Privacy Policy

Last Updated: November 27, 2025

1. Introduction

Welcome to JustPost.AI ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered social media content creation service.

This Privacy Policy is governed by Dutch law and complies with the General Data Protection Regulation (GDPR), the Dutch GDPR Implementation Act (UAVG), and other applicable EU and international data protection laws. We process personal data as a Data Controller under the GDPR.

2. Information We Collect

2.1 Account Information

• Name, email address, and password when you create an account
• Profile information, business details, and preferences
• Account settings and configuration data
• Communication preferences and language settings

2.2 Payment Information

• Billing address and payment method details
• Transaction history and subscription status
• Payment processing information (handled securely by Stripe; we do not store full card numbers)
• VAT identification numbers (for EU business customers)

2.3 Social Media Connections

• Social media account credentials and OAuth access tokens
• Profile information from connected social media accounts (Facebook, Instagram, TikTok, Pinterest, LinkedIn, Twitter/X, YouTube, Google Business)
• Content and engagement data from your social media profiles
• Analytics data from connected platforms

2.4 Website Analysis Data

• Website URLs you provide for content generation
• Publicly available content from your website (text, images, metadata)
• Brand keywords, tone of voice, and visual style information
• Facts and information extracted from your website for AI content creation

2.5 AI-Generated Content

• Prompts and instructions you provide to our AI systems
• AI-generated social media posts, captions, and hashtags
• AI-enhanced and AI-generated images
• Content refinement history and editing sessions

2.6 Usage Data

• Service usage patterns and preferences
• Content creation history and interactions
• Technical information (IP address, browser type, device information)
• Log data and error reports

3. How We Use Your Information

We process your personal information based on the following lawful bases under GDPR Article 6:

3.1 Contract Performance (Art. 6(1)(b))

• Providing and maintaining our services
• Processing payments and managing subscriptions
• Connecting to your social media accounts
• Generating and scheduling AI-powered content
• Analyzing your website to create personalized content
• Providing customer support

3.2 Legitimate Interests (Art. 6(1)(f))

• Improving our services and user experience
• Analyzing usage patterns and trends (anonymized)
• Preventing fraud and ensuring security
• Debugging and fixing service issues
• Business analytics and reporting (aggregated data)

3.3 Consent (Art. 6(1)(a))

• Marketing communications (with your explicit consent)
• Non-essential cookies and tracking technologies
• Processing of special categories of data (if applicable)
• Sharing testimonials or case studies

3.4 Legal Obligations (Art. 6(1)(c))

• Compliance with applicable laws and regulations
• Responding to legal requests and court orders
• Maintaining financial and tax records (Dutch fiscal requirements)
• VAT compliance for EU transactions

4. AI Processing and Automated Decision-Making

4.1 AI Content Generation

We use AI systems (powered by OpenAI) to:

• Analyze your website content, images, and brand identity
• Generate social media posts, captions, and hashtags
• Create and enhance images for your posts
• Suggest optimal posting times and content strategies

4.2 Website Scraping and Analysis

When you provide a website URL, our AI systems:

• Access and analyze publicly available content on your website
• Extract text, images, metadata, and brand information
• Identify facts, keywords, and brand tone for content creation
• Process this information to generate personalized social media content

Important: We only analyze websites you explicitly provide to us. We do not scrape websites without your authorization.

4.3 Your Data and AI Training

4.4 Automated Decision-Making Rights (GDPR Art. 22)

Our AI content generation does not constitute "automated decision-making with legal or similarly significant effects" under GDPR Article 22, as:

• You always have the ability to review, edit, or reject AI-generated content before publishing
• AI suggestions are advisory and require your approval
• You maintain full control over what content is published to your social media accounts

If you have concerns about automated processing, you have the right to request human review of any AI-generated content decisions. Contact us at [email protected].

5. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

After these periods, we will securely delete or anonymize your data using industry-standard methods.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information in accordance with GDPR Article 32:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication for staff
• Infrastructure: Secure cloud hosting with SOC 2 Type II certified providers
• Token Security: Social media access tokens encrypted and stored securely
• Regular Audits: Security assessments and penetration testing
• Incident Response: Documented procedures for data breach notification (within 72 hours as per GDPR)
• Employee Training: Regular data protection and security training

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure adequate protection through the following mechanisms:

7.1 Transfer Mechanisms

• EU-US Data Privacy Framework: Where applicable, we rely on certified providers under the EU-US Data Privacy Framework
• Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs with all non-EEA processors
• Adequacy Decisions: For transfers to countries with EU adequacy decisions
• Supplementary Measures: Additional technical measures including encryption and pseudonymization

7.2 Transfer Destinations

Your data may be processed in:

• European Union: Primary data processing and storage (Netherlands, Germany)
• United States: AI processing (OpenAI), payment processing (Stripe), email delivery (Mailgun)
• Globally: Content delivery networks for performance optimization

You can request information about the specific safeguards in place for transfers by contacting [email protected].

8. Data Sharing and Sub-processors

We share your information with trusted third-party service providers (sub-processors) who assist us in providing our services. All sub-processors are bound by GDPR-compliant Data Processing Agreements.

8.1 Sub-processor Categories

8.2 Complete Sub-processor List

For a complete, up-to-date list of our sub-processors with detailed information about data categories processed and transfer mechanisms, please contact us at [email protected].

8.3 Sub-processor Changes

We will notify you of any intended changes to our sub-processors at least 30 days in advance, giving you the opportunity to object to such changes.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. For detailed information about the cookies we use, including a complete cookie table with names, purposes, and durations, please see our Cookie Policy.

10. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal information:

11. Exercising Your Rights

To exercise any of your GDPR rights, please contact us:

11.1 Response Timeline

• We will acknowledge your request within 3 business days
• We will respond to your request within 30 days (as required by GDPR)
• If we need more time (complex requests), we will inform you within 30 days and may extend by up to 60 additional days
• If we cannot fulfill your request, we will explain the reasons

11.2 Identity Verification

To protect your privacy, we may ask you to verify your identity before processing your request. This helps ensure we do not disclose personal data to unauthorized parties.

12. Complaints and Supervisory Authority

If you have concerns about our data processing practices, we encourage you to contact us first at [email protected]. We take all complaints seriously and will work to resolve your concerns.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

If you are located in another EU Member State, you may also contact your local supervisory authority.

13. Children's Privacy

Our services are intended for business use and are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 18. In accordance with Dutch law (UAVG), the digital age of consent is 16, but our service requires users to be at least 18 years old.

If you become aware that a child has provided us with personal information, please contact us immediately at [email protected], and we will take steps to delete such information.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request information about data collection practices
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Note: We do not sell personal information as defined under the CCPA/CPRA.

To exercise your California privacy rights, contact us at [email protected].

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or our services. We will notify you of any material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending an email notification to your registered email address (for material changes)
• Displaying a prominent notice on our service when you next log in

We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you may close your account.

16. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us: