collect and why

We collect the following categories of personal data, each with a stated lawful basis under GDPR Art. 6:

  • Account data (name, email address, authentication provider) — necessary to perform the contract (Art. 6(1)(b)).
  • Subscription and billing data (Stripe customer ID, plan tier, usage counts) — necessary to perform the contract (Art. 6(1)(b)).
  • Audit data (social media usernames you scan, AI-generated risk findings, detected locations, privacy scores) — necessary to perform the contract (Art. 6(1)(b)).
  • Public post images and captions processed during an audit — processed transiently to deliver the service; not retained after the audit completes (Art. 6(1)(b)).
  • Monitoring alerts (Guardian and Sentinel plans) — sent on the basis of legitimate interest in providing the subscribed service (Art. 6(1)(f)).

3. What we do NOT collect

  • Passwords or credentials of any kind
  • Private messages or non-public social media content
  • Content from private accounts — we only access publicly visible posts
  • Payment card details (processed entirely by Stripe; we never receive raw card data)
  • Advertising identifiers, behavioral tracking data, or third-party tracking cookies

4. Automated decision-making

StalkMind uses AI (Google Gemini) to automatically analyse posts and assign privacy risk scores. These scores are informational only and do not produce legal or similarly significant effects. You can review and delete any audit result at any time. If you wish to request human review of a specific finding, contact us at privacy@stalkmind.com.

5. International data transfers

We use third-party processors that may be located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs) or an EU adequacy decision:

  • Supabase — database and authentication (EU region; SCCs in place)
  • Stripe — payment processing (US; SCCs in place)
  • Apify — public social media data collection (EU region)
  • Google Gemini — AI analysis (US; SCCs in place)
  • Resend — transactional email delivery (US; SCCs in place)
  • Mapbox / Google Maps — geocoding of detected place names (US; SCCs in place)

Each processor is bound by a data processing agreement and its own privacy policy.

6. Data retention

  • Account data: retained for the life of your account, then deleted within 30 days of account deletion
  • Audit results and findings: retained until you delete them or close your account
  • Post images processed during an audit: deleted immediately after the audit completes
  • Billing records: retained for 7 years to comply with tax and accounting legal obligations
  • Server logs: retained for 90 days for security and debugging purposes

7. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request erasure of your personal data (Art. 17 GDPR)
  • Restriction — request that we restrict processing of your data (Art. 18 GDPR)
  • Portability — receive your data in a structured, machine-readable format (Art. 20 GDPR)
  • Objection — object to processing based on legitimate interests (Art. 21 GDPR)
  • Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing
  • Supervisory authority — you have the right to lodge a complaint with your local data protection authority (e.g. CNPD in Portugal, ICO in the UK, or the supervisory authority in your EU member state)

To exercise any of these rights, contact us at privacy@stalkmind.com. We will respond within 30 days.

8. Cookies

We use only strictly necessary session cookies set by Supabase to maintain your authenticated session. These cookies are essential for the service to function and cannot be disabled while using the platform. We do not use advertising cookies, third-party tracking cookies, or analytics cookies. We do not respond to browser "Do Not Track" (DNT) signals because we do not track users across third-party sites in any case.

9. Children

StalkMind is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us at privacy@stalkmind.com and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email at least 30 days before they take effect, giving you the opportunity to review and, if necessary, close your account. The date at the top of this page always reflects the most recent version. Non-material clarifications take effect immediately upon posting.

11. Contact

For any privacy-related questions or to exercise your rights: privacy@stalkmind.com