capty Logo
Features
Solutions
By Role Agencies Social Media Managers Corporate Influencers Marketing Teams
By Platform Instagram LinkedIn Facebook TikTok
Pricing Blog
EN DE
Join Waitlist
Features Solutions Agencies Social Media Managers Corporate Influencers Marketing Teams Instagram LinkedIn Facebook TikTok Pricing Blog Join Waitlist

Privacy Policy

Last updated: June 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

capty.ai
Frömmgen und Wintjens GbR
KWL Büro 0.05, Lothringer Str. 38
44805 Bochum, Germany
Email: info@capty.ai

2. Scope of this Privacy Policy

This privacy policy applies to the use of our website at capty.ai and to the use of our SaaS platform capty (hereinafter "Platform" or "Service"). It informs you about the nature, scope, and purposes of the processing of personal data.

capty is directed exclusively at companies, agencies, freelancers acting in a professional or commercial capacity, and other organisations (B2B). Natural persons acting outside their professional or commercial capacity are not the intended audience of this service.

3. Website Hosting and Server Logs

Our website is hosted by Hostinger International Ltd. When you visit our website, the hosting provider automatically collects information in server log files:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the accessed file
  • Website from which access is made (referrer URL)
  • Browser and operating system used
  • Hostname of the accessing device

Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the technical provision and security of the website). Server log files are automatically deleted after 30 days.

Hostinger processes data in data centres within the EU. More information: Hostinger Privacy Policy.

4. SSL/TLS Encryption

This site uses SSL/TLS encryption for security reasons. An encrypted connection is indicated by the browser address bar changing from "http://" to "https://" and the lock icon in the address bar.

5. Waitlist and Contact Requests

When you sign up for our waitlist or use our contact form, we collect the following data:

  • First and last name
  • Email address
  • Company (optional)
  • Message (optional)

Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (pre-contractual measures). The data is used to process your enquiry and to contact you regarding the product launch. We do not share this data with third parties without your explicit consent.

Waitlist and contact data is retained for up to 24 months from collection, unless a contractual relationship arises or earlier deletion is requested.

6. Newsletter and Product Emails (Brevo)

We use Brevo (formerly Sendinblue), Brevo SAS, 106 boulevard Haussmann, 75008 Paris, France, for sending newsletters and product-related emails.

When you subscribe to our newsletter, your email address is stored and processed by Brevo. Brevo also collects technical data such as open rates and click behaviour to optimise our email communications.

Legal basis: Art. 6(1)(a) GDPR (consent). You can revoke your consent at any time by unsubscribing from the newsletter (link in every email) or by contacting us at info@capty.ai. Email addresses are retained until consent is withdrawn. Upon an unsubscribe request, deletion from active mailing lists occurs within 30 days.

Brevo is certified under the EU-US Data Privacy Framework. More information: Brevo Privacy Policy.

7. Cookies

Our website uses cookies. Cookies are small text files that are stored on your device by your browser.

7.1 Strictly Necessary Cookies

These cookies are required for the operation of the website and cannot be disabled:

  • capty_cookie_consent: Stores your cookie preferences (duration: 365 days)
  • capty_lang: Stores your language setting (duration: 365 days)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the functionality of the website).

7.2 Analytics Cookies (Google Analytics)

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies that enable an analysis of website usage.

We have implemented the following privacy measures:

  • IP anonymisation is enabled (your IP address is truncated within the EU)
  • A data processing agreement has been concluded with Google
  • Data sharing with Google is disabled
  • Google Signals is disabled

Legal basis: Art. 6(1)(a) GDPR (consent). Analytics cookies are only set after your explicit consent via our cookie banner. You can revoke your consent at any time via the cookie settings.

More information: Google Privacy Policy. You can also prevent collection by Google Analytics with the browser add-on.

7.3 Managing Cookie Settings

You can adjust your cookie settings at any time via our cookie settings page. Additionally, you can manage or delete cookies in your browser settings.

8. Google Fonts

We use Google Fonts for the uniform display of fonts. When you access a page, your browser loads the required fonts from Google servers. In doing so, your IP address is transmitted to Google.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a uniform presentation). Google is certified under the EU-US Data Privacy Framework.

More information: Google Privacy Policy.

9. Account Creation and Account Management

Use of the capty Platform requires the creation of a user account. During registration and account management, we process the following data:

  • First and last name
  • Email address
  • Company name (required for invoicing)
  • Password (stored encrypted, not readable in plain text)
  • Team assignments and role permissions (depending on the selected plan)
  • Registration timestamp and most recent login data (for security purposes)

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Account data is retained for the duration of the contractual relationship. After cancellation, the 30-day export window set out in the Terms applies. Account data is then deleted, unless statutory retention obligations apply.

10. Uploaded Content and Generated Outputs

In the course of using the Platform, customers upload media content and receive AI-generated outputs. The following data is processed:

  • Uploaded images and videos
  • Text inputs (instructions, brand descriptions, and other inputs)
  • AI-generated captions, copy, and other outputs
  • Approval statuses and comments within approval workflows
  • Usage metadata (e.g. upload timestamps, processing status)

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Uploaded and generated content is retained for the duration of the contractual relationship. After cancellation, the 30-day export window set out in the Terms applies. Content is then irrevocably deleted, unless statutory retention obligations apply.

Uploaded content is not shared with third parties for advertising, analytics, or other secondary purposes.

11. Connected Social Media Accounts and API Integration

11.1 General

capty allows users to connect their social media accounts via OAuth 2.0 to publish and schedule content automatically. When using these integrations, both capty and the respective platforms process personal data. capty and each social media platform act as independent data controllers (separate controllers) for the processing carried out within their respective spheres.

The legal basis for all processing in this section is Art. 6(1)(b) GDPR (performance of contract). Access tokens and refresh tokens are stored exclusively server-side, encrypted and secured in accordance with current industry standards. They are not shared with any third party other than processors supporting capty in operating the Platform. Users may disconnect their accounts and request deletion of all related data at any time.

11.2 Meta (Facebook and Instagram)

Data controller at Meta:
Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (for EU/EEA users); Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA (global parent).

Data processed by capty via the Meta Graph API:

  • Facebook Page IDs and names, and the user's administrative role on each Page
  • Instagram Business or Creator Account ID and basic profile information (display name, avatar URL)
  • Page Access Tokens (for Facebook Pages; do not expire on a fixed schedule; invalidated upon password change or access revocation) and User Access Tokens (valid approx. 60 days; stored server-side as Long-Lived Tokens)
  • Metadata relating to scheduled and published posts (publish time, Post ID, publish status)

API permissions (scopes) used: pages_show_list, pages_manage_posts, pages_read_engagement, instagram_business_basic, instagram_business_content_publish.

Data transmitted to Meta when publishing: Post content (text, image or video file), visibility settings, and scheduled publish time are transmitted to Meta via the Graph API. capty processes this data exclusively on instruction from and on behalf of the user.

Programme and terms: capty uses the Meta Graph API under the Meta Platform Terms (Meta for Developers Platform) and the Meta Business Tools Terms. Use is compliant with Meta's current Platform Policies. capty participates in Meta's App Review process for all permissions requiring Advanced Access.

Data deletion and revocation: Access tokens are deleted as soon as a user disconnects their account in capty's account settings, cancels their capty account, or upon request from Meta. Users can also revoke access directly with Meta at any time:

  • Facebook/Meta: Settings → Apps and Websites
  • Alternatively: auth.meta.com/settings/apps_websites/

capty additionally provides an in-platform option to disconnect accounts and request data deletion. Requests sent to info@capty.ai will be processed and all platform-related data deleted promptly.

Data processing by Meta: For information on Meta's own data processing, please refer to:
Facebook: facebook.com/privacy/policy/
Instagram: privacycenter.instagram.com/policy/

11.3 LinkedIn

Data controller at LinkedIn:
LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (for EU/EEA users); LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, California 94085, USA (global parent).

Data processed by capty via the LinkedIn API:

  • LinkedIn Member URN (pseudonymised identifier) for user authentication
  • Organisation/Company Page URNs and names where the user holds an administrative role (Administrator, Content Admin, or Direct Sponsored Content Poster)
  • Access Token (valid 60 days) and Refresh Token (valid 365 days), stored exclusively server-side
  • Metadata relating to published posts (Post URN, publish time, status)

API permissions (scopes) used: w_member_social (for personal profiles), w_organization_social, r_organization_social (for company pages). Only the data necessary for the publishing function is processed; LinkedIn profile data beyond the URNs required for authentication is not stored.

Data transmitted to LinkedIn when publishing: Post content (text, media URN), author URN (member or organisation), visibility settings, and distribution parameters are transmitted via the LinkedIn Posts API.

Programme and terms: capty uses the LinkedIn API under the LinkedIn API Terms of Use. Prior to a user's first authentication, capty informs users about the purpose of data processing, the categories of data collected, and their right to withdraw — as required by LinkedIn's API Terms (six-element pre-authentication disclosure).

Data deletion and revocation: Access tokens are deleted immediately upon account disconnection or capty account cancellation. Upon request, all previously transferred data is fully deleted within 10 days. Users can also revoke access directly with LinkedIn at any time:

  • Settings → Data Privacy → Permitted Services

Data processing by LinkedIn: linkedin.com/legal/privacy-policy

11.4 TikTok

Data controller at TikTok:
TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (for EU/EEA users); TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, EC1A 9HP, United Kingdom (for UK users). capty and TikTok act as independent data controllers (controller-to-controller) pursuant to the TikTok Developer Data Sharing Agreement (effective 22 January 2026).

Data processed by capty via the TikTok Content Posting API:

  • TikTok Open ID (pseudonymised user identifier) and display name
  • Access Token (valid 24 hours) and Refresh Token (valid 365 days), stored exclusively server-side
  • Creator information (available privacy levels, comment/duet/stitch permissions) retrieved via API prior to each video upload
  • Metadata relating to published videos (Video ID, publish time, status)

API permissions (scopes) used: video.publish, video.upload, user.info.basic.

Data transmitted to TikTok when publishing: The video file, caption (max. 2,200 characters), privacy level setting, branded content flags, AI-generated content disclosure (as required by TikTok's Community Guidelines), and comment/duet/stitch settings are transmitted via the TikTok Content Posting API. The privacy level is always actively selected by the user; capty does not pre-set this value.

Programme and terms: capty uses the TikTok API under the TikTok for Developers programme, governed by the TikTok Developer Terms of Service and the TikTok Developer Data Sharing Agreement. The video.publish scope is subject to full App Review by TikTok before content can be posted publicly.

Data deletion and revocation: Access tokens are deleted immediately upon account disconnection or capty account cancellation; capty may also programmatically revoke tokens via TikTok's OAuth revocation endpoint. Users can revoke access directly in the TikTok app at any time:

  • TikTok app: Profile → Menu → Settings and Privacy → Security → Manage app permissions → [Remove access]

Further information: TikTok Support – Third-Party Apps

Note on TikTok's data transfer history: In May 2025, the Irish Data Protection Commission (DPC) fined TikTok Technology Limited €530 million for the unlawful transfer of EEA user data to servers in the People's Republic of China. TikTok has committed to storing EEA user data exclusively in European data centres under its "Project Clover" initiative. The data processed by capty (API tokens and posting metadata) is structurally separate from the personal data subject to that enforcement action; TikTok's data processing as an independent controller is governed solely by TikTok's own policies. For information on TikTok's data processing, please refer to:
tiktok.com/legal/page/eea/privacy-policy/en

12. Payment Processing (Stripe)

We use Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland) for payment processing.

The following data is transmitted to Stripe during payment processing:

  • Name, email address
  • Payment information (credit card number, expiry date, CVC)
  • Billing address and company details
  • Transaction amount and plan information

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Payment data is processed exclusively by Stripe and is not stored on our servers. Stripe is PCI DSS Level 1 certified. Billing and transaction records subject to tax or commercial law retention obligations are retained for 10 years (§ 147 AO / § 257 HGB).

More information: Stripe Privacy Policy.

13. AI-Supported Processing

capty uses one or more AI service providers to deliver and improve the functionality of the Service. Depending on the feature, use case, availability, quality, and technical requirements, capty may use different AI providers and processing infrastructures.

These providers may process submitted content solely for the purpose of providing the requested service to capty. Where required, capty enters into appropriate contractual arrangements with such providers. If personal data is transferred to countries outside the EU or EEA, capty relies on the safeguards provided by applicable data protection law (e.g. SCCs, adequacy decisions), where available and applicable.

capty does not guarantee that any specific AI provider, model, or processing location will be used for a particular request unless explicitly agreed otherwise in writing.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

14. Recipients and Processors

We engage the following service providers in the operation of our website and Platform. Data processing agreements pursuant to Art. 28 GDPR have been concluded, or will be concluded prior to the activation of the respective processing activity:

Provider Purpose Role Location
Hostinger International Ltd. Web hosting and infrastructure Processor EU (Lithuania)
Brevo SAS Email delivery (newsletter, product emails) Processor EU (France)
Stripe Payments Europe, Ltd. Payment processing Processor EU (Ireland)
Google Ireland Ltd. (Analytics) Website analytics (consent-based only) Processor EU (Ireland) / potentially USA
AI service providers AI-assisted processing of uploaded content and text generation Processor EU and/or third countries (depending on provider)
Meta Platforms Ireland Limited Social media API (Facebook, Instagram) — content publishing Independent controller EU (Ireland) / USA
LinkedIn Ireland Unlimited Company Social media API (LinkedIn) — content publishing Independent controller EU (Ireland) / USA
TikTok Technology Limited Social media API (TikTok) — content publishing Independent controller (controller-to-controller) EU (Ireland) / international

The AI service providers currently in use will be disclosed on request at info@capty.ai.

15. International Data Transfers

Some of our service providers are based outside the European Union (EU) or European Economic Area (EEA), or may access data from third countries. The following safeguards are in place:

  • Brevo is certified under the EU-US Data Privacy Framework (DPF).
  • Stripe processes data primarily through its EU entity (Ireland). Transfers to third countries are safeguarded by Standard Contractual Clauses (SCCs).
  • Meta Platforms: Meta Platforms Ireland Limited is designated as the data exporter for EEA transfers. Transfers to the USA are based on Standard Contractual Clauses (Module 1, controller-to-controller, Decision 2021/914) and the EU-US Data Privacy Framework, for which Meta Platforms, Inc. is certified.
  • LinkedIn: LinkedIn Ireland Unlimited Company processes data primarily within the EU. Transfers to the USA (LinkedIn Corporation) are safeguarded by Standard Contractual Clauses (Module 2, controller-to-processor, pursuant to LinkedIn's Business Development DPA).
  • TikTok: TikTok Technology Limited (Ireland) acts as the data controller for EU/EEA users. Transfers to third countries are based on Standard Contractual Clauses (Art. 46 GDPR). Note: In May 2025, TikTok was fined €530 million by the Irish DPC for unlawful transfers of EEA user data to China. TikTok has committed to remediation measures (Project Clover). The data processed by capty (API tokens, posting metadata) is structurally distinct from the personal data at issue in that enforcement action; TikTok's own processing as an independent controller is governed solely by TikTok's policies.
  • AI service providers: Where AI processing involves transfers to third countries, capty relies on safeguards provided by applicable law (e.g. SCCs, adequacy decisions), where available and applicable.

16. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): You can request information about your personal data stored by us.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data, provided no legal retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You can request the restriction of processing of your data.
  • Right to data portability (Art. 20 GDPR): You can request that we provide your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to the processing of your data at any time if processing is based on legitimate interest.
  • Right to withdraw consent (Art. 7(3) GDPR): You can withdraw consent at any time with effect for the future.
  • Right to deletion of platform-connected data: You may request deletion of all data processed by capty in connection with your connected social media accounts (tokens, posting metadata) at any time. Deletion will be carried out within 10 days of the request.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Germany, www.ldi.nrw.de.

To exercise your rights, please contact: info@capty.ai

17. Retention Periods

We retain personal data only for as long as necessary for the respective processing purpose or as required by applicable law:

Data category Retention period
Server log files 30 days
Waitlist and contact data Up to 24 months from collection, or until deletion is requested
Newsletter subscriber data Until consent is withdrawn; deletion from active lists within 30 days of unsubscribe request
Account and user data Duration of the contractual relationship + 30-day export window after cancellation
OAuth tokens (Meta, LinkedIn, TikTok) Duration of the active account connection; deleted immediately upon disconnection or cancellation, within 10 days at the latest
Posting metadata (social media channels) Duration of the contractual relationship + 30-day export window after cancellation, then deletion
Uploaded and generated content Duration of the contractual relationship + 30-day export window after cancellation, then deletion
Billing and payment records 10 years pursuant to § 147 AO / § 257 HGB (German commercial and tax law)

18. Data Processing on Behalf of Customers (DPA)

Where customers process personal data of third parties via the Platform (e.g. employee data, client data), customers act as data controllers and capty acts as data processor. In such cases, the parties are required to conclude a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. capty provides a standard DPA template, available at capty.ai/legal/dpa/.

19. Changes to this Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or changes to our service. The current version is always available on this page. For material changes, we will inform you by email if your email address is available to us.

We use cookies

We use cookies to improve your experience. Some are essential, others help us understand how you use our site. Privacy Policy

capty

The AI layer between your content and your channels. Upload once, publish everywhere.

Product

Features Pricing Join Waitlist Blog

Solutions

For Agencies Social Media Managers Marketing Teams Corporate Influencers Photographers & Videographers

Platforms

Instagram LinkedIn Facebook TikTok
© 2026 capty. All rights reserved. Made with in Germany
Contact Imprint Privacy Policy Terms Refund Policy Cookie Settings