Privacy Policy
Last updated: March 20, 2026
1. Introduction
Socilot, operated by INFO MEDIA d.o.o. ("we", "us", "our"), respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), the Croatian Data Protection Act (Zakon o provedbi Opće uredbe o zaštiti podataka), and other applicable data protection laws.
2. Data Controller
INFO MEDIA d.o.o.
Širolina ulica - Via Vitomir Širola Pajo 9
52100 Pula, Croatia
VAT ID: HR33583811286
Email: support@info-media.it
Data Protection Officer: support@info-media.it
As a company processing data that does not involve large-scale systematic monitoring or large-scale processing of special categories of data, we are not required to appoint a formal Data Protection Officer (DPO) under GDPR Article 37. All data protection inquiries can be directed to the contact above.
3. Data We Collect
3.1 Account Data
- Name, email address, password (hashed with bcrypt — we never store plaintext passwords)
- Organization name, billing address, and payment information (processed by Stripe — we do not store credit card numbers)
- Language preference and timezone
- Telegram Chat ID (if you voluntarily connect Telegram notifications)
3.2 Connected Platform Data
- OAuth access tokens and refresh tokens (encrypted at rest using AES-256)
- Platform user IDs and usernames
- Page/profile information you explicitly grant access to
- Platform-specific metadata (e.g., Facebook Page ID, Instagram Business Account ID)
3.3 Meta Platform Data (Facebook, Instagram, Threads)
When you connect your Facebook, Instagram, or Threads account, we access the following data through Meta's Graph API:
- Your Facebook Pages and their metadata (name, ID, category)
- Page access tokens (encrypted at rest)
- Instagram Business Account ID linked to your Facebook Page
- Post publishing permissions
We use this data EXCLUSIVELY to:
- Publish content you have scheduled to your connected Pages/accounts
- Display your connected pages within the Service interface
- Monitor the publishing status of your scheduled posts
We do NOT:
- Store your Facebook/Instagram friends list, likes, personal feed data, or private messages
- Access your personal Facebook profile data beyond what is required for Page management
- Share, sell, or transfer your Meta platform data to any third parties
- Use your Meta data for advertising, profiling, marketing, or any purpose other than providing the Service
- Retain Meta data after you disconnect the platform or delete your account
3.4 Content Data
- Posts, templates, and media you create or upload
- AI-generated content suggestions
- Scheduling dates, publishing status, and publishing results
- Hashtag sets and content library entries
3.5 Analytics Data
- Post performance metrics (fetched from connected platform APIs)
- Link click data: IP address (anonymized after 30 days), country, device type, browser, and referrer
- Usage statistics (aggregated feature usage and login frequency)
3.6 Technical Data
- IP address (retained for security purposes for 90 days)
- Browser type and version, device information, operating system
- Cookies and similar technologies (see Section 9)
- Server logs (retained for 30 days)
4. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Account management, content publishing | Contract performance (Art. 6(1)(b)) |
| Payment processing, billing | Contract performance (Art. 6(1)(b)) |
| AI content generation | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement, analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Non-essential cookies | Consent (Art. 6(1)(a)) |
| Telegram notifications | Consent (Art. 6(1)(a)) |
| Tax/billing record retention | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
- To provide, operate, and maintain the Service
- To publish content on connected platforms on your behalf and at your direction
- To generate AI-assisted content based on your app settings and prompts
- To provide analytics and reporting on your published content
- To send notifications (email, Telegram) about your content status
- To process payments and manage subscriptions
- To improve and develop the Service
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
6. Data Sharing
We do not sell, rent, trade, or monetize your personal data. We share data only with:
- Social media platforms: Content you explicitly choose to publish through their APIs — only at your direction
- Stripe: Payment processing only (Stripe does not have access to your content or platform data). See the Stripe Privacy Policy.
- AI providers (Anthropic, OpenAI): Content prompts for AI generation, anonymized and sent without your personal identifiers. See the Anthropic Privacy Policy.
- Hosting provider (Hetzner, Germany/EU): Infrastructure provider; data is processed within the EU. See the Hetzner Privacy Policy.
- Law enforcement: Only when required by valid legal process (court order, subpoena, or binding legal obligation)
6a. Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner | Cloud hosting | Germany (EU) | EU location |
| Stripe | Payment processing | USA | EU SCCs + DPF |
| Anthropic | AI content generation | USA | EU SCCs |
| OpenAI | AI content generation | USA | EU SCCs + DPA |
Connected social media platforms (Meta, LinkedIn, Google, etc.) are not our sub-processors — they act as independent controllers for data you publish to them. We recommend reviewing each platform's privacy policy.
7. Your Rights (GDPR)
Under GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing in specific circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON/CSV)
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time, without affecting the lawfulness of prior processing
- Right Not to be Subject to Automated Decision-Making (Art. 22): See Section 12
How to exercise your rights: Contact support@info-media.it. We will respond within 30 days. We may request identity verification before processing your request. If we cannot comply with your request, we will explain why within the same timeframe.
No fee: Exercising your rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded or excessive requests.
8. Data Deletion
8.1 Account Deletion
You may delete your account at any time through Settings → Account → Delete Account. Upon deletion:
- All personal data is permanently deleted within 30 days
- All connected platform tokens are immediately revoked and deleted
- All content, templates, and scheduling data is permanently deleted
- Billing records are retained for 7 years as required by Croatian tax law (Opći porezni zakon)
8.2 Platform Disconnection
When you disconnect a specific platform:
- OAuth tokens for that platform are immediately revoked and deleted
- Platform-specific user IDs and metadata are deleted within 24 hours
- Published content records remain available for your reference, but platform access is permanently revoked
8.3 Meta Data Deletion Callback
In compliance with Meta Platform Terms, we provide an automated data deletion endpoint at:
https://socilot.com/data-deletion
This endpoint processes signed deletion requests from Meta and:
- Deletes all Facebook/Instagram/Threads tokens and platform data
- Returns a confirmation URL and tracking code
- Completes deletion within 24 hours
You can check the status of a deletion request at:
https://socilot.com/data-deletion/status?code={confirmation_code}
8.4 Manual Deletion Request
You may also request complete data deletion by contacting support@info-media.it. We will process your request within 30 days.
9. Cookies
We use the following categories of cookies:
- Strictly Necessary Cookies: Session management (Laravel session), CSRF protection, authentication state. These are required for the Service to function and cannot be disabled.
- Preference Cookies: Language preference, cookie consent status, UI settings. Set only after your consent.
- Analytics Cookies: Anonymous usage statistics to improve the Service. Set only after your explicit consent via the cookie banner.
We do NOT use:
- Tracking cookies or advertising cookies
- Third-party marketing pixels (Facebook Pixel, Google Ads, etc.)
- Cross-site tracking technologies
You can manage cookies through the cookie consent banner displayed on your first visit, or through your browser settings. Disabling essential cookies may prevent the Service from functioning.
10. Data Retention
| Data Category | Retention Period | After Account Deletion |
|---|---|---|
| Account data | While account is active | Deleted within 30 days |
| Content data | While account is active | Deleted within 30 days |
| Platform tokens | While connected | Deleted immediately |
| Analytics data | 24 months | Deleted within 30 days |
| Server logs | 30 days | Auto-purged |
| IP addresses (analytics) | Anonymized after 30 days | N/A (anonymized) |
| Billing records | 7 years (legal req.) | Retained 7 years |
11. Data Security
We implement appropriate technical and organizational security measures including:
- Encryption in transit (TLS 1.2+) for all communications
- Encryption at rest for all OAuth tokens (AES-256 application-level encryption)
- Password hashing with bcrypt (cost factor 12)
- CSRF protection on all forms
- SQL injection prevention through parameterized queries
- Regular security reviews and dependency updates
- Access controls and least-privilege principles
- Server-side input validation and output encoding
11a. Data Breach Notification
In accordance with GDPR Articles 33 and 34:
- If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (AZOP) within 72 hours
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay
- Our notification will include: the nature of the breach, categories of data affected, likely consequences, and measures taken to address it
- We maintain an internal data breach register documenting all incidents
12. Automated Decision-Making and Profiling (GDPR Article 22)
12.1 AI Content Generation
The Service uses artificial intelligence to generate content suggestions. This is NOT automated decision-making as defined by GDPR Article 22 because:
- AI content is always presented as a suggestion, never automatically published
- You must manually review and approve all AI-generated content before publication
- You can edit, modify, or reject any AI suggestion
- No decisions with legal or similarly significant effects are made automatically
12.2 Smart Scheduling
The Service may suggest optimal posting times based on general best practices. These suggestions are non-binding and you retain full control over scheduling.
12.3 No Profiling
We do not engage in profiling as defined by GDPR Article 4(4). We do not create profiles based on your personal characteristics, behavior, or preferences for the purpose of making automated decisions about you.
13. International Transfers
Your data is primarily stored and processed within the European Union (Hetzner, Germany).
When data is transferred outside the EU (e.g., to AI providers in the USA), we ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework where applicable
- Data Processing Agreements (DPAs) with all sub-processors
You may request a copy of the applicable safeguards by contacting us.
14. Children
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at support@info-media.it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The latest version is always available at https://socilot.com/privacy.
16. Supervisory Authority
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection authority.
In Croatia:
AZOP — Agencija za zaštitu osobnih podataka
Fra Grge Martića 14, 10000 Zagreb, Croatia
https://azop.hr
Email: azop@azop.hr
17. Contact
For privacy-related questions or to exercise your data protection rights:
INFO MEDIA d.o.o.
Širolina ulica 9, 52100 Pula, Croatia
Email: support@info-media.it
Data Protection Officer: support@info-media.it