Privacy Policy

Last updated: 2026-05-05

This notice explains how we process your personal data when you use Plynky. It is drafted under Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.

1. Data Controller

The data controller is Plynky, a personal project in free beta, run on an individual non-profit basis. For any request relating to your personal data or the controller's identity, or to exercise your GDPR rights, write to [email protected]. We will respond within 30 days.

2. What data we collect

We collect only the data strictly necessary to run the service:

  • Registration data: email, name, password (stored encrypted via Appwrite Auth), role, preferred language.
  • Data about managed clients: if you use Plynky as a freelancer or agency, you can create profiles of your clients (name, industry, optional logo). You are the controller of that data; Plynky acts as data processor (see section 8).
  • Content and uploaded media: posts, images, videos, captions you upload to the feed planner. They may contain images of people: it is your responsibility to have the rights to upload them.
  • Social network access tokens: when you connect Instagram/Facebook via OAuth, we store the tokens needed to publish on your behalf. We do not read your private messages.
  • Comments from your end clients: those who receive an approval link only enter a name and a comment. We do not collect email, IP or user-agent of visitors.
  • Waitlist signups: only email and language, with consent timestamp.
  • Minimal technical data: session and language cookies (see Cookie Policy).

3. Why we process your data (legal bases)

We process your data for the following purposes and on these legal bases:

  • Performance of the service (Art. 6.1.b GDPR): to create and manage your account, let you use the feed planner, publish posts on social media on your behalf, show the grid to your clients.
  • Consent (Art. 6.1.a GDPR): for optional update emails (waitlist, newsletter) and analytics cookies. You can revoke consent at any time.
  • Legitimate interest (Art. 6.1.f GDPR): for service security, fraud prevention and protection against abuse.
  • Legal obligation (Art. 6.1.c GDPR): in case of requests from competent authorities.

4. Data retention

We retain data only for the time strictly necessary:

  • User account and content: while the account is active. On account deletion, all associated data (clients, posts, media, social tokens) are cascade-deleted, typically within 30 days.
  • End-client comments: as long as the related post exists.
  • Share links (share tokens): persist while the account exists; can be manually revoked at any time.
  • Waitlist signups: until you request deletion or use the unsubscribe link.
  • Technical logs and backups: maximum 30 days from sub-processors (Appwrite, Vercel).

5. Who we share data with (sub-processors)

To run the service we rely on qualified external providers. All have signed data processing agreements and adopt adequate security measures. Extra-EU transfers are covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework (DPF) where applicable.

| Service | Purpose | Location / Transfer |
|---|---|---|
| Appwrite Cloud | Backend, database, authentication | EU/US (configurable) |
| Cloudflare R2 | Storage of uploaded images and videos | US — SCCs / DPF |
| Bundle.social | Publishing posts to social networks | US — SCCs |
| Brevo (formerly Sendinblue) | Transactional email and newsletter delivery | France (EU) |
| Meta Platforms (Facebook/Instagram) | Connection and publishing to IG/FB via Graph API | US — SCCs / DPF |
| Google Analytics | Site usage statistics (only with prior consent) | US — SCCs / DPF |
| Vercel | Application hosting | US — SCCs / DPF |

6. Your rights

At any time you can exercise the following rights provided by the GDPR (Articles 15-22):

  • Access: get confirmation of processing and a copy of your data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure (right to be forgotten): you can delete your account directly from settings, or write to [email protected].
  • Portability: download your data in JSON format from your account settings.
  • Objection and restriction: object to processing based on legitimate interest or restrict its purposes.
  • Withdrawal of consent: you can change or withdraw consent for analytics cookies via the "Cookie preferences" button in the footer.
  • Complaint: you can file a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or your local DPA.

7. Data security

We adopt reasonable technical and organizational measures to protect data: HTTPS connections, encrypted passwords, JWT-based access with expiration, separation of data across clients, hosting on qualified providers. However, no system is 100% secure: in case of a breach posing risks to your rights, we will notify you without undue delay as required by Art. 34 GDPR.

8. Plynky and your end clients

If you use Plynky as a freelancer or agency to manage your clients' social media, two layers of processing overlap:

  • You are the controller of your end clients' data (names, content, possible media). You must have a legal basis to process them (typically the contract with them).
  • Plynky acts as data processor under Art. 28 GDPR: it processes that data only to provide you the service, does not use it for other purposes, applies adequate security measures and deletes it upon account deletion or your request.
  • For visitors of share links (end clients receiving the approval link): we only collect the name you enter and your comment. No tracking cookies, no IP, no email. If you arrived here through a shared link and want your comments removed, contact the SMM who shared the link with you, or write to [email protected].

9. Changes to this policy

We may update this notice when services, providers or applicable law change. The last-updated date at the top of the page indicates the current version. Material changes will be notified by email or via in-app notice.

10. Contact

For any question or request, or to exercise your rights, write to [email protected]. We will respond within 30 days as required by GDPR.