Privacy Policy
Last updated: 25 April 2025
This Privacy Policy explains how ArchySocial, operated by Architech d.o.o. (Ulica Lea Mullera II. odvojak 10, 10000 Zagreb, Croatia), processes your personal data when you use our Service. We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable national data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
Architech d.o.o.
Ulica Lea Mullera II. odvojak 10, 10000 Zagreb, Croatia
Email: privacy@archysocial.com
If you have questions about this Policy or wish to exercise your rights, contact us at the address above.
2. Personal Data We Collect
We collect and process the following categories of personal data:
| Category | Data | Source |
|---|---|---|
| Account data | Name, email address, password hash | Provided by you |
| Billing data | Payment method token, subscription status, transaction history | Paddle (Merchant of Record) |
| Social account data | OAuth tokens, profile metadata for LinkedIn / X | Third-party OAuth providers |
| User content | Campaign briefs, AI-generated posts, uploaded images/videos | Provided by you |
| Usage data | Pages visited, features used, errors, timestamps | Collected automatically |
| Device data | IP address, browser type, operating system | Collected automatically |
We do not process special categories of personal data (e.g. health, racial/ethnic origin, biometric data) and ask that you do not upload such data to the Service.
3. Purposes & Legal Bases for Processing
Under GDPR, we must identify a valid legal basis for each processing activity. The table below sets out our processing purposes and the legal basis relied upon.
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and maintaining the Service, including user authentication | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, password resets) | Performance of a contract (Art. 6(1)(b)) |
| Complying with legal obligations (tax, accounting, fraud prevention) | Legal obligation (Art. 6(1)(c)) |
| Analysing Service usage to improve features and fix bugs | Legitimate interests (Art. 6(1)(f)) — our interest in improving the Service |
| Sending product updates and marketing emails | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Security monitoring and fraud detection | Legitimate interests (Art. 6(1)(f)) — our interest in protecting users and our systems |
4. Recipients & Sub-processors
We share personal data with the following categories of recipients:
- Supabase, Inc. — cloud database, authentication, and real-time infrastructure. Data processed on servers within the EU/EEA or under EU Standard Contractual Clauses (SCCs).
- Paddle.com Market Limited — Merchant of Record for payment processing. Paddle is the data controller for payment-related personal data it processes in connection with transactions.
- Cloudflare, Inc. — edge network and Workers deployment. Processes IP addresses and request metadata to deliver the Service.
- AI content generation provider — your campaign briefs and preferences are transmitted to generate posts and visuals. Data is used solely for content generation and is not retained for model training without consent.
- LinkedIn / X (Twitter) — when you connect social accounts, OAuth tokens are stored and used to publish content on your behalf. Each platform's own privacy policy governs their processing.
We do not sell personal data to third parties. Any sub-processor we engage is bound by data processing agreements that require at least equivalent protections to those in this Policy.
5. International Data Transfers
Some of our sub-processors are based outside the European Economic Area. Where personal data is transferred to third countries, we ensure appropriate safeguards are in place, including:
- European Commission Standard Contractual Clauses (SCCs) adopted under GDPR Art. 46(2)(c); or
- an adequacy decision by the European Commission confirming the recipient country provides equivalent protection.
You may request a copy of the relevant safeguards by contacting us at privacy@archysocial.com.
6. Data Retention
We retain personal data for as long as necessary for the purposes set out in this Policy:
- Account and content data: retained while your Account is active and for 30 days after deletion, after which it is permanently erased.
- Billing records: retained for 7 years in line with EU tax and accounting obligations.
- Usage and analytics data: retained for up to 24 months in aggregated or pseudonymised form.
- Marketing consent records: retained until you withdraw consent, plus a further period to evidence the consent.
7. Your Rights Under GDPR
You have the following rights regarding your personal data under GDPR (Arts. 15–22):
- Right of access (Art. 15) — obtain confirmation of whether we process your data and receive a copy.
- Right to rectification (Art. 16) — have inaccurate data corrected without undue delay.
- Right to erasure (Art. 17) — request deletion of your data in certain circumstances ("right to be forgotten").
- Right to restriction (Art. 18) — request that processing be limited while a dispute is resolved.
- Right to data portability (Art. 20) — receive your data in a machine-readable format and have it transferred to another controller.
- Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing at any time.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decisions (Art. 22) — we do not make solely automated decisions that produce legal or similarly significant effects.
To exercise any right, contact us at privacy@archysocial.com. We will respond within one month (extendable by two further months for complex requests). You will not be charged a fee unless requests are manifestly unfounded or excessive.
8. Right to Lodge a Complaint
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with your national supervisory authority. If you are based in the EU/EEA, you can find a list of national authorities at https://azop.hr.
Our lead supervisory authority is the Agencija za zaštitu osobnih podataka (AZOP).
We encourage you to contact us first so we can address your concern directly.
10. Children's Privacy
The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@archysocial.com and we will delete it promptly.
11. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure.
12. Changes to This Policy
We may update this Policy periodically. We will notify you of material changes by email or by a prominent notice within the Service before they take effect. The updated date at the top of this page reflects the latest revision.
13. Contact & DPO
For privacy-related questions, rights requests, or concerns, contact our privacy team:
Architech d.o.o.
Attn: Privacy / Data Protection
Ulica Lea Mullera II. odvojak 10, 10000 Zagreb, Croatia
Email: privacy@archysocial.com