Spairc — Privacy Policy (TEMPLATE)
STATUS: template for solicitor review — not yet published. Bracketed items need decisions. GDPR applies: operator is Irish, customers are EU.
Last updated: [DATE] Controller: [Fahey Media legal entity], [address], Ireland — [privacy contact email].
1. What we process, and why
| Data | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account data | Name, email, password hash, workspace membership, role | Operate your account | Contract |
| Customer content | Brand profiles, briefs/submissions, photos, logos, generated posts | Provide the service | Contract |
| Connection data | Social account identifiers/tokens for scheduling | Publish approved posts | Contract |
| Usage & billing | Generation counts and costs, invoices, payment status | Billing, fair use | Contract / legitimate interest |
| Technical | IP address, logs, error reports, rate-limit counters | Security, debugging | Legitimate interest |
| Alerts, invitations, verification and reset messages | Operate the service | Contract |
We do not sell personal data or use it for advertising. Generated content is produced from the material you provide; our AI providers process it to generate your content and are contractually barred from training on it. [VERIFY at review.]
2. Subprocessors
| Subprocessor | Role | Location/notes |
|---|---|---|
| Vercel Inc. | Application hosting | EU deployment region; US company (SCCs) |
| Neon Inc. | Postgres database | Frankfurt, Germany |
| Vercel Blob | Image/file storage | [Confirm region] |
| Anthropic | AI copy generation (Claude) | US (SCCs) [confirm data residency options] |
| AI image generation (Gemini) | US/EU (SCCs) | |
| Freepik/Magnific | Stock imagery | Spain |
| Zoho Corporation | Social scheduling (founding period) | EU data centre (zoho.eu) |
| Resend | Transactional email | US (SCCs) |
| Sentry | Error monitoring | EU region |
| Stripe | Payments | EU entity |
| [Ayrshare or equivalent] | Social scheduling (from Stage 2) | [confirm on selection] |
We will update this list and notify workspace owners before adding subprocessors that process customer content.
3. Retention
- Account data: while your account exists; deleted [30] days after account deletion.
- Customer content: while the workspace exists; deleted [30] days after termination (export available on request first).
- Logs and error reports: [90] days. Backups: point-in-time recovery window of [7–30] days, after which deleted data ages out.
4. Your rights
You have GDPR rights of access, rectification, erasure, restriction, portability, and objection. Contact [privacy email]; we respond within one month. You may also complain to the Data Protection Commission (dataprotection.ie).
For personal data appearing inside customer content (e.g. a testimonial naming a person), the customer workspace is the controller and we act as processor on their instructions. [A separate DPA covering Art. 28 processor terms is available on request / to be appended at Stage 4.]
5. Security
Access to production systems is restricted and credentialed; passwords are hashed; tenant data is isolated per workspace at the query layer; transport is TLS throughout. We will notify affected customers without undue delay of any personal data breach as required by GDPR Art. 33/34.
6. Cookies
Spairc uses only strictly-necessary cookies (session authentication, theme). No analytics or advertising cookies. [Update if analytics are added; consent banner needed then.]