Privacy Policy

Effective Date: October 14, 2025

We, Semesterkur UG (haftungsbeschränkt), take the protection of your personal data very seriously. In this Privacy Policy, we inform you comprehensively about how we, as the controller, process your data in the context of our social media automation and scheduling services (Software as a Service) for planning, creating, and publishing content on platforms such as Facebook, Instagram, LinkedIn, Google Business, Twitter/X, TikTok, YouTube, Mastodon, and Bluesky. The processing is carried out in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws.

1. Controller and Contact Information

The controller within the meaning of the GDPR is:
Semesterkur UG (haftungsbeschränkt)
Ernst-Weyden-Straße 15
51105 Köln
E-Mail: [email protected]

Managing Director: Andrés Mora

Local Court: Cologne (further details to be provided)

We have not appointed an external data protection officer. For questions regarding data protection, requests for information, or complaints, please contact the email address provided above. All inquiries related to data protection, including the exercise of your rights, should be directed to [email protected].

Further information about our company can be found in our Terms of Service, which supplement this Privacy Policy.

2. Collection and Processing of Personal Data

2.1 Nature and Scope of Data

In the context of our platform postmaschine.com (including all subdomains), we collect and process the following personal data to the extent necessary for providing our services:

  • Registration and Account Data: Name, email address, password (encrypted), company name, address, and payment information (for subscriptions).
  • Access Data for Social Media Accounts: API keys, authentication tokens, and access credentials for your linked accounts (e.g., for Facebook, Instagram, LinkedIn, Google Business, Twitter/X, TikTok, YouTube, Mastodon, Bluesky) to schedule and publish posts on your behalf.
  • Content Data: Data provided by you for creating and scheduling social media content, including company data (e.g., logos, texts, images) and potentially personal information (e.g., employee names in posts).
  • Usage Data: IP address, date and time of login, used features (e.g., scheduled posts, analyses), device information (browser, operating system), session data.
  • Communication Data: Content from support requests, emails, or chats.
  • Payment Data: Bank details, billing address (processed via third-party providers).
  • Server Log Files: Automatically recorded: Visited pages, access time, data volume transferred, referrer URL, browser used, IP address (anonymized where possible).

Data is only collected to the extent necessary for the functionality of the service. We do not collect sensitive data such as health data or biometric information. All data transmissions are securely conducted via HTTPS/TLS, and data is encrypted at rest.

Processing is based on the following legal bases under Art. 6 GDPR:

  • Art. 6(1)(b) GDPR (Contract Performance): To provide the service, e.g., storage of API keys, scheduling and publishing posts, account management, and support.
  • Art. 6(1)(a) GDPR (Consent): For optional marketing communications or extended analyses (e.g., detailed usage data after accepting this Privacy Policy upon login). Consent can be withdrawn at any time, e.g., by email to [email protected].
  • Art. 6(1)(f) GDPR (Legitimate Interests): To ensure system stability, prevent abuse, optimize the service (e.g., anonymized analyses), and troubleshoot errors. Our interests prevail, as anonymization and minimization are applied, and no protectable rights of data subjects are violated.
  • Art. 6(1)(c) GDPR (Legal Obligation): For accounting, tax purposes, and invoicing.

Purposes include:

  • Provision and improvement of the social media scheduling tool, including analysis and storage of provided content.
  • Customer support, assistance, and payment processing.
  • Ensuring the security and functionality of the platform (e.g., DDoS protection).
  • Anonymized analyses for service optimization.

We do not conduct profiling or automated decision-making within the meaning of Art. 22 GDPR.

2.3 Storage Duration

Data is stored only as long as necessary for the stated purposes or as required by statutory retention periods (e.g., 6–10 years for tax-related data under the German Commercial Code (HGB)). Upon termination of the contract (e.g., cancellation of the subscription), we delete personal data within 30 days, unless subject to retention obligations or permissions (e.g., for ongoing legal disputes). Server log files are deleted after 7 days. API keys and content data are deactivated and deleted upon cancellation, unless otherwise agreed.

3. Disclosure to Third Parties and Transfers to Third Countries

We do not disclose your data to unauthorized third parties. Transfers occur only:

  • To processors (Art. 28 GDPR), who are contractually obligated to ensure data security and GDPR compliance. These include:
    • Publer (for scheduling; USA, with Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF) as safeguards).
    • Cloudflare (Network for DDoS protection, Pages for hosting, Analytics; EU-compliant with Data Localization Suite).
    • Posthog (for analytics and frontend error/session recording; EU hosting options, GDPR-compliant).
    • Axiom.co (for logs; GDPR-compliant).
    • Hetzner (for VPS server hosting; Germany/EU).
    • Backblaze.com (for file and object storage; USA, with DPF certification).
    • Stripe.com (for payments; EU servers, GDPR-compliant).
    • GitHub/Google/Apple (for OAuth authentication; EU-compliant with SCCs/DPF).
  • To social media platforms (e.g., Meta, X), to the extent you consent to linking (Art. 6(1)(a) GDPR); only minimal authentication data is transferred here.
  • In case of legal obligations (e.g., to authorities).

For transfers to third countries (e.g., USA), we apply appropriate safeguards such as SCCs, DPF, or adequacy decisions to ensure an adequate level of protection. A copy of the safeguards is available upon request by email.

4. Your Rights under the GDPR

You have the following rights regarding your personal data (Art. 15–22 GDPR and § 34 BDSG):

  • Access (Art. 15 GDPR): Right to information about stored data, processing purposes, and recipients.
  • Rectification (Art. 16 GDPR): Correction of inaccurate or incomplete data.
  • Erasure (“Right to be Forgotten”, Art. 17 GDPR): Deletion, provided no retention obligations exist.
  • Restriction of Processing (Art. 18 GDPR): In cases of disputes or uncertain accuracy.
  • Objection (Art. 21 GDPR): Against processing based on legitimate interests; withdrawal of consent at any time (without retroactive effect).
  • Data Portability (Art. 20 GDPR): Receipt of your data in a machine-readable format (e.g., for API keys and content).
  • Right to Lodge a Complaint (Art. 77 GDPR): With the competent supervisory authority, e.g., the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (https://ldi.nrw.de/).

Contact us at [email protected] for this purpose. We process requests within one month (extendable in case of complexity). We may request additional proof for identity verification.

5. Cookies and Similar Technologies

We do not use cookie banners. Instead, we track:

  • Essential/anonymized analytics (e.g., via Cloudflare Analytics and Posthog) at all times to ensure functionality and security (legal basis: Art. 6(1)(b)/(f) GDPR). These include pseudonymized IP addresses, session data, and basic usage metrics.
  • Extended/detailed tracking (e.g., session recording, detailed error analyses) only if you are logged into our app and have accepted this Privacy Policy (and thus consented) (Art. 6(1)(a) GDPR). Withdrawal is possible via logout or by email.

Types of cookies/technologies:

  • Necessary Cookies: For authentication, session management, and basic functions (e.g., storage of API keys). Storage duration: Until end of session.
  • Functional Cookies: For storing settings (e.g., dashboard preferences). Storage duration: Up to 1 year.
  • Analytics Cookies: Pseudonymized usage analysis (e.g., Posthog). IP anonymization enabled; storage duration: Up to 14 months.

You can disable cookies in your browser at any time, though this may limit service usage. Further information on third-party providers: Cloudflare Privacy, Posthog Privacy.

6. Data Security

We implement technical and organizational measures to protect your data from unauthorized access, loss, or misuse (Art. 32 GDPR), including:

  • Encryption of data transmission (HTTPS/TLS) and storage at rest.
  • Access restrictions, two-factor authentication, and regular security audits.
  • Employee training and use of tools like Cloudflare for DDoS protection.
  • Data processing agreements with all processors.

Despite all measures, absolute security cannot be guaranteed; we continuously minimize risks and report incidents in accordance with Art. 33/34 GDPR.

7. Minors

Our service is not directed at persons under 16 years of age. If we become aware that we are processing data of minors, we will delete it immediately.

8. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy in case of legal or operational changes. The current version is always available at /privacy. In case of material changes, we will inform you by email or in the login area.
