Privacy Policy

Last updated: September 6, 2025

Privacy-First Design & GDPR Compliance

CloutPilot is designed with privacy as a fundamental principle. We process data locally on your devices, comply with GDPR and Belgian privacy laws, and do not store your social media credentials. This comprehensive policy explains our data practices and your rights under EU privacy law.

1. Data Controller Information and Contact Details

1.1 Data Controller

The data controller responsible for processing your personal data is the operator of CloutPilot, a company incorporated under Belgian law. As a Belgian entity, we are subject to the General Data Protection Regulation (GDPR) and Belgian data protection laws.

1.2 Contact Information

For any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact us through the official support channels available on our website. We are committed to responding to your inquiries within the timeframes required by GDPR.

1.3 Data Protection Officer

In accordance with GDPR requirements, we have appointed a Data Protection Officer (DPO) to oversee our data protection practices. You may contact our DPO for any privacy-related concerns through our official support channels.

1.4 Supervisory Authority

As a Belgian company, our lead supervisory authority is the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit). You have the right to lodge complaints with this authority or your local EU data protection authority.

2. Personal Data We Collect

2.1 Account and Registration Data

When you create an account with CloutPilot, we collect:

  • Email address (required for account creation, authentication, and communication)
  • Full name (for personalization and customer support)
  • Password (securely hashed and encrypted)
  • Account preferences and configuration settings
  • Profile information you choose to provide
  • Time zone and language preferences

2.2 Subscription and Billing Data

For paid services, we collect and process:

  • Billing name and address
  • Payment method information (processed securely through third-party payment processors)
  • VAT/tax identification numbers where applicable
  • Subscription tier and feature usage
  • Transaction history and invoice records
  • Currency and payment preferences

2.3 Technical and Usage Data

To provide, secure, and improve our Service, we automatically collect:

  • IP addresses (processed for security and geographic compliance)
  • Device information (operating system, device type, unique device identifiers)
  • Browser information (type, version, language settings)
  • Service usage analytics (features used, session duration, interaction patterns)
  • Error logs and diagnostic information for troubleshooting
  • General geographic location (country/region level for compliance)
  • Cookies and similar tracking technologies (see Cookie Policy)
  • Helper app connection status and performance metrics

2.4 Content and Configuration Data

To provide automation services, we store:

  • Post templates and content you create
  • Automation configurations and schedules you set up
  • Media files you upload for posting (images, videos)
  • AI persona configurations and custom instructions
  • Account linking preferences (without storing credentials)
  • Engagement rules and targeting parameters
  • Historical automation performance data

2.5 Communication and Support Data

When you contact us for support or communicate with us:

  • Support ticket content and correspondence
  • Chat messages and communication history
  • Feedback and survey responses
  • Screenshots or diagnostic information you provide
  • Phone call recordings (with consent, where applicable)
  • Meeting recordings for support purposes (with consent)

2.6 Data We Explicitly Do NOT Collect

We explicitly DO NOT collect, store, or have access to:

  • Social media account passwords, login credentials, or authentication tokens
  • Private messages, direct communications, or personal conversations from social platforms
  • Personal photos, videos, or content from your social media accounts (unless explicitly uploaded by you)
  • Contact lists, follower information, or friend connections from your accounts
  • Banking or financial account credentials
  • Government identification numbers or sensitive personal identifiers
  • Health information or medical data
  • Biometric data or other sensitive personal information

2.7 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or data concerning sexual orientation) unless explicitly necessary for specific service features and with your explicit consent.

3. Legal Basis and Purposes for Processing

Under GDPR, we must have a legal basis for processing your personal data. We process your data based on the following legal bases and for the following purposes:

3.1 Contract Performance (Article 6(1)(b) GDPR)

Processing necessary to perform our contract with you:

  • Creating and managing your account
  • Providing automation services and features
  • Processing payments and managing subscriptions
  • Delivering customer support and technical assistance
  • Communicating about service-related matters
  • Ensuring service security and preventing abuse

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

Processing based on our legitimate interests (balanced against your rights):

  • Analyzing usage patterns to improve service functionality and user experience
  • Detecting and preventing fraud, abuse, and security threats
  • Conducting research and development for new features
  • Ensuring network and information security
  • Managing business operations and internal administration
  • Exercising or defending legal claims
  • Marketing our services to existing customers (subject to opt-out rights)

3.3 Consent (Article 6(1)(a) GDPR)

Processing based on your explicit consent:

  • Marketing communications (promotional emails, newsletters)
  • Non-essential cookies and tracking technologies
  • Participation in surveys and feedback programs
  • Processing special categories of data (where applicable)
  • Sharing testimonials or case studies

You can withdraw your consent at any time through your account settings or by contacting us.

3.4 Legal Compliance (Article 6(1)(c) GDPR)

Processing required to comply with legal obligations:

  • Tax reporting and financial record keeping
  • Regulatory compliance and reporting
  • Data breach notification requirements
  • Law enforcement requests (where legally required)
  • Anti-money laundering and sanctions compliance
  • Retention of business records as required by law

3.5 Vital Interests (Article 6(1)(d) GDPR)

In exceptional circumstances, we may process data to protect someone's vital interests, such as in medical emergencies or to prevent serious harm.

3.6 Balancing Test for Legitimate Interests

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You can request details of these assessments by contacting us.

4. Data Sharing and Third-Party Recipients

4.1 Service Providers and Processors

We share personal data with trusted third-party service providers who process data on our behalf under strict contractual obligations:

  • Cloud Infrastructure: AWS Europe (hosting, storage, backup services) - Data Processing Agreement in place
  • Payment Processing: Stripe (PCI-DSS compliant payment processor) - EU data localization
  • Email Services: Professional email providers for transactional and support communications
  • Customer Support: Support ticket management and live chat providers
  • Analytics: Privacy-focused analytics providers (with anonymization where possible)
  • Security Services: Fraud detection and security monitoring services
  • Backup and Recovery: Secure data backup and disaster recovery providers

All service providers are bound by Data Processing Agreements (DPAs) that require GDPR compliance, appropriate security measures, and restrictions on data use.

4.2 Legal and Regulatory Disclosure

We may disclose personal data when required by law or to protect legitimate interests:

  • In response to valid legal requests from authorities (court orders, subpoenas)
  • To comply with regulatory investigations or audits
  • To protect our legal rights and defend against claims
  • To prevent fraud, security breaches, or illegal activities
  • In connection with the investigation of suspected violations of our Terms
  • To protect the safety and security of our users and the public

We will challenge disproportionate or inappropriate requests and will notify affected users where legally permitted.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the new entity. Any such transfer will be subject to appropriate safeguards and notification requirements under GDPR. The receiving entity will be required to honor the commitments made in this Privacy Policy.

4.4 What We Do NOT Share

We never share or sell your personal data for:

  • Advertising or marketing purposes by third parties
  • Data brokerage or commercial data sales
  • Social media targeting by external platforms
  • Market research by third parties without your consent
  • Any purpose unrelated to providing our Service

4.5 Group Companies and Affiliates

We may share data with other companies in our corporate group for internal administration, consolidated reporting, and service improvement, always under the same privacy protection standards as outlined in this policy.

4.6 Data Processor Oversight

We conduct regular audits and assessments of our data processors to ensure ongoing compliance with GDPR requirements. All processors are contractually required to implement appropriate technical and organizational measures to protect personal data.

5. International Data Transfers

5.1 Data Location and Processing

Your personal data is primarily processed and stored within the European Union. Our primary data centers are located in Germany and Ireland, providing enhanced data protection under EU law. We maintain data residency within the EU wherever possible to provide maximum privacy protection.

5.2 Third Country Transfers

In limited circumstances, some of our service providers may process data outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

  • European Commission Adequacy Decisions (for countries with adequate protection)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (BCRs) for multinational corporations
  • Certification schemes and Codes of Conduct
  • Additional contractual safeguards and technical measures

5.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) to evaluate the level of protection in destination countries and implement supplementary measures where necessary. These assessments consider local laws, surveillance practices, and available legal remedies.

5.4 US-Based Service Providers

For any US-based processors, we ensure compliance with applicable frameworks and implement additional safeguards including encryption, pseudonymization, and strict contractual limitations on data access and use.

5.5 Your Rights Regarding Transfers

You have the right to request information about international transfers of your data and to obtain copies of the safeguards we have put in place. Contact us if you have specific concerns about data transfers.

6. Data Security Measures

6.1 Technical Security Measures

We implement industry-leading technical security measures to protect your personal data:

  • End-to-end encryption for data in transit (TLS 1.3 and higher)
  • AES-256 encryption for data at rest
  • Secure password hashing using bcrypt with salt
  • Multi-factor authentication (MFA) for all accounts
  • Regular security vulnerability assessments and penetration testing
  • Automated security monitoring and intrusion detection systems
  • Secure backup systems with encryption and access controls
  • Network segmentation and firewall protection
  • Data loss prevention (DLP) systems

6.2 Organizational Security Measures

We maintain strict organizational controls to protect personal data:

  • Role-based access controls following the principle of least privilege
  • Regular employee security training and awareness programs
  • Background checks for employees with data access
  • Confidentiality agreements and data protection obligations
  • Incident response procedures and breach notification protocols
  • Regular audits and compliance assessments
  • Secure disposal procedures for data and equipment
  • Vendor security assessments and due diligence

6.3 Privacy by Design and Default

We implement privacy by design principles in all our systems and processes, including data minimization, purpose limitation, and privacy-friendly default settings. Our local processing architecture ensures that sensitive data remains on your devices wherever possible.

6.4 Security Certifications and Standards

Our security practices align with international standards including ISO 27001, SOC 2, and other industry frameworks. We undergo regular independent security audits and maintain compliance certifications.

6.5 Data Breach Response

In the unlikely event of a personal data breach, we have comprehensive incident response procedures in place. We will notify the relevant supervisory authority within 72 hours as required by GDPR and will inform affected data subjects without undue delay when the breach is likely to result in high risk to rights and freedoms.

6.6 Security Limitations

While we implement robust security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we continuously work to improve our security posture and respond to emerging threats.

7. Your Rights Under GDPR

As a data subject under GDPR, you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights:

Right of Access (Article 15)

Request a copy of your personal data and information about how it's processed

Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data

Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten")

Right to Restrict Processing (Article 18)

Limit how we process your personal data in certain circumstances

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format

Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing

Right to Withdraw Consent (Article 7)

Withdraw consent for processing at any time

Right to Lodge Complaints (Article 77)

File complaints with supervisory authorities

7.1 How to Exercise Your Rights

To exercise any of these rights, contact us through our official support channels. We will respond to your request within one month (extendable by two additional months for complex requests). We may require identity verification to protect your data security.

7.2 Limitations on Rights

These rights are not absolute and may be limited by law or where necessary for important public interests, legal compliance, or the protection of rights and freedoms of others. We will explain any limitations when responding to your requests.

7.3 No Charge for Requests

We will not charge fees for reasonable requests to exercise your rights. However, we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests, or provide further copies of information already provided.

Contact Information for Data Subject Requests

For all data subject requests, please use our official support channels. Include "Data Subject Request" in your subject line and provide sufficient information for us to verify your identity and locate your data. We are committed to processing all legitimate requests promptly and in accordance with GDPR requirements.

8. Data Retention

8.1 General Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. We regularly review our data retention needs and delete data when it is no longer required.

8.2 Specific Retention Periods

  • Account data: Retained while your account is active and for 30 days after closure
  • Billing and transaction data: Retained for 7 years for tax and legal requirements
  • Usage analytics: Aggregated data retained for 2 years, identifiable data for 13 months
  • Support communications: Retained for 3 years for quality assurance and training
  • Content templates and configurations: Retained until deletion by user or account closure
  • Security logs: Retained for 1 year for security monitoring and incident response
  • Marketing communications: Retained until unsubscribe or consent withdrawal
  • Legal compliance data: Retained as required by applicable laws and regulations

8.3 Account Deletion Process

When you close your account or request data deletion, we will delete your personal data within 30 days, except for data we are legally required to retain. You will have the opportunity to export your data before deletion. Some data may be retained in anonymized form for statistical purposes.

8.4 Backup and Archival Data

Deleted data may remain in encrypted backups for up to 90 days for disaster recovery purposes. This backup data is not accessible for normal business operations and is subject to the same security measures as live data.

8.5 Legal Hold and Litigation

In case of legal proceedings, regulatory investigations, or potential claims, we may need to retain relevant data beyond normal retention periods. Such data will be securely stored and access will be limited to authorized personnel.

8.6 Retention Schedule Reviews

We regularly review our data retention schedules to ensure they remain appropriate and compliant with evolving legal requirements. We may update retention periods based on business needs, legal changes, or technological developments.

9. Cookies and Tracking Technologies

9.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. We also use similar technologies such as local storage, session storage, and web beacons. These technologies help us provide and improve our Service.

9.2 Types of Cookies We Use

Strictly Necessary Cookies

Essential for website functionality, security, and providing requested services. These cannot be disabled.

Functional Cookies

Remember your preferences and settings to enhance your experience.

Performance and Analytics Cookies

Help us understand how visitors interact with our website to improve functionality and user experience.

Marketing Cookies

Used to deliver relevant advertising and measure campaign effectiveness (only with your consent).

9.3 Cookie Consent Management

We use a cookie consent management platform that allows you to control which cookies you accept. You can change your preferences at any time through our cookie settings or by clearing your browser cookies.

9.4 Third-Party Cookies

Some cookies are set by third-party services we use. These are governed by the privacy policies of those third parties. We carefully select partners and require them to comply with privacy regulations.

9.5 Managing Cookies

You can control cookies through your browser settings, our cookie preference center, or by using browser extensions. Note that disabling certain cookies may affect website functionality.

10. Children's Privacy

10.1 Age Restrictions

Our Service is not intended for children under 16 years of age (or the minimum age specified by local law in your jurisdiction). We do not knowingly collect personal information from children under this age without appropriate parental consent.

10.2 Parental Rights

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will take steps to remove such information and terminate the child's account if necessary.

10.3 Enhanced Protection

Where we do process children's data with appropriate consent, we apply enhanced privacy protections including additional security measures, limited data collection, and special retention policies.

10.4 Educational Use

If our Service is used in educational settings involving minors, we work with schools and educational institutions to ensure appropriate safeguards and parental notifications are in place.

11. Data Protection Impact Assessments

11.1 DPIA Process

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by GDPR Article 35. These assessments help us identify and mitigate privacy risks before implementing new systems or processes.

11.2 High-Risk Processing

We have identified and assessed potential high-risk processing activities including automated decision-making, large-scale processing of personal data, and any new technologies that may affect individual privacy.

11.3 Risk Mitigation

Based on our DPIAs, we implement appropriate technical and organizational measures to reduce identified risks, including privacy by design principles, data minimization, and enhanced security controls.

11.4 Consultation and Review

Where required, we consult with supervisory authorities on high-risk processing activities and regularly review our DPIAs to ensure they remain current and effective.

12. Privacy Policy Updates

12.1 Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will provide appropriate notice of material changes as required by law.

12.2 Notification Methods

For significant changes that affect your rights, we will notify you through email, prominent notices in our Service, or other appropriate communication methods at least 30 days before the changes take effect.

12.3 Version Control

Each version of this Privacy Policy is dated and archived. You can request previous versions of this policy to understand how our practices have evolved over time.

12.4 Continued Use

Your continued use of our Service after we publish or send a notice about changes to this Privacy Policy means that you consent to the updated Privacy Policy to the extent permitted by law.

13. Contact Information and Complaints

13.1 Data Protection Inquiries

For any questions about this Privacy Policy, our data practices, or to exercise your rights under GDPR, please contact us through our official support channels available on our website. We are committed to responding promptly and thoroughly to all privacy-related inquiries.

13.2 Supervisory Authority Complaints

You have the right to lodge a complaint with a data protection supervisory authority if you believe we have violated your privacy rights:

Belgium: Autorité de protection des données / Gegevensbeschermingsautoriteit

EU Data Protection Authorities: You may also contact the supervisory authority in your EU member state

A complete list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en

13.3 Response Timeframes

We will acknowledge receipt of your inquiry within 2 business days and provide a substantive response within 30 days (or 3 months for complex requests, with an explanation of the delay).

Privacy Commitment

We are committed to protecting your privacy and handling your personal data responsibly and transparently. Our privacy-first design ensures your sensitive information remains secure and under your control. We comply with the highest standards of data protection under GDPR and Belgian law.

Legal Framework

This Privacy Policy has been prepared in accordance with GDPR, Belgian data protection law, and other applicable EU privacy regulations. We continuously monitor legal developments to ensure ongoing compliance with evolving privacy requirements.