Privacy Policy
Last updated: 19 May 2026
1. Data controller
The data controller is:
AX SOLUTIONS Jakub Górski
ul. kpt. pilota Żwirki 1C, lok. 4D
90-448 Łódź, Poland
NIP: 9820391754
Email: privacy@socialnira.com
2. What we collect
We collect three kinds of data, all the minimum needed to run the Service:
2.1 Account data
- Your email address (used for sign-in and notifications);
- A bcrypt hash of your password (we never store passwords in plain text);
- Your display name, timezone, locale, notification preferences;
- Account timestamps (created at, last updated).
2.2 Facebook data
When you connect a Facebook account via OAuth, we receive and store:
- Your Facebook user ID, name, email (if you grant the email scope), and profile picture URL;
- Long-lived user access tokens (encrypted at rest);
- Page IDs, names, categories, follower counts, and Page-scoped access tokens for every Page you choose to connect;
- Records of what we publish or attempt to publish on your behalf (timestamp, content, Page targeted, Facebook’s response).
We use this data only to operate the Service. We do not mine your Facebook activity, do not read your messages, do not build behavioral profiles, and do not share Facebook data with third parties. Use of information received from Facebook adheres to Facebook’s Platform Terms including the Limited Use requirements.
2.3 Content you create
- Captions, schedules, and images you upload or compose (stored as files on our server);
- Operational logs of publish attempts (level, message, HTTP status, Facebook post ID).
3. Why we collect it (legal bases)
Under the GDPR, our legal bases are:
- Performance of a contract (Art. 6(1)(b)) — we need your account and Facebook data to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — operational logs, security monitoring, and abuse prevention.
- Consent (Art. 6(1)(a)) — non-essential cookies (currently none) and marketing emails (opt-in only).
- Legal obligation (Art. 6(1)(c)) — accounting/invoicing records as required by Polish law.
4. How long we keep it
- Account data: for as long as your account exists. Deleted within 30 days after you delete your account.
- Facebook tokens: until you disconnect the Facebook account, delete your SocialNira account, or the token expires (typically 60 days for long-lived user tokens).
- Posts and media you create: until you delete them, or 30 days after you delete your account.
- Publish logs: 90 days, then auto-purged.
- Invoices and billing records: 5 years (Polish accounting law).
5. Who we share it with
We are a small operation. We share data only with carefully selected service providers needed to run the Service:
- Facebook (Meta Platforms, Ireland Ltd.) — to publish your posts on your behalf, as you instruct.
- Our hosting provider — where the application and database run. We use providers in the EEA where possible.
- Email delivery provider — when transactional emails are sent (e.g. password reset).
We do not sell your personal data. We do not share it for advertising or analytics with third parties.
Workspace sharing. If you invite another SocialNira user to your workspace, they will be able to see the Facebook Pages and post drafts you explicitly grant them access to, along with their associated metadata (caption, scheduled time, media files, publishing history). Their email address becomes visible to you as the workspace owner. You can revoke their access at any time in Settings → Team — this immediately stops their visibility into your workspace.
6. International transfers
Where data is processed outside the European Economic Area (EEA) — for example by Facebook — transfers are made under appropriate safeguards such as the Standard Contractual Clauses and any applicable adequacy decisions.
7. Security
We use industry-standard measures to protect your data:
- HTTPS in transit;
- Password hashing with bcrypt;
- Session tokens signed with HS256 and stored in HttpOnly, SameSite cookies;
- Database access restricted to the application;
- Limited employee access (currently: only the data controller has access).
No system is 100% secure. If a personal data breach occurs that's likely to result in risk to your rights, we'll notify the relevant supervisory authority within 72 hours and you without undue delay, as required by the GDPR.
8. Your rights
Under the GDPR you have the right to:
- Access — request a copy of your data (Settings → Export my data);
- Rectification — correct inaccurate data (Settings → Profile);
- Erasure (“right to be forgotten”) — delete your account in Settings, or follow the data deletion instructions;
- Restriction — ask us to limit processing;
- Portability — receive your data in a machine-readable format (we provide JSON);
- Object — to processing based on legitimate interests;
- Withdraw consent — where consent is the legal basis, at any time.
To exercise these rights, email privacy@socialnira.com. You also have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.
Meta Platform compliance: when you remove SocialNira from your Facebook account, Facebook sends us a deletion request via the callback URL https://socialnira.com/api/auth/facebook/data-deletion. We delete your account within 30 days. Full instructions: data deletion instructions.
9. Cookies
We use only strictly necessary cookies:
- socialnira_session — keeps you signed in. HttpOnly, SameSite=Lax, 30 days.
- fb_oauth_state — anti-CSRF token during the Facebook OAuth flow. Lifetime: 10 minutes.
We do not use analytics, advertising, or tracking cookies. Because all of our cookies are strictly necessary, we don’t require a cookie consent banner.
10. Children
The Service is not intended for people under 18. We don't knowingly collect data from children. If you believe we have, contact us at privacy@socialnira.com and we will delete it.
11. Changes to this Policy
If we change this policy materially we’ll notify you by email or in-app at least 14 days before the change takes effect.
12. Contact
For any privacy-related question or request, email us at privacy@socialnira.com.