Privacy Policy
This privacy policy follows the EU General Data Protection Regulation (GDPR - Regulation 2016/679) and the Spanish LOPDGDD (Organic Law 3/2018).
In short: We store your data on servers in Germany (Hetzner). Facebook/Instagram tokens are encrypted (Fernet/AES-128) before storage. AI processing runs via Anthropic (USA) under EU Standard Contractual Clauses per Art. 46 GDPR. No tracking cookies, no selling of data to third parties.
1. Controller
Martin Schenk S.L.
C/ Claudio Coello 14, 5g · 28001 Madrid, Spain
CIF: B84645654
Email: legal@martin-schenk.es
2. What data we process
2.1 Account data
- Name, email, password (bcrypt hash). Email is the unique identifier.
- Preferred language (de/es/en) and locale.
- Technical data: IP address, User-Agent, timestamp of each login (technical logs, 90 days).
2.2 Project data
Each project contains data you enter + data the AI derives from it:
- Explicit inputs: project name, website URL, free-form description.
- AI analysis result (business_analysis): industry, target audience, tone of voice, value proposition, products/services. Generated by Claude from the inputs above.
- Content categories (3 per project): name + description, editable by you.
- Generated posts (articles): theme, title, body, hashtags, CTA, Unsplash image URL, approval/publish status, IDs of published FB/IG posts.
2.3 Facebook / Instagram tokens
To allow MindBeamer to publish on your behalf, you provide a Facebook Page Access Token. It is encrypted immediately with Fernet (AES-128-CBC + HMAC-SHA256, key as server environment variable) and stored only in encrypted form. The token is NEVER returned to the client or logged. It is decrypted only at the exact moment of a Graph API call (verify, publish).
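The handling described above, as an added illustration that is not MindBeamer's own code: the token is encrypted with Fernet as soon as it arrives, only the ciphertext is stored, a logged or serialised record never contains token material, and decryption happens inside the scope of a single publish call. It assumes the `cryptography` package, a hypothetical environment variable name for the key, and a constructed stand-in for the Graph API call.

```python
import base64
import os
from contextlib import contextmanager
from cryptography.fernet import Fernet, InvalidToken

KEY_ENV = "TOKEN_ENCRYPTION_KEY"   # hypothetical variable name (the policy names none)
DEMO_TOKEN = "constructed-page-token-not-real"  # constructed stand-in for a Page Access Token

def load_fernet(env=os.environ):
    key = env.get(KEY_ENV)  # key lives only in the server environment, never in the database
    if key is None:
        raise RuntimeError(f"{KEY_ENV} is not set")
    return Fernet(key)

class EncryptedPageToken:
    """Holds only the Fernet ciphertext; the plaintext is never an attribute."""
    def __init__(self, ciphertext: bytes):
        self.ciphertext = ciphertext
    @classmethod
    def from_plaintext(cls, fernet: Fernet, token: str):
        return cls(fernet.encrypt(token.encode()))  # encrypt immediately, keep ciphertext only
    def __repr__(self):  # a logged instance shows no token material
        return "EncryptedPageToken(<redacted>)"
    def to_client(self):  # what an API response may reveal: connection state only
        return {"connected": True}
    @contextmanager
    def use(self, fernet: Fernet):
        """Decrypt for one Graph API call; Fernet verifies the HMAC before decrypting."""
        yield fernet.decrypt(self.ciphertext).decode()

def publish_with(stored: EncryptedPageToken, fernet: Fernet, graph_call):
    with stored.use(fernet) as token:
        return graph_call(token)  # the plaintext is bound only inside this block

def demo():
    env = {KEY_ENV: Fernet.generate_key().decode()}  # constructed key, demo only
    f = load_fernet(env)
    stored = EncryptedPageToken.from_plaintext(f, DEMO_TOKEN)
    # stand-in for the Graph API call, returning a constructed response
    result = publish_with(stored, f, lambda tok: {"post_id": "123_456", "token_len": len(tok)})
    # Flip one byte inside the AES ciphertext: the HMAC-SHA256 check rejects it before decryption.
    raw = bytearray(base64.urlsafe_b64decode(stored.ciphertext))
    raw[30] ^= 0x01
    tampered = EncryptedPageToken(base64.urlsafe_b64encode(bytes(raw)))
    try:
        publish_with(tampered, f, lambda tok: tok)
        tamper_detected = False
    except InvalidToken:
        tamper_detected = True
    return repr(stored), result, tamper_detected
```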
3. Legal basis
- Art. 6(1)(b) GDPR (performance of contract): to provide the service.
- Art. 6(1)(c) GDPR (legal obligation): accounting and tax obligations.
- Art. 6(1)(f) GDPR (legitimate interest): technical logs, fraud prevention, platform security.
- Art. 6(1)(a) GDPR (consent): AI analysis + automated social media publishing — confirmed by your explicit approval of each post before publication.
4. Where your data lives
4.1 Primary storage
The entire database (PostgreSQL) and all files are on servers of Hetzner Online GmbH in Germany (data centre in Falkenstein or Nuremberg). No copies outside the EU.
4.2 AI processing
Claude calls currently go directly to the Anthropic API (api.anthropic.com, US region) under EU Standard Contractual Clauses per Art. 46 GDPR. Data is not used to train the models (zero-retention agreement with Anthropic). Migration to an EU region (via AWS Bedrock Frankfurt) is planned for a later phase — update here when implemented.
5. Sub-processors (Art. 28 GDPR)
| Sub-processor | Service | Location and legal basis |
|---|---|---|
| Hetzner Online GmbH | Hosting (servers, database, files). | Germany (EU) ✅ |
| Anthropic PBC | AI model (Claude) used for brand analysis + post generation. Processes user inputs. | USA — SCCs per Art. 46 GDPR (migration to EU region planned, see §4.2). |
| Unsplash Inc. | Image search and delivery for posts. | USA — the CDN serves the image directly to the user's browser. |
| Meta Platforms Ireland Ltd. | Facebook + Instagram API to publish to the user's own connected pages. The user provides their own Page token. | USA — SCCs per Art. 46 GDPR. |
| Cloudflare Inc. | DNS, TLS certificates, attack mitigation. | USA — SCCs per Art. 46 GDPR. |
| Google LLC | Transactional email delivery (registration, confirmations). Own Plesk SMTP server + Gmail sending account. | USA — SCCs + EU-US Data Privacy Framework. |
| Stripe Payments Europe Ltd. | Payment processing (once paid subscription is enabled). | Ireland + USA — SCCs per Art. 46 GDPR. |
If we add a new sub-processor, this list is updated here.
6. Retention periods
- Account: as long as you keep using the service. If you delete your account, your data is deleted within 30 days, subject to legal retention obligations.
- Projects and posts: until you delete them or delete your account.
- Technical logs: 90 days.
- Accounting and tax data: minimum 6 years (Art. 30 Spanish Commercial Code).
- FB/IG tokens: deleted immediately on disconnect of the channel or deletion of the project.
7. Your rights
As a data subject you have the right to:
- Access, rectification, erasure and data portability.
- Restriction of processing and objection.
- Withdraw consent at any time.
- Lodge a complaint with the Spanish Data Protection Authority (AEPD) or your local supervisory authority.
To exercise your rights: legal@martin-schenk.es.
8. Cookies and local storage
MindBeamer does not set first-party HTTP cookies and does not use tracking cookies. We use localStorage for your session and language preference — all strictly necessary. Details: Cookie Policy.
9. Automated decisions
Automated post generation is a suggestion with no legal effect of its own. Actual publication only occurs after your explicit approval. There are no automated decisions with legal effect within the meaning of Art. 22 GDPR.
Last updated: June 2026