Privacy Policy

Last Updated: May 5, 2026

This Privacy Policy explains how BUNDLE SP. Z O.O. collects, uses, shares, retains, and protects personal data when you use bundle.social.

Definitions

Company means BUNDLE SP. Z O.O., UL. HOŻA 86 / 410, 00-682 WARSZAWA, POLSKA, referred to as "we", "us", or "our" in this Privacy Policy.

Service means the bundle.social website, dashboard, API, OAuth flows, platform integrations, media upload and hosting features, publishing, scheduling, analytics, support, billing, and related services provided by BUNDLE SP. Z O.O.

Personal data means any information that relates to an identified or identifiable individual.

Customer content means content uploaded, submitted, scheduled, published, imported, or processed through the Service.

Our role

For personal data related to your bundle.social account, billing, support, website usage, security, and our own business operations, BUNDLE SP. Z O.O. generally acts as the data controller.

For customer content, connected social account data, OAuth tokens, post data, analytics data, comments, reviews, replies, and other data processed through the Service on behalf of a customer, the customer generally acts as the data controller and BUNDLE SP. Z O.O. acts as a data processor.

Where we act as a processor, our processing may be governed by a Data Processing Agreement or another written agreement between the parties.

Information we process

Depending on how you use bundle.social, we may process:

  • account information, such as name, email address, organization, team membership, and account settings.
  • authentication information, including login metadata and session information.
  • billing information, such as subscription plan, invoice data, payment status, and payment processor customer ID.
  • connected social account information, such as social account identifiers, profile names, avatars, permissions, and OAuth tokens.
  • customer content, such as captions, media files, links, comments, reviews, replies, scheduling data, and platform-specific post fields.
  • publishing and analytics data, such as post status, platform post IDs, errors, engagement metrics, and account analytics.
  • API and usage data, such as API requests, response status, endpoint, timestamps, IP address, user agent, logs, and rate-limit metadata.
  • support data, such as messages, attachments, and issue details shared with support.

Third-party authentication

You may create an account or log in to the Service using third-party authentication providers, such as Google or GitHub, where available.

If you use a third-party authentication provider, we may receive account information such as your name, email address, profile image, authentication identifier, and related login metadata, depending on the permissions granted by that provider.

How we use personal data

We use personal data to provide, operate, secure, support, bill for, and improve the Service, including to:

  • create and manage accounts, organizations, teams, permissions, sessions, and dashboard access;
  • connect social accounts through OAuth and platform authorization flows;
  • upload, store, schedule, publish, and process customer content;
  • retrieve post status, errors, engagement metrics, account analytics, comments, reviews, and replies;
  • provide API access, rate limiting, monitoring, logging, debugging, support, and security controls;
  • manage subscriptions, invoices, payments, tax records, and customer communication;
  • comply with legal obligations, enforce agreements, prevent abuse, and protect the Service.

Legal basis for processing

Where GDPR applies, we process personal data under the following legal bases:

  • performance of a contract: to provide accounts, dashboard access, API access, publishing, scheduling, media upload, analytics, billing, and support.
  • legitimate interests: to secure, monitor, debug, improve, and protect the Service, prevent abuse, enforce rate limits, and communicate with business users.
  • legal obligation: to comply with tax, accounting, legal, and regulatory requirements.
  • consent: where consent is required, for example for certain cookies, marketing communication, or platform authorization flows.

Sharing personal data

We do not sell personal data. We do not use customer content, uploaded media, social account data, or OAuth data to train third-party AI models.

We may share personal data with trusted service providers where necessary to provide, secure, support, improve, or bill for the Service. These may include providers of hosting, infrastructure, authentication, storage, payments, analytics, customer support, email delivery, monitoring, security, and similar operational services.

We may also share data with connected third-party platforms when needed to connect accounts, publish or schedule content, retrieve analytics, manage comments or reviews, or otherwise provide the platform integrations requested by the customer.

Service providers that process personal data on our behalf are required to process it only for the purposes described in our agreements with them.

Legal and business disclosures

We may disclose personal data where we reasonably believe it is necessary to comply with law, legal process, court orders, government requests, or regulatory obligations.

We may also disclose personal data where necessary to protect the rights, property, security, or safety of BUNDLE SP. Z O.O., our users, customers, third-party platforms, or the public.

If BUNDLE SP. Z O.O. is involved in a merger, acquisition, financing, reorganization, asset sale, or similar business transaction, personal data may be transferred as part of that transaction, subject to appropriate confidentiality and data protection safeguards.

Connected third-party platforms

bundle.social integrates with third-party platforms and APIs where available. Supported integrations may change over time depending on platform API access, app review, permissions, technical availability, and third-party platform requirements.

When you connect a social account or request a platform integration, we process data according to your instructions, the permissions granted through that platform, and the applicable platform terms.

Revoking platform access and deleting data

You may revoke platform access through the relevant third-party platform settings.

You may delete your account, organization, team, connected social account, posts, or media where the Service provides this functionality. You may also request deletion of stored data associated with your account by contacting us at [email protected].

If you delete a team, account, connected social account, post, or media object, the associated data is targeted for deletion from active systems, subject to retention needed for legal, billing, security, abuse-prevention, debugging, backup, or dispute reasons.

Revoking access from a third-party platform may stop future access to that platform, but it may not automatically delete data already stored in bundle.social. To request deletion of stored data, contact us at [email protected].

Cookies and similar technologies

We may use cookies and similar technologies to operate the Service, authenticate users, remember preferences, secure sessions, analyze usage, monitor performance, and improve the Service.

Where required by law, we request consent for non-essential cookies. You can control cookies through your browser settings, but disabling some cookies may affect Service functionality.

Payments

If you purchase a paid plan, payments are processed by a third-party payment processor.

We do not store full payment card details on our servers. Payment information is provided directly to the payment processor and is handled according to that provider's privacy policy and security practices.

We may store billing-related information such as subscription plan, invoice data, payment status, billing email, tax details, and payment processor customer identifiers where needed for billing, accounting, support, fraud prevention, and legal compliance.

Marketing communications

We may contact business users with product updates, service information, and marketing communications where permitted by law.

You can opt out of marketing communications at any time by using the unsubscribe link in the email or by contacting us at [email protected].

Even if you opt out of marketing communications, we may still send transactional, security, billing, support, and service-related messages.

Data retention

We retain personal data only for as long as needed to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and operate our business.

  • Account, organization, and team data is kept for the life of the account, organization, or team.
  • Connected social account data and OAuth tokens are kept while the social account remains connected, unless earlier deletion is requested or required.
  • Customer content, post data, analytics, and uploaded media are kept for as long as needed to provide publishing, scheduling, post history, analytics, debugging, and support.
  • Uploaded media may be stored using global media storage and CDN infrastructure for performance and reliability.
  • Application logs and API logs are retained for 7 days, unless longer retention is required for security, abuse prevention, debugging, legal, billing, or dispute reasons.
  • Database backups are retained for 7 days. Deleted data may remain in encrypted backups until the backup expires.
  • Billing, tax, and accounting records are kept for the period required by applicable law.
  • Deleted customer data is targeted to be deleted from active systems within 30 days, unless retention is required for legal, billing, security, abuse-prevention, or dispute reasons.

International transfers

We are based in Poland and primarily operate from the European Economic Area where our infrastructure allows it.

Some service providers, infrastructure providers, and third-party platforms may process data outside the EEA. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, Data Privacy Framework certification where applicable, or another lawful transfer mechanism under GDPR.

Because bundle.social integrates with third-party platforms, data submitted to or received from those platforms may also be processed according to the privacy policies, developer terms, and infrastructure practices of those platforms.

Data Processing Agreement

Where we act as a processor, we process personal data on behalf of the customer in accordance with the customer's instructions, applicable data protection laws, and the applicable agreement between the parties.

Our standard Data Processing Agreement is available upon request. To request it, contact us at [email protected] and include your company name, workspace or billing email, and a short description of how you use bundle.social so we can provide the correct version.

Your privacy rights

Depending on where you are located and subject to applicable law, you may have the right to access, correct, delete, restrict, object to the processing of, or request portability of your personal data.

Where processing is based on consent, you may withdraw consent at any time.

You may also have the right to object to direct marketing and to lodge a complaint with a data protection authority.

To exercise your rights, contact us at [email protected]. We may need to verify your identity before responding.

Security

We use technical and organizational measures designed to protect personal data. No method of transmission or storage is fully secure, so we cannot guarantee absolute security.

Children's privacy

The Service is intended for business users and is not intended for individuals under 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected personal data from an individual under 18, we will take reasonable steps to delete it, unless we are legally required to retain it.

Links to other websites

The Service may contain links to websites or services that we do not operate. We are not responsible for the content, privacy policies, or practices of those third-party websites or services.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes that significantly affect your rights or how we process personal data, we will provide reasonable notice before the changes become effective, such as by email, dashboard notice, in-product notice, or another prominent notice.

For non-material updates, clarifications, formatting changes, or updates that better describe existing practices, the updated Privacy Policy will be effective when posted, unless stated otherwise.

Contact us

If you have questions about this Privacy Policy, contact us at [email protected].