Privacy Policy – Spreenity

Last updated: 03/24/2026

1. Data Controller

The controller of personal data is:

  • JMSOFT Jarosław Maladyn
  • Sole proprietorship
  • VAT ID: 6443323082
  • Address: 41-200 Sosnowiec, ul. Sielecka 24/48, Poland
  • Contact email: support@spreenity.pl

The Controller has not appointed a Data Protection Officer (DPO).

For all matters related to personal data protection, please contact us by email.

2. Scope

This Privacy Policy applies to the processing of personal data of users of the Spreenity SaaS platform, available at spreenity.pl, including user accounts, the application dashboard, and public informational pages.

3. Categories of Personal Data Processed

Depending on how the platform is used, we may process the following categories of data:

3.1. User account data

  • e-mail address
  • password (stored only as a cryptographic hash)
  • account identifiers
  • account settings and preferences
  • consent history (consent version, acceptance date, change source)

3.2. Billing data

  • first and last name or company name
  • billing address
  • VAT ID (if applicable)
  • subscription, plan, and invoice information
  • payment identifiers (without payment card data – card data is processed solely by the payment operator Stripe)

3.3. Technical and operational data

  • IP address
  • session identifiers
  • system and security logs
  • device and browser data
  • event timestamps
  • security and brute-force protection data (anonymised IP addresses and failed login attempt counters linked to e-mail and IP address; stored as cryptographic hashes and used solely for account protection)
  • security audit logs (critical events recorded with hashed user identifiers, without storing request content or credentials)

3.4. User content

  • content published by the user (e.g. posts, descriptions)
  • media files uploaded to the platform
  • metadata related to content publication
  • scheduling metadata (e.g. scheduled publish time, cancellation, or reschedule events)

3.5. Integration-related data

  • account identifiers in external services (e.g. Facebook, Google, TikTok, OLX)
  • access tokens (stored in encrypted form)
  • information about connected accounts
  • minimum OLX import data scope: advert identifier, source URL, selected description fields, technical metadata, and attestation acceptance evidence for content rights

4. Purposes and Legal Bases of Processing

Personal data are processed for the following purposes:

4.1. Performance of a contract

Processing is necessary to:

  • create and maintain a user account,
  • provide platform services,
  • handle subscriptions and billing.

Legal basis: Art. 6(1)(b) GDPR.

4.2. Legal obligations

Data are processed to comply with legal obligations, in particular:

  • tax and accounting regulations,
  • invoicing regulations (including requirements of the National e-Invoice System).

Legal basis: Art. 6(1)(c) GDPR.

4.3. Legitimate interests of the Controller

Processing is carried out in order to:

  • ensure platform security,
  • prevent abuse and attacks (including retention of brute-force control data),
  • maintain security logs and audits,
  • pursue or defend claims.

Legal basis: Art. 6(1)(f) GDPR.

4.4. User consent

Where data are processed for marketing or analytics purposes, they are processed only on the basis of user consent.

Legal basis: Art. 6(1)(a) GDPR.

Consent may be withdrawn at any time.

Data related to the OLX integration are processed solely for user-initiated advert import into the composer. For OLX import we process only the minimum data scope (advert identifier, source URL, selected description fields, technical metadata, and attestation acceptance evidence for content rights).

5. Obligation to Provide Data

Providing personal data is:

  • a contractual requirement – to the extent necessary to create an account and use the platform,
  • a legal requirement – to the extent of billing data.

Failure to provide data may result in the inability to use the services.

6. Recipients of Data and Transfers

6.1. Processors

The Controller uses external service providers that process personal data on its behalf under data processing agreements (DPAs) compliant with Art. 28 GDPR. Current processors:

Google LLC / Google Cloud Platform (USA)

  • Purpose: hosting infrastructure, media and file storage, asynchronous task execution
  • Data categories: account data, user content, system logs, media files
  • Transfer mechanism: EU Standard Contractual Clauses (SCC)
  • Primary processing region: European Union (Frankfurt/Warsaw)

Stripe, Inc. (USA)

  • Purpose: payment processing, subscription management, invoicing
  • Data categories: billing data (name/company, address, VAT ID), subscription identifiers; payment card data is processed solely by Stripe and is not stored by the Controller
  • Transfer mechanism: EU Standard Contractual Clauses (SCC)

Mailjet SAS (Sinch) (France, EU)

  • Purpose: sending transactional messages (account verification, notifications, invoices)
  • Data categories: e-mail address, transactional message content
  • Transfer mechanism: processing within the EEA (EU-based entity)

OpenAI OpCo, LLC (USA) – solely for the AI Marketing feature (Starter/Growth/Pro/Premium plans)

  • Purpose: AI-based marketing content generation (caption and hashtag suggestions)
  • Data categories: user-selected image (via signed URL), selected publication platforms, content generation instruction; generated content is not stored by the Controller after the request completes
  • Transfer mechanism: EU Standard Contractual Clauses (SCC)
  • Primary processing region: United States

6.2. Separate controllers

When integrating with external services (e.g. social platforms), data may be transferred to entities acting as separate controllers, in line with their own privacy policies. This applies in particular to: Meta Platforms (Facebook, Instagram), Google LLC (Google Business Profile), TikTok, and OLX as a content-import source.

6.3. Transfers outside the EU/EEA

As a rule, data are processed within the European Union. Providers listed in §6.1 that are based in the United States (Google LLC, Stripe, OpenAI) may process data outside the EEA. In each such case we apply EU Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) as the appropriate transfer safeguard. Information on applied safeguards can be provided upon request.

6.4. AI-Based Content Generation (details)

For the AI Marketing feature, we share with OpenAI only the data required to fulfil the request: the user-selected image, the indicated publication platforms, and the content generation instruction. The Controller does not maintain a separate AI query history. Processing is transient and limited solely to delivering the requested functionality. Queries and generated suggestions are not stored independently by the Controller unless the user chooses to apply the generated content to a post within the platform.

7. Data Retention Periods

Personal data are retained for the following periods:

  • user account data – for the duration of the contract and up to 30 days after its termination (after which the account is anonymised and permanently deleted)
  • consent history (consent_history) – for the duration of the contract and for 5 years after its termination, for GDPR audit purposes
  • billing data and VAT invoices – for the period required by tax and accounting law (generally 5 years from the end of the tax year)
  • technical data and system logs – up to 12 months
  • security and brute-force control data (user_security_state) – up to 12 months or until the account is unblocked, whichever comes first
  • security audit logs (hashed events) – up to 12 months
  • publish media files – according to the cloud object retention policy; typically deleted within 24 hours after the retention marker (customTime) expires
  • AI Marketing input/output data – not retained as AI history; processing is transient
  • scheduling metadata – for the account data retention period and applicable publication-history/audit retention windows
  • data processed on the basis of consent – until consent is withdrawn or the contract ends

Processing by data processors takes place solely on the basis of data processing agreements (DPAs) compliant with Art. 28 GDPR and exclusively on the Controller's instructions.

8. Rights of Data Subjects

Users have the right to:

  • access their data,
  • rectify their data,
  • erase their data (right to be forgotten),
  • restrict processing,
  • data portability,
  • object to processing,
  • withdraw consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal).

Requests may be submitted by email to: support@spreenity.pl. The Controller responds without undue delay, no later than within 1 month of receipt.

Users have the right to lodge a complaint with the President of the Polish Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).

Data export scope: the personal data export available via the API (POST /api/account/export) covers account data, connected account metadata, consent history, publication history, and template metadata. Data exports do not include VAT invoices – these are available exclusively in the billing history at /billing after signing in, due to legal obligations regarding tax document retention.

9. Automated Decision-Making and Profiling

The Controller does not make decisions producing legal effects concerning users solely by automated means within the meaning of Art. 22 GDPR.

The platform may use limited statistical mechanisms to improve service quality (e.g. anonymous feature usage data). These mechanisms do not lead to profiling producing legal or similarly significant effects on users.

10. Cookies and Tracking Technologies

The platform uses cookies in the following categories:

Necessary cookies (always active, no consent required):

These are required for the platform to function correctly, including user session management (NextAuth authentication), CSRF protection, and language preference storage. They are session cookies or have a limited lifetime and are deleted upon sign-out or browser closure.

Analytical and functional cookies (require consent):

Used to analyse how the platform is used in order to improve it. Only activated after the user grants explicit consent. Analytical data are processed in anonymised or pseudonymised form. The platform does not use third-party advertising cookies and does not share user data with advertising platforms.

Users can change cookie settings at any time via the cookie banner in the application or via browser settings. Preferences can be updated by reopening the cookie settings from the user panel.

11. Changes to the Privacy Policy

The Privacy Policy may be updated in the event of changes to legislation, changes to the platform's functionality, or changes to the list of processors. Users will be notified of changes affecting the scope of data processed, the purposes of processing, or the list of processors via the application or by email before the changes take effect. Continued use of the platform after the effective date of changes constitutes acceptance thereof, subject to applicable consumer protection law.

The current version of the policy is always available at: spreenity.pl/privacy-policy

12. Contact

Email: support@spreenity.pl