Privacy Policy

Last updated: December 2025

1. Introduction and Controller

Welcome to FeedMansion ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our service.

This privacy policy applies in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

Controller pursuant to Art. 4(7) GDPR:

Makerprism UG (haftungsbeschränkt)

Managing Director: Dr. Sabine Schmaltz

Halbergstr. 4

66121 Saarbrücken

Germany

Email: privacy@feedmansion.com

By using FeedMansion, you agree to the collection and use of information in accordance with this privacy policy. If you do not agree with our policies and practices, please do not use our service.

2. Type, Scope and Purpose of Data Collection

2.1 Data You Provide

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

  • Account Information: Email address, name (optional), social media usernames (when you connect platforms for posting)
  • Content Data: RSS feed URLs, AI ghost configurations (personality descriptions, tones), generated post drafts, brand voice examples
  • Payment Information: Payment details processed securely through Stripe (we do not store credit card numbers)
  • Communication Data: Emails and messages to our support team, bug reports

2.2 Automatically Collected Data

Legal Basis: Art. 6(1)(f) GDPR (legitimate interests: security, fraud prevention, service improvement)

  • Usage Data: Features used, posts generated/published, AI credits used, login times, interaction patterns
  • Device Information: Browser type, operating system, device name (derived from user agent)
  • Session Data: IP address at login (for security and fraud prevention), session timestamps
  • Referral Data: Referral codes used at signup (if applicable)

2.2.1 Browser Storage and Cookies

Legal Basis: Art. 6(1)(b) GDPR (necessary for contract performance) and Art. 6(1)(f) GDPR (legitimate interests for analytics)

Essential Storage (No Consent Required)

We use browser localStorage for essential authentication:

  • Authentication Tokens: JWT tokens to keep you logged in (2 items: access_token, refresh_token)
  • Purpose: Essential for the service to function - keeps you authenticated between sessions
  • Security: Tokens are sent via secure HTTPS and expire automatically
  • Control: You can clear these at any time by logging out or clearing browser data

Analytics Cookies (Consent Required)

Legal Basis: Art. 6(1)(f) GDPR (legitimate interests: service improvement, user experience optimization)

Google Analytics 4:

  • Provider: Google LLC (USA) / Google Ireland Limited
  • Purpose: Website analytics, traffic analysis, user behavior insights
  • Data Collected: IP address (anonymized), page views, session duration, device type, browser, referral source, geographic location (country/city level)
  • Cookies Set: _ga, _ga_*, _gid, _gat
  • Retention: _ga and _ga_* (2 years), _gid (24 hours), _gat (1 minute)
  • Data Retention: 14 months in Google Analytics
  • IP Anonymization: Enabled

Third-Party Data Transfer: Google Analytics processes data in the USA and EU. Google is GDPR-compliant and uses Standard Contractual Clauses (SCCs) for EU data transfers.

Your Control: You can reject analytics cookies via our cookie banner, adjust your browser settings to block cookies, or use the Google Analytics opt-out browser add-on. Rejecting analytics cookies does not affect your ability to use FeedMansion.

Ahrefs Analytics:

  • Provider: Ahrefs Pte. Ltd., Singapore
  • Purpose: Website analytics, traffic sources, user behavior insights
  • Data Collected: Page views, referrer information, device type, browser type, screen resolution, page URL, document title, visitor language
  • Data Retention: Aggregated analytics data
  • IP Address: Collected but not stored in identifiable form

2.2.2 Email Communications

Legal Basis: Art. 6(1)(a) GDPR (consent for marketing) and Art. 6(1)(b) GDPR (transactional emails)

Email delivery:

  • Data Collected: Email address
  • Purpose: Transactional emails (login links, notifications), product updates, feature announcements
  • Data Processor: Amazon Web Services EMEA SARL (AWS SES)
  • Data Location: Frankfurt, Germany (eu-central-1)
  • Retention: Until you unsubscribe or request deletion

Data Residency: Email delivery uses AWS SES in the Frankfurt (eu-central-1) region, ensuring your email data remains within Germany.

Your Rights: You can withdraw consent and unsubscribe at any time by clicking "unsubscribe" in any email, or by emailing privacy@feedmansion.com to request immediate deletion of your data. We will process your request within 30 days.

2.4 Third-Party Data

Legal Basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (contract performance)

  • Google OAuth (Login): Google user ID, email address, profile information (for account creation and login)
  • Social Media Platforms (for posting): When you connect social accounts for publishing, we receive and store platform user IDs, usernames, and OAuth tokens for: Twitter/X, LinkedIn, Pinterest, YouTube, Facebook, Instagram, TikTok, Mastodon, and Bluesky
  • RSS Feeds: Content from RSS feeds you add
  • AI Provider: Text data sent to Anthropic Claude API for content generation

3. Purpose of Data Processing

We use your data for the following purposes:

  • Service Provision: Operating, maintaining, and improving our services (Art. 6(1)(b) GDPR)
  • AI Content Generation: Creating AI-assisted content based on your RSS feeds and Ghost configurations (Art. 6(1)(b) GDPR)
  • Payment Processing: Processing payments and managing subscriptions (Art. 6(1)(b) GDPR)
  • Notifications: Sending notifications about new posts, system updates, and account activities (Art. 6(1)(b) GDPR, Art. 6(1)(a) GDPR for marketing)
  • Customer Support: Responding to your support inquiries (Art. 6(1)(b) GDPR)
  • Service Analytics: Monitoring usage patterns and analyzing service performance (Art. 6(1)(f) GDPR)
  • Security: Detecting, preventing, and addressing technical issues and security vulnerabilities (Art. 6(1)(f) GDPR)
  • Legal Obligations: Fulfilling legal requirements and enforcing our Terms of Service (Art. 6(1)(c) GDPR)

All processing is based on the legal bases indicated in parentheses pursuant to GDPR.

4. Data Sharing and Recipients

We only share your information in the following cases:

4.1 Data Processors (Art. 28 GDPR)

We work with the following service providers with whom Data Processing Agreements pursuant to Art. 28 GDPR have been concluded:

  • Anthropic (USA): AI content generation (Claude API) - Standard Contractual Clauses per Art. 46(2)(c) GDPR
  • Stripe (USA/EU): Payment processing - Standard Contractual Clauses and adequacy decision
  • AWS SES (Germany): Email delivery - Data stays in Frankfurt (eu-central-1), AWS GDPR DPA
  • netcup (Germany): Cloud hosting - Data stays in Germany, DPA signed
  • Social Media Platforms: For content publishing (with your explicit consent):
    • Twitter/X (USA), LinkedIn (USA), Pinterest (USA), YouTube (USA), Facebook (USA), Instagram (USA), TikTok (Singapore/USA), Mastodon (varies by instance), Bluesky (USA)
  • Google LLC / Google Ireland Limited (USA/EU): Website analytics (Google Analytics) - Standard Contractual Clauses per Art. 46(2)(c) GDPR
  • Ahrefs Pte. Ltd. (Singapore): Website analytics (Ahrefs Analytics) - aggregated data

All service providers are contractually obligated to process your data only in accordance with our instructions and to implement appropriate technical and organizational measures to protect your data.

If you have a Data Processing Agreement (DPA) with us, you will be notified by email when this list changes.

4.2 Legal Obligations

We may disclose your information when required by law, by court order or government authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others (Art. 6(1)(c) and (f) GDPR).

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring company. We will notify you of any such change in ownership and you have the right to object to the transfer (Art. 6(1)(f) GDPR).

5. Data Storage and Retention Periods

We store your personal data only as long as necessary for the purposes described in this privacy policy, unless a longer retention period is required by law.

Statutory Retention Obligations (Germany): Under §§ 147 AO (German Fiscal Code) and 257 HGB (German Commercial Code), we are required to retain certain records for legally specified periods:

  • Accounting records and invoices: 10 years (§ 147(1) AO, § 257(1) HGB)
  • Commercial and business correspondence: 6 years (§ 257(1) No. 2-3 HGB)
  • Tax-relevant documents: 10 years (§ 147(3) AO)

Operational Retention Periods:

  • Account data: During account activity and 90 days after deletion (except billing data, see above)
  • Generated content: During account activity
  • Usage logs: 12 months
  • Payment receipts and invoices: 10 years per § 147 AO and § 257 HGB
  • Contract documents (subscriptions): 10 years per § 257 HGB
  • Email correspondence (business): 6 years per § 257 HGB

After expiration of the statutory and operational retention periods, your data will be deleted or anonymized, unless you have expressly consented to further use.

6. Data Security (Art. 32 GDPR)

We implement appropriate technical and organizational measures (TOMs) to protect your personal data:

Technical Measures:

  • Encryption in transit: HTTPS with TLS encryption for all connections
  • Encryption at rest: Encryption of sensitive data in the database (AES-256)
  • Secure authentication: JWT tokens, OAuth 2.0 with PKCE (Proof Key for Code Exchange)

Organizational Measures:

  • Regular security audits
  • Documentation: Records of processing activities per Art. 30 GDPR
  • Data processing agreements: With all service providers per Art. 28 GDPR

Despite all security measures, no transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of security incidents, we will promptly notify you and the relevant authorities per Art. 33 and 34 GDPR.

7. Your Rights as a Data Subject (GDPR)

You have the following rights regarding your personal data:

7.1 Right of Access (Art. 15 GDPR)

You have the right to obtain information about the personal data we process about you. You can view, download, and export your data at any time through your account settings.

7.2 Right to Rectification (Art. 16 GDPR) and Erasure (Art. 17 GDPR)

You can update or delete your account information, RSS feeds, and AI Ghosts through your account dashboard. To delete your entire account, use the function in your account settings under Privacy & Data. Please note the statutory retention obligations (see Section 5).

7.3 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing of your data if the accuracy of the data is contested, the processing is unlawful, or you have objected to processing.

7.4 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

7.5 Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data based on Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on those provisions.

7.6 Withdrawal of Consent (Art. 7(3) GDPR)

  • Email notifications: Manage your preferences in account settings
  • Push notifications: Disable in your browser or device settings
  • Browser storage: Clear browser storage or log out to remove authentication tokens
  • Analytics cookies: Adjust your cookie settings via our cookie banner or use the Google Analytics opt-out browser add-on

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

7.7 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates GDPR. The competent supervisory authority is the data protection authority of your state. A list of supervisory authorities can be found at: www.bfdi.bund.de

8. Children's Privacy

FeedMansion is intended for users 16 years of age and older. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately at privacy@feedmansion.com.

9. International Data Transfers (Art. 44-49 GDPR)

Your data may be transferred to and processed in countries outside the European Union/European Economic Area. These countries may have different data protection laws.

Safeguards for third-country transfers:

  • USA (Anthropic, Stripe, Google): Standard Contractual Clauses per Art. 46(2)(c) GDPR and supplementary measures to ensure an adequate level of data protection
  • Social media platforms: When you connect your social media accounts (Twitter/X, LinkedIn, Pinterest, YouTube, Facebook, Instagram, TikTok, Mastodon, Bluesky), data is transferred to these platforms, which are predominantly based in the USA
  • Germany (AWS SES, netcup): Data remains within Germany - no international transfer required
  • Contractual guarantees: All third-party providers are contractually obligated to maintain a level of data protection equivalent to GDPR

You have the right to request a copy of the Standard Contractual Clauses. Contact us at privacy@feedmansion.com.

10. Third-Party Links

Our service may contain links to third-party websites and services (RSS feeds, Twitter, etc.). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

11. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through a prominent notice in our service. The "Last updated" date at the top of this policy indicates when it was last revised. Your continued use of FeedMansion after changes constitutes acceptance of the updated policy.

12. Data Protection Contact

For data protection inquiries, please contact us:

Email: privacy@feedmansion.com

Postal address:

Sabine Schmaltz

Data Protection

Halbergstr. 4 c/o Halle 4

66121 Saarbrücken

Germany

13. Legal Bases for Processing (Art. 6 GDPR)

We process your personal data on the following legal bases:

  • Art. 6(1)(a) GDPR (Consent): Processing with your explicit consent (e.g., marketing emails, social media integration)
  • Art. 6(1)(b) GDPR (Contract Performance): Processing for the performance of our contract to provide our services
  • Art. 6(1)(c) GDPR (Legal Obligation): Processing to comply with legal obligations (e.g., retention requirements under §§ 147 AO, 257 HGB)
  • Art. 6(1)(f) GDPR (Legitimate Interests): Processing for our legitimate interests (e.g., service improvement, fraud prevention, IT security), unless your interests or fundamental rights override

14. Contact and Exercising Your Rights

For questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Email: privacy@feedmansion.com

Postal address:

Sabine Schmaltz

Halbergstr. 4 c/o Halle 4

66121 Saarbrücken

Germany

VAT ID: DE297093645

To exercise your data protection rights (GDPR): privacy@feedmansion.com

We will respond to your request within one month of receipt (Art. 12(3) GDPR). In complex cases, this period may be extended by a further two months.

Change History

  • 2025-12-22: Updated minimum age to 16 years; clarified security measures; changed account deletion to self-service; added social media platforms to international transfers
  • 2025-12-21: Data processors: Replaced SendGrid with AWS SES (Frankfurt); added Pinterest, YouTube, Facebook, Instagram, TikTok, Mastodon
  • 2025-12-20: Initial publication

Data Processing Agreement (DPA)

If you use FeedMansion to manage social media accounts for clients or your organization, you may need a Data Processing Agreement pursuant to Art. 28 GDPR.

Request a DPA: privacy@feedmansion.com

Our standard DPA is available on all plans. DPA signatories will be notified by email when this privacy policy or our data processors change.