GDPR & your data.
Last updated: 2026-05-11
1. Who is the data controller?
bbuddy.co is the data controller for the personal data you provide when you create an account, use the service, or contact us. You can reach the controller at [email protected].
2. Where is your data stored?
All bbuddy data is hosted within the European Union, on infrastructure operated under EU data protection laws. We use encryption in transit (TLS) and at rest, and per-tenant isolation so one customer's brand data never crosses into another's account.
3. What data do we process?
We process the categories listed below, and only what is necessary for the service:
- Account data: Email, name, login credentials managed via OAuth or password.
- Brand data: URLs, palette, copy, library items, and feeds you provide so bbuddy can write in your voice.
- Connection data: OAuth tokens issued by Meta, X, LinkedIn, Instagram so bbuddy can post on your behalf. We never see or store your provider passwords.
- Usage data: How you use the dashboard (clicks, posts created, approvals). Used to improve the product and not sold to third parties.
- Billing data: Limited to what our payment processor requires. Card numbers are never stored on bbuddy servers.
4. Legal bases
We rely on the following legal bases under GDPR Article 6:
- Contract: Processing necessary to provide the service you signed up for.
- Legitimate interest: Service improvement, security, fraud prevention. Always weighed against your rights.
- Consent: Marketing emails, cookies beyond what is strictly necessary. You can withdraw consent any time.
- Legal obligation: Tax, accounting, and regulatory reporting where required.
5. Your rights
If you are in the EU or EEA, you have the following rights under GDPR:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Correct any inaccurate or incomplete data.
- Right to erasure: Request deletion of your account and personal data. Completed within 30 days, subject to legal retention requirements.
- Right to restrict processing: Ask us to limit what we do with your data while a dispute is resolved.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent: Withdraw any consent you previously gave, at any time.
- Right to lodge a complaint: File a complaint with your national data protection authority (e.g. CNIL in France).
To exercise any of these rights, write to [email protected] with the subject "GDPR request". We respond within one month, free of charge, in the language of your account.
6. Data retention
We keep account and brand data while your account is active. When you delete your account, we wipe personal data within 30 days, except where retention is required by law (tax records, fraud investigations). Anonymised aggregates may be retained for analytics.
7. Sub-processors
We use a small number of vetted sub-processors to operate the service (hosting, email delivery, payment processing, AI model providers). All sub-processors are bound by data protection agreements aligned with GDPR. The full list is available on request to [email protected].
8. International transfers
When data leaves the EU (for example, certain AI model providers), we rely on the European Commission's Standard Contractual Clauses and additional technical safeguards. We disclose which transfers happen on request.
9. Data Protection Officer
For any data protection question, reach our DPO at [email protected]. Mention "DPO" in the subject so it routes to the right person.
10. Changes to this page
We update this page when our practices change. The "Last updated" date at the top reflects the most recent change. Material changes are notified by email to active accounts.