Privacy Policy

Last updated: April 27, 2026

This is a courtesy English translation. The legally binding version is the Spanish one at /privacy; in case of any discrepancy, the Spanish version prevails.

1. Who we are

Social Coworker (available at socialcoworker.com, hereinafter "the Service") is part of the Anycoworker family of applications.

The Service is operated by Comartinvi S.L. (comartinvi.com), a Spanish limited company with tax ID B56550833 and registered office at Avenida de Roma 153, ático 1, 08011 Barcelona, Spain. Comartinvi S.L. is the data controller of personal data under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection.

For any privacy enquiry or to exercise your rights, write to us at hola@comartinvi.com.

2. What data we collect

We only collect the data strictly necessary to provide the Service:

Account data: your email address and a password you set yourself (stored hashed with bcrypt via Supabase Auth, never in plain text).
Connected social account data: when you link your Instagram, LinkedIn, X or TikTok account via OAuth, we store the access token (encrypted with AES-256-GCM), your public identifier on that network, your username and the granted permissions. We never access your passwords.
Generated or uploaded content: text, images and videos you generate or upload to publish.
Existing posts on your network when connecting: when you link Instagram or X (Twitter), we automatically import the latest 20 posts published on your account (text + public media URL + date) so the AI generator learns your style and adapts new content to your voice. Only posts already public on the network — we do not read direct messages, drafts, private posts, followers or analytics. You can delete this imported data at any time by disconnecting the account or writing to us for immediate deletion.
Project metadata: project name, configuration, scheduling, publishing history.
Minimal technical logs: execution errors, with no personal data beyond what is strictly necessary for diagnosis.

We do not use tracking cookies or third-party analytics tools. The only cookie we set in your browser is the Supabase session cookie (authentication), which is strictly necessary.

3. What we use your data for

We use the data exclusively to:

Provide the Service of generating and publishing content to your social networks.
Schedule and run automatic publications according to the configuration you define.
Show the history and status of your publications in the dashboard.
Send you operational notifications (errors, publication confirmations). We do not use your email for marketing unless you expressly authorize it.

We do not sell, rent or share your data with third parties for commercial purposes.

4. Data we receive from Meta (Instagram)

When you connect your Instagram Business account through Instagram Business Login, we request only the following permissions:

instagram_business_basic: lets us read your account identifier (user_id) and your public username (username). We use the user_id to direct publishing calls to your account and show the username in the dashboard so you can confirm which account is connected. We do not access your post list, profile picture, messages or comments.
instagram_business_content_publish: lets us publish content to your account. We only exercise it when you explicitly approve a post from the Service dashboard.

You can revoke access at any time from your Instagram account settings (Settings > Apps and websites) or from the Social Coworker dashboard. When you revoke, Meta notifies us via our Deauthorize Callback and we mark the token as revoked immediately; operational details are on the Data deletion page.

4 bis. Data we receive from TikTok

When you connect your TikTok account via the official Login Kit, we request only the following permissions:

user.info.basic: lets us read your identifier (open_id), an optional union_id, your display_name and your avatar URL. We use the open_id to direct video upload calls to your account and show the display_name and avatar in the dashboard so you can confirm which account is connected. We do not access your video list, followers, following, messages or comments.
video.publish (and video.upload as a fallback): lets us publish to your TikTok feed the videos you have previously approved in Social Coworker. We only publish the content and at the time you explicitly approve; we never modify the video or add watermarks or footers.

TikTok's access_token lasts 24h and the refresh_token 365 days; both are stored encrypted with AES-256-GCM and only decrypted in memory at the moment of uploading a video you approved.

You can revoke access at any time from the TikTok mobile app (Settings and privacy → Security and access → Manage app permissions) or from the Social Coworker dashboard (Project → Channels → Manage → Disconnect). Operational details are on the Data deletion page.

5. Where your data is stored

Your data is stored on infrastructure located in the European Union:

Supabase (database and image/video storage): Frankfurt, Germany.
Hetzner Cloud (n8n automation engine): Helsinki, Finland.
Render (web application hosting): Frankfurt, Germany.

6. Data processors (third parties)

We share strictly necessary data with the following providers, all subject to their own policies and GDPR-compliant:

Supabase Inc. — database, authentication, storage.
Render Services Inc. — web app hosting.
Hetzner Online GmbH — automation engine hosting.
Google LLC — AI model (Gemini) to generate text and images from your prompts.
Meta Platforms, Inc., LinkedIn Corp., X Corp., TikTok Pte. Ltd. — the social network APIs you publish to; we only send them the content you approve for publishing.
Cloudflare Inc. — registrar/CDN in some cases.

The AI models (Gemini) receive the prompts and context you write to generate content, subject to Google's policy.

7. How long we keep your data

We keep your data while your account remains active. When you request deletion of your account (by writing to hola@comartinvi.com), we will delete all your data within a maximum of 30 days, except for legal obligations requiring retention (for example, tax data if you made a payment).

8. Your rights (GDPR)

As a user in the EU you have the right to:

Access the data we hold about you.
Rectify inaccurate data.
Request erasure ("right to be forgotten").
Restrict or object to processing.
Portability: receive your data in a structured format.
Lodge a complaint with the Spanish Data Protection Agency (AEPD).

To exercise any of these rights, write to us at hola@comartinvi.com. We will respond within a maximum of 30 days.

9. Security

We apply reasonable technical and organizational measures: encryption in transit (HTTPS), encryption at rest of social network tokens (AES-256-GCM), per-user access control (Row Level Security in Supabase), and regular backups.

10. Changes to this policy

If we modify this policy we will notify you by email at least 14 days in advance. The last updated date appears above.

11. Contact

For any question related to privacy or data protection: hola@comartinvi.com.