Privacy policy.

This Privacy Policy describes how bbuddy (the “Service”, “we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you visit bbuddy.co, create an account, use the product, or otherwise interact with us. It applies to all visitors, users, and customers of the Service.

The Service is provided from the European Union and is primarily designed for users located in the European Economic Area (EEA), the United Kingdom, and Switzerland. We process personal data in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”), the ePrivacy Directive 2002/58/EC as transposed into Belgian law, the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and the applicable provisions of the EU AI Act (Regulation 2024/1689).

A complementary, user-friendly summary of your rights under GDPR is available on our GDPR page. In case of any difference between that summary and this Privacy Policy, this Privacy Policy prevails.

The data controller responsible for processing your personal data is bbuddy, operating the website bbuddy.co. For any request relating to this Privacy Policy or to the way your personal data is processed, write to [email protected].

Data-protection requests can be sent to the same address with the subject “GDPR request”. We have not formally appointed a Data Protection Officer (Article 37 GDPR) as the conditions for mandatory designation are not met. We have nevertheless designated a single point of contact for data-protection matters, reachable at [email protected].

The terms “personal data”, “processing”, “controller”, “processor”, “data subject”, “recipient”, and “consent” have the meaning set out in Article 4 GDPR. In this document, “you” refers to any identified or identifiable natural person whose personal data we process.

We collect and process the categories of personal data listed below. We apply data minimisation: we only collect what is needed for the purposes set out in section 6.

4.1 Account and identification data

• Email address (always required to create an account).
• Display name and, where you choose to provide it, profile image.
• Hashed password (only when you sign up with email and password; we never store passwords in clear text).
• OAuth identifier and basic profile fields shared by Google when you sign in with Google.
• Account creation date, last sign-in time, locale, and timezone.

4.2 Brand and content data

• Brand inputs you provide so the Service can write in your voice: URLs, palette, copy snippets, library items, RSS feeds, uploaded reference media.
• Draft posts, scheduled posts, and published posts created within the Service, including their text, media, hashtags, and metadata.
• Approvals, edits, rejections, and feedback you provide on drafts.
• Files you upload to the media library, stored on encrypted EU-region object storage (Cloudflare R2 in EU jurisdiction).

4.3 Social platform connection data

• OAuth access tokens and refresh tokens issued by Meta (Facebook, Instagram), X (Twitter), LinkedIn, and, where enabled, TikTok and YouTube, so the Service can publish on your behalf.
• The public identifiers, handles, page IDs, account IDs, and the scopes you granted at the time of connection.
• Limited profile and content metadata returned by each platform (for example, your handle, follower count where it is part of the standard response, and analytics on posts you publish via the Service).
• We never see or store your password for any third-party platform. Tokens are encrypted at rest with AES-256-GCM.

4.4 Usage and technical data

• Pages and screens you visit, features you use, drafts you create, posts you approve, and other in-product events needed to operate and improve the Service.
• Device and browser information: user agent, operating system, viewport size, language, and approximate region inferred from your IP address.
• IP address, used in transit for security, fraud prevention, and abuse detection.
• Log files including request timestamps, error codes, and identifiers needed to diagnose incidents.

4.5 Communication data

• The content of messages you send us by email or through any contact form.
• Subscription status for product updates or newsletters, if you opted in.
• Customer support history attached to your account.

4.6 Billing data

• Subscription plan, billing cycle, and consumption of BBT credits against your monthly allowance.
• Invoice metadata: invoice number, issue date, amount, VAT details, and the billing email or name you provided.
• Payment is processed by Polar (see section 7). We never store card numbers, CVV, or full payment instruments on bbuddy servers.

4.7 Cookies and similar technologies

We use a limited set of cookies, local storage entries, and similar technologies. See our Cookie Policy for a full list with purposes and lifetimes.

We receive personal data from the following sources:

• Directly from you: When you sign up, complete onboarding, connect a social account, write a draft, contact us, or pay for a subscription.
• From the social platforms you connect: Meta, X, LinkedIn, Instagram, and any other connected platform return profile, page, and content data through their official APIs once you grant OAuth permission.
• Automatically through your use of the Service: Usage and technical data are collected automatically when you interact with the Service.
• From our service providers: Authentication, analytics, payment, and email providers transmit limited metadata back to us so we can operate the Service.

We process your personal data only when we have a valid legal basis under Article 6 GDPR. The table below maps each purpose to its legal basis.

• Provide and operate the Service: Account creation, authentication, draft generation, scheduling and publishing of posts, brand-voice learning, library and feed management. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• Bill you and manage subscriptions: Subscription management, BBT consumption metering, invoicing, refunds, and tax obligations. Legal basis: performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for accounting and tax law.
• Secure the Service and prevent abuse: Detect fraud, enforce rate limits, mitigate brute-force attacks, run CAPTCHA challenges, investigate incidents. Legal basis: legitimate interest (Art. 6(1)(f)), namely keeping the Service safe for users, balanced against your fundamental rights.
• Improve the Service: Diagnose bugs, measure feature adoption, prioritise the roadmap. Legal basis: legitimate interest (Art. 6(1)(f)).
• Communicate with you: Service emails (security alerts, billing notices, material updates to the Service or these terms). Legal basis: performance of a contract (Art. 6(1)(b)).
• Send marketing communications: Newsletters, product news, promotional offers. Legal basis: your explicit consent (Art. 6(1)(a) GDPR and Article XII.13 of the Belgian Code of Economic Law). You can withdraw consent at any time using the unsubscribe link in every message.
• Provide AI features: Generate drafts, summarise content, generate images, run automations. Legal basis: performance of a contract (Art. 6(1)(b)). Inputs you submit may be transmitted to AI sub-processors strictly to produce the requested output (see section 7 and section 12).
• Comply with legal obligations: Respond to lawful requests from authorities, retain tax and accounting records, handle data-protection requests, comply with EU AI Act transparency duties. Legal basis: legal obligation (Art. 6(1)(c)).
• Defend or establish legal claims: Use data as evidence to defend our rights or respond to disputes. Legal basis: legitimate interest (Art. 6(1)(f)).

Where processing relies on legitimate interest, we have carried out a balancing test. You have the right to object at any time (see section 11).

We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purposes set out in section 6. Each sub-processor is bound by a written data-processing agreement (Article 28 GDPR) and is subject to confidentiality obligations.

7.1 Infrastructure and storage

• PostgreSQL database: Primary application database, hosted on EU-region infrastructure. Stores account, brand, content, and billing data.
• Cloudflare R2: EU-jurisdiction object storage for uploaded media and generated images.
• Cloudflare: Edge network, DDoS protection, CAPTCHA (Turnstile). May process IP addresses in transit for security.

7.2 AI model providers

• Anthropic: Provides large-language-model inference for chat, drafting, planning, and automations. Inputs are transmitted to Anthropic strictly to return a response. Per Anthropic Commercial Terms, customer inputs and outputs are not used to train Anthropic models.
• OpenAI: Provides text-embedding inference for semantic search across your library and brand inputs. Per OpenAI API data usage policy, API inputs are not used to train OpenAI models.

7.3 Connected social platforms

• Meta Platforms Ireland Ltd. (Facebook, Instagram), when you connect a Meta page or Instagram account.
• X Corp., when you connect an X (Twitter) account.
• LinkedIn Ireland Unlimited Company, when you connect a LinkedIn profile or page.
• TikTok Technology Limited and YouTube (Google Ireland Ltd.), when enabled and connected by you.
• These platforms become independent controllers for any data they process on their own platforms. Their own privacy notices apply.

7.4 Payment and finance

• Polar Software Inc.: Payment processing, subscription management, customer portal, tax handling. Polar acts as a merchant of record and processor as applicable.

7.5 Analytics and product insight

• Google Analytics 4 (Google Ireland Ltd.): Aggregate analytics. We use IP anonymisation and short data-retention settings where available. Set only with your consent.
• Hotjar Ltd.: Session recording and heatmaps to understand user-experience issues. Recordings mask form inputs by default. Set only with your consent.

7.6 Email and marketing

• Klaviyo, Inc.: Newsletter and waiting-list email delivery. Used only when you opt in.

7.7 Other recipients

• Professional advisers (lawyers, accountants, auditors) bound by professional confidentiality.
• Public authorities and courts, where a legal obligation applies (for example, a duly issued order from a competent authority).
• Acquirers or successors, in the context of a merger, acquisition, or sale of assets. We will notify you and update this Policy if such a transfer occurs.

We do not sell your personal data. We do not trade your personal data with advertising brokers.

A current list of sub-processors can be requested at [email protected].

Our primary infrastructure (database, object storage, application servers) is located in the European Union. Some sub-processors are based outside the EEA, in particular AI model providers and certain analytics and payment providers established in the United States.

When personal data is transferred outside the EEA, we rely on one or more of the following safeguards in line with Articles 44 to 49 GDPR:

• An adequacy decision adopted by the European Commission, where one applies (for example, the EU-U.S. Data Privacy Framework, where the recipient is certified).
• Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by additional technical, organisational, and contractual measures as identified in a transfer-impact assessment.
• Your explicit informed consent for a specific transfer, where appropriate and where no other safeguard applies.

You can request a copy of the safeguards in place for a specific transfer by writing to [email protected].

We keep personal data only for as long as necessary for the purposes for which it was collected, plus any retention required by law. Indicative retention periods are:

• Account data: For the lifetime of the account. Deleted within 30 days after account closure, subject to legal retention obligations.
• Brand and content data: For the lifetime of the account. Deleted within 30 days after account closure.
• Social connection tokens: Until you revoke the connection in the Service or in the third-party platform. Refresh tokens are rotated and stale tokens are purged.
• Usage and log data: Up to 24 months for security and product analytics, after which it is aggregated or deleted.
• Billing and invoice records: Seven years from issue, as required by Belgian tax and accounting law (Article III.86 of the Belgian Code of Economic Law).
• Marketing consent records: For the duration of consent plus three years after withdrawal, for evidentiary purposes.
• Support correspondence: Three years after the last interaction, unless a dispute requires longer retention.
• Backups: Encrypted backups are rotated on a defined schedule and are fully purged within 90 days.

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, in line with Article 32 GDPR. These measures include:

• Encryption in transit (TLS 1.2+) for all traffic between you, the Service, and our sub-processors.
• Encryption at rest for the database, object storage, and backups, including AES-256-GCM encryption of social platform OAuth tokens with keys held outside the database.
• Per-tenant isolation in the application layer so one customer’s brand data is never visible inside another customer’s account.
• Hashed and salted passwords (we do not store passwords in clear text). Passwords are never logged.
• Least-privilege access controls and audit logs on production systems. Access to production data is limited to a narrow set of authorised personnel.
• Secure software development practices, dependency scanning, automated tests, and review-mode-by-default for AI-generated outputs so a human approves what is published.
• Regular review of sub-processor security posture and data-protection commitments.
• A documented incident-response process for security and personal-data breaches.

Under Articles 12 to 22 GDPR, and subject to the conditions set out in those articles, you have the following rights:

• Right of access (Art. 15): Obtain confirmation of whether we process personal data about you, a copy of that data, and the information required by Article 15 GDPR.
• Right to rectification (Art. 16): Correct inaccurate data and complete incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data where one of the grounds in Article 17 applies. We complete erasure requests within 30 days, subject to the retention obligations listed in section 9.
• Right to restrict processing (Art. 18): Ask us to limit processing while a dispute is resolved.
• Right to data portability (Art. 20): Receive personal data you provided to us in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object (Art. 21): Object at any time to processing based on legitimate interest, including profiling, and to direct marketing without further justification.
• Right to withdraw consent (Art. 7(3)): Withdraw any consent at any time without affecting the lawfulness of processing before the withdrawal.
• Right not to be subject to automated decision-making (Art. 22): See section 12 for details. The Service is designed so that a human approves every published post by default.
• Right to lodge a complaint (Art. 77): File a complaint with the data-protection authority of your country of residence or work, or where the alleged breach occurred. In Belgium, this is the Autorité de protection des données / Gegevensbeschermingsautoriteit (autoriteprotectiondonnees.be).

To exercise any of these rights, write to [email protected]with the subject “GDPR request”. We will respond within one month and may extend the period by two further months for complex or numerous requests, in which case we will inform you within the first month. The response is free of charge unless the request is manifestly unfounded or excessive, in particular because of its repetitive character. We may request reasonable proof of identity before acting.

The Service uses AI features to assist you: it drafts post copy, generates images, proposes schedules, classifies your library, and produces analytics summaries. These outputs are suggestions for you to review.

By default, the Service operates in “Review” mode: no post is published to a connected social platform without your explicit approval. Optional autonomous modes, where available, are activated only by your express opt-in and can be paused at any time.

As a result, the Service does not take decisions based solely on automated processing that produce legal effects on you or that significantly affect you in a similar way (Article 22(1) GDPR). Where you choose to enable an autonomous mode for a specific workflow, you remain free to pause, modify, or withdraw that authorisation, and a human (you or someone you authorise) retains effective control.

In accordance with Article 50 of the EU AI Act, we mark content generated or substantially altered by AI features within the Service interface so you can identify it before approving publication. Outputs you choose to publish to public social platforms remain your responsibility (see our Terms of Service).

We do not use your inputs, drafts, brand data, or outputs to train our own AI models. Our AI sub-processors (Anthropic, OpenAI) are bound by their respective enterprise or API terms not to use customer API content to train their foundation models. Where these terms change, we will update this section.

We send marketing communications (newsletters, product news, promotional offers) only with your prior, freely given, specific, informed, and unambiguous consent. Every marketing message includes a one-click unsubscribe link. You can also opt out at any time by writing to [email protected]. Withdrawing marketing consent does not affect transactional emails strictly necessary to provide the Service (security alerts, billing notices, material changes to the terms).

The Service is not directed to, and is not intended to be used by, children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data without parental consent, please contact us at [email protected] and we will delete it.

A detailed description of every cookie and similar technology we use, including name, purpose, provider, and lifetime, is set out in our Cookie Policy.

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay in accordance with Article 34 GDPR.

We may update this Privacy Policy when our practices, our sub-processors, or applicable law change. The “Last updated” date at the top reflects the most recent change. Material changes are notified to active accounts by email at least 30 days before they take effect, where reasonably possible. Continued use of the Service after the effective date constitutes acceptance of the updated Policy, subject to your rights under applicable law.

For any question about this Privacy Policy or about how we process your personal data, write to [email protected]. We aim to acknowledge data-protection requests within five business days.

You also have the right to lodge a complaint with the data-protection authority of your country of residence or work, or where the alleged breach occurred. In Belgium, this is the Autorité de protection des données / Gegevensbeschermingsautoriteit, Rue de la Presse 35, 1000 Brussels, [email protected], autoriteprotectiondonnees.be.