Privacy Policy

Last updated: March 25, 2026

1. Introduction

PilotSocials ("we", "our", or "us") is operated by CodeTix, a company based in Barcelona, Spain. We operate the PilotSocials platform at app.pilotsocials.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in accordance with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.

Data Controller: CodeTix Barcelona, Spain Email: privacy@pilotsocials.com

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name and email address (via Google OAuth)
  • Organization/brand name you provide during onboarding
  • Industry and business information you provide

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) — required to provide you with the Service.

2.2 Social Media Data

When you connect social media accounts, we access:

  • Your social media profile information (username, profile picture, page name)
  • Post engagement metrics and analytics (likes, comments, reach, impressions)
  • Content you create and publish through our platform

We do NOT access your personal messages, private posts, followers lists, or data from accounts you don't explicitly connect.

Legal basis: Consent (Art. 6(1)(a) GDPR) — you explicitly authorize each social media connection. You may revoke access at any time from your dashboard.

2.3 Business Profile Data

Information you provide about your business for AI content generation:

  • Business description, industry, target audience
  • Brand tone, style preferences, unique selling points
  • Product and service descriptions
  • Competitor information

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) — required for the AI content generation features of the Service.

2.4 Usage Data

We automatically collect:

  • Log data (IP address, browser type, operating system, pages visited, timestamps)
  • Device information (screen size, device type)
  • Usage patterns within the platform (features used, session duration)
  • Error and performance data (via Sentry)

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — necessary to maintain, secure, and improve the Service.

2.5 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store, process, or have access to your full credit card number, CVV, or bank account details. We only receive:

  • Last four digits of your card
  • Card brand and expiration date
  • Billing address
  • Transaction history

Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) — required to process your subscription.

3. How We Use Your Information

| Purpose | Data Used | Legal Basis | |---------|-----------|-------------| | Provide the Service | Account, business profile, social media data | Contractual necessity | | Generate AI content | Business profile, brand preferences | Contractual necessity | | Publish to social media | Social media tokens, content | Consent | | Process payments | Payment data (via Stripe) | Contractual necessity | | Send service communications | Email address | Contractual necessity | | Analyze and improve the Service | Usage data, error logs | Legitimate interest | | Ensure platform security | Log data, IP addresses | Legitimate interest | | Comply with legal obligations | As required | Legal obligation |

4. Data Sharing and Sub-Processors

We do NOT sell, rent, or trade your personal data. We share data only with the following categories of recipients, all bound by data processing agreements:

| Sub-Processor | Purpose | Location | Data Shared | |---------------|---------|----------|-------------| | Stripe, Inc. | Payment processing | USA (EU SCCs) | Payment & billing data | | Railway | Application hosting | EU (europe-west4) | All application data | | Neon, Inc. | Database hosting | EU | All database records | | Anthropic | AI content generation | USA (EU SCCs) | Business profiles, content prompts | | Resend | Transactional emails | USA (EU SCCs) | Email addresses, email content | | Sentry | Error monitoring | USA (EU SCCs) | Error logs, anonymized usage data | | Meta Platforms | Social media publishing | USA (EU SCCs) | Content, social account tokens | | Google | OAuth authentication | USA (EU SCCs) | Email, name (during login) | | Vercel | File storage (media uploads) | USA (EU SCCs) | Uploaded media files | | Pexels | Stock image search | Germany | Search queries only |

5. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processors' additional supplementary measures (encryption, access controls)

We ensure that all international transfers provide an adequate level of data protection as required by Chapter V of the GDPR.

6. Data Retention

| Data Type | Retention Period | |-----------|-----------------| | Account data | Duration of account + 30 days after deletion | | Business profile | Duration of account + 30 days after deletion | | Social media tokens | Until disconnected by you, or account deletion | | Published content records | Duration of account + 90 days | | Usage logs | 12 months | | Error logs (Sentry) | 90 days | | Payment records | 7 years (Spanish tax law requirement) | | Email communications | 24 months |

When you delete your account, we remove or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax/accounting records for 7 years under Spanish law).

7. Your Rights Under GDPR

Under the GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): Request limited processing of your data
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for consent-based processing
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise any of these rights, contact us at privacy@pilotsocials.com. We will respond within 30 days as required by the GDPR.

Supervisory Authority

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority. For Spain:

Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6, 28001 Madrid Website: www.aepd.es

8. Cookies and Tracking

We use only strictly necessary cookies for:

  • Authentication and session management
  • Security (CSRF protection)
  • Language/locale preferences

We do NOT use:

  • Advertising cookies
  • Third-party tracking cookies
  • Analytics cookies (we use server-side analytics only)

Since we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

9. Automated Decision-Making

Our AI features generate content suggestions based on your business profile and preferences. This constitutes automated processing but does not involve automated decision-making with legal or similarly significant effects on you, as:

  • All AI-generated content requires your explicit review and approval before publication
  • You can edit, reject, or regenerate any content suggestion
  • The AI does not make decisions about your account, pricing, or access

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest (AES-256)
  • Secure authentication via OAuth 2.0
  • Role-based access control with organization membership verification
  • Token encryption for stored social media credentials
  • Regular security audits and vulnerability assessments
  • Access logging and monitoring

11. Children's Privacy

PilotSocials is a B2B service not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@pilotsocials.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. For significant changes:

  • We will notify you via email at least 30 days before the changes take effect
  • We will display a prominent notice within the Service
  • We will update the "Last updated" date

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Privacy Contact: Email: privacy@pilotsocials.com

General Contact: Email: hello@pilotsocials.com

Data Controller: CodeTix Barcelona, Spain