Privacy Policy – Spreenity

Last updated: 03/24/2026

1. Data Controller

The controller of personal data is:

  • JMSOFT Jarosław Maladyn
  • Sole proprietorship
  • VAT ID: 6443323082
  • Address: 41-200 Sosnowiec, ul. Sielecka 24/48, Poland
  • Contact email: support@spreenity.pl

The Controller has not appointed a Data Protection Officer (DPO).

For all matters related to personal data protection, please contact us by email.

2. Scope

This Privacy Policy applies to the processing of personal data of users of the Spreenity SaaS platform, available at spreenity.pl, including user accounts, the application dashboard, and public informational pages.

3. Categories of Personal Data Processed

Depending on how the platform is used, we may process the following categories of data:

3.1. User account data

  • e-mail address
  • password (stored only as a cryptographic hash)
  • account identifiers
  • account settings and preferences
  • consent history (consent version, acceptance date, change source)

3.2. Billing data

  • first and last name or company name
  • billing address
  • VAT ID (if applicable)
  • subscription, plan, and invoice information
  • payment identifiers (without payment card data – card data is processed solely by the payment operator Stripe)

3.3. Technical and operational data

  • IP address
  • session identifiers
  • system and security logs
  • device and browser data
  • event timestamps
  • security and brute-force protection data (anonymised IP addresses and failed login attempt counters linked to e-mail and IP address; stored as cryptographic hashes and used solely for account protection)
  • security audit logs (critical events recorded with hashed user identifiers and user-agent fingerprints or null, without storing request content or credentials)

3.4. User content

  • content published by the user (e.g. posts, descriptions)
  • media files uploaded to the platform
  • metadata related to content publication
  • scheduling metadata (e.g. scheduled publish time, cancellation, or reschedule events)

3.5. Integration-related data

  • account identifiers in external services (e.g. Facebook, Google, TikTok, OLX)
  • access tokens (stored in encrypted form)
  • information about connected accounts
  • Google Business Profile location metadata linked to the connected Google account (for example location and parent-account resource identifiers, location name, category, website, profile photo, language, region, and selection/publishing status)
  • minimum OLX import data scope: advert identifier, source URL, selected description fields, technical metadata, and attestation acceptance evidence for content rights

4. Purposes and Legal Bases of Processing

Personal data are processed for the following purposes:

4.1. Performance of a contract

Processing is necessary to:

  • create and maintain a user account,
  • provide platform services,
  • handle subscriptions and billing.

Legal basis: Art. 6(1)(b) GDPR.

4.2. Legal obligations

Data are processed to comply with legal obligations, in particular:

  • tax and accounting regulations,
  • invoicing regulations (including requirements of the National e-Invoice System).

Legal basis: Art. 6(1)(c) GDPR.

4.3. Legitimate interests of the Controller

Processing is carried out in order to:

  • ensure platform security,
  • prevent abuse and attacks (including retention of brute-force control data),
  • maintain security logs and audits,
  • pursue or defend claims.

Legal basis: Art. 6(1)(f) GDPR.

4.4. User consent

Where data are processed for marketing or analytics purposes, they are processed only on the basis of user consent.

Legal basis: Art. 6(1)(a) GDPR.

Consent may be withdrawn at any time.

Data related to the OLX integration are processed solely for user-initiated advert import into the composer. For OLX import we process only the minimum data scope (advert identifier, source URL, selected description fields, technical metadata, and attestation acceptance evidence for content rights).

5. Obligation to Provide Data

Providing personal data is:

  • a contractual requirement – to the extent necessary to create an account and use the platform,
  • a legal requirement – to the extent of billing data.

Failure to provide data may result in the inability to use the services.

6. Recipients of Data and Transfers

6.1. Processors

The Controller uses external service providers that process personal data on its behalf under data processing agreements (DPAs) compliant with Art. 28 GDPR. Current processors:

Google LLC / Google Cloud Platform (USA)

  • Purpose: hosting infrastructure, media and file storage, asynchronous task execution
  • Data categories: account data, user content, system logs, media files
  • Transfer mechanism: EU Standard Contractual Clauses (SCC)
  • Primary processing region: European Union (Frankfurt/Warsaw)

Stripe, Inc. (USA)

  • Purpose: payment processing, subscription management, invoicing
  • Data categories: billing data (name/company, address, VAT ID), subscription identifiers; payment card data is processed solely by Stripe and is not stored by the Controller
  • Transfer mechanism: EU Standard Contractual Clauses (SCC)

Mailjet SAS (Sinch) (France, EU)

  • Purpose: sending transactional messages (account verification, notifications, invoices)
  • Data categories: e-mail address, transactional message content
  • Transfer mechanism: processing within the EEA (EU-based entity)

OpenAI OpCo, LLC (USA) – solely for the AI Marketing feature (Starter/Growth/Pro/Premium plans)

  • Purpose: AI-based marketing content generation (caption and hashtag suggestions)
  • Data categories: user-selected image (via signed URL), selected publication platforms, content generation instruction; generated content is not stored by the Controller after the request completes
  • Transfer mechanism: EU Standard Contractual Clauses (SCC)
  • Primary processing region: United States

6.2. Separate controllers

When integrating with external services (e.g. social platforms), data may be transferred to entities acting as separate controllers, in line with their own privacy policies. This applies in particular to: Meta Platforms (Facebook, Instagram), Google LLC (Google Business Profile), TikTok, and OLX as a content-import source.

6.3. Transfers outside the EU/EEA

As a rule, data are processed within the European Union. Providers listed in §6.1 that are based in the United States (Google LLC, Stripe, OpenAI) may process data outside the EEA. In each such case we apply EU Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) as the appropriate transfer safeguard. Information on applied safeguards can be provided upon request.

6.4. AI-Based Content Generation (details)

For the AI Marketing feature, we share with OpenAI only the data required to fulfil the request: the user-selected image, the indicated publication platforms, and the content generation instruction. The Controller does not maintain a separate AI query history. Processing is transient and limited solely to delivering the requested functionality. Queries and generated suggestions are not stored independently by the Controller unless the user chooses to apply the generated content to a post within the platform.

7. Data Retention Periods

Personal data are retained for the following periods:

  • user account data – for the duration of the contract and up to 30 days after its termination (after which the account is anonymised and permanently deleted)
  • consent history (consent_history) – for the duration of the contract and for 5 years after its termination, for GDPR audit purposes
  • billing data and VAT invoices – for the period required by tax and accounting law (generally 5 years from the end of the tax year)
  • technical data and system logs – up to 12 months
  • security and brute-force control data (user_security_state) – up to 12 months or until the account is unblocked, whichever comes first
  • security audit logs (hashed events, including user-agent fingerprints when available) – up to 12 months
  • publish media files – according to the cloud object retention policy, typically deleted within 24 hours after the retention marker (customTime) expires
  • AI Marketing input/output data – not retained as AI history; processing is transient
  • scheduling metadata – for the account data retention period and applicable publication-history/audit retention windows
  • data processed on the basis of consent – until consent is withdrawn or the contract ends

Processing by data processors takes place solely on the basis of data processing agreements (DPAs) compliant with Art. 28 GDPR and exclusively on the Controller's instructions.

8. Rights of Data Subjects

Users have the right to:

  • access their data,
  • rectify their data,
  • erase their data (right to be forgotten),
  • restrict processing,
  • data portability,
  • object to processing,
  • withdraw consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal).

Requests may be submitted by email to: support@spreenity.pl. The Controller responds without undue delay, no later than within 1 month of receipt.

Users have the right to lodge a complaint with the President of the Polish Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).

Data export scope: the personal data export available via the API (POST /api/account/export) after sign-in and fresh MFA covers account data, connected account metadata, Google Business Profile location metadata linked to the user's Google accounts, consent history, publication history, and template metadata. Google location export includes only minimized fields needed for portability and verification; it does not include the internal google_location.id, tokens, raw provider responses, diagnostics, or locations not linked to the user's Google accounts. Data exports do not include VAT invoices – these are available exclusively in the billing history at /billing after signing in, due to legal obligations regarding tax document retention.

9. Automated Decision-Making and Profiling

The Controller does not make decisions producing legal effects concerning users solely by automated means within the meaning of Art. 22 GDPR.

The platform may use limited statistical mechanisms to improve service quality (e.g. anonymous feature usage data). These mechanisms do not lead to profiling producing legal or similarly significant effects on users.

10. Cookies and Tracking Technologies

The platform uses cookies in the following categories:

Necessary cookies (always active, no consent required):

These are required for the platform to function correctly, including user session management (NextAuth authentication), CSRF protection, and language preference storage. They are session cookies or have a limited lifetime and are deleted upon sign-out or browser closure.

Analytical and functional cookies (require consent):

Used to analyse how the platform is used in order to improve it. Only activated after the user grants explicit consent. Analytical data are processed in anonymised or pseudonymised form. The platform does not use third-party advertising cookies and does not share user data with advertising platforms.

Users can change cookie settings at any time via the cookie banner in the application or via browser settings. Preferences can be updated by reopening the cookie settings from the user panel.

11. Changes to the Privacy Policy

The Privacy Policy may be updated in particular in the event of changes in legislation, organisational or technical changes, changes to the platform's functionality, changes in the use of External Services, changes to the list of recipients or processors, or the need to clarify information about data processing.

Editorial, organisational, technical, or security changes that do not materially affect the scope of data, the purposes or legal bases of processing, the categories of recipients or processors, or users' rights may apply from the moment of publication or from the date indicated in the Privacy Policy.

If changes materially affect the scope of processed data, the purposes or legal bases of processing, data categories, categories of recipients or processors, transfers outside the EEA, or users' rights, the Controller will inform users in the Application or by e-mail before the changes take effect where required by law or the nature of the change. To the extent required for continued use of the Application, the user may be asked at sign-in to accept the current version of the Privacy Policy before continuing to use the Account.

The current version of the policy is always available at: spreenity.pl/privacy-policy

12. Contact

Email: support@spreenity.pl