1. Data Controller and Owner

For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws:
Data Controller: Draco Social (when determining the purposes and means of data processing)
Address: Odrowążów 83/31, 44-103 Gliwice, Poland.
Contact: support@draco.social
If you have any questions about this Policy or our data handling practices, please contact us.

2. Personal Data We Collect

We collect and process different types of information depending on how you interact with Draco Social:
1. Account Data: When you create an account, we collect your name, email address, login credentials, and (if applicable) organization or billing details.
2.Payment Information: For paid subscriptions, payments are processed by third-party payment processors. We do not store full credit card or payment details, though we may store transaction IDs or partial payment data for record-keeping.
3.Social Media Credentials: If you connect social media accounts (e.g., Facebook, Instagram, Twitter) to our Service, we collect tokens or credentials for authorized access, subject to each platform’s policies.
4.Usage Data: We collect data about how you use Draco Social, such as your IP address, browser type, device info, interaction times, and pages visited.
5.User-Generated Content: We may store the content (e.g., posts, comments, media) you create or manage via Draco Social.

3. Purpose and Legal Basis of Processing

3.1. Purposes of Processing

We use collected data for:

• Service Provision: Operating and maintaining Draco Social, including account management, post scheduling, analytics, etc.
• Customization: Personalizing content, features, and recommendations.
• Payment and Billing: Processing subscription fees, issuing invoices, administering relevant financial records.
• Communications: Sending updates, product information, or promotional materials (you can opt out of non-essential marketing messages).
• Analytics and Improvements: Monitoring usage trends to enhance functionality and user experience.
• Security and Fraud Prevention: Detecting and preventing unlawful or fraudulent activities.
• Legal Compliance: Complying with laws, regulations, or lawful requests by authorities.

3.2. Legal Basis (EEA/UK Users)

For Users in the European Economic Area (EEA) and United Kingdom (UK), our legal bases under the GDPR/UK GDPR may include:

• Contractual Necessity: Processing is necessary to provide the Service under our Terms & Conditions.
• Legitimate Interests: For improving our Service, preventing fraud, or ensuring IT security, unless overridden by your interests or fundamental rights.
• Consent: When we rely on your explicit consent for certain data processing activities (e.g., receiving marketing emails, certain cookies). You can withdraw your consent at any time.
• Legal Obligation: Where processing is required by applicable law (e.g., tax, accounting).

4. How We Share Your Data

We may share personal data with:

1. Third-Party Service Providers: We use the following third-party service providers who process data on our behalf under data protection agreements:

   • PostHog (Analytics): We use PostHog for product analytics and user behavior tracking. PostHog processes usage data, events, and user interactions to help us improve our Service. For more information, see PostHog's Privacy Policy.
   • Hosting Providers: Our Service is hosted on cloud infrastructure providers who process and store your data.
   • Payment Processors: Payment information is processed by third-party payment processors for billing and subscription management.
   • Customer Support Tools: We may use customer support platforms to manage and respond to your inquiries.

2. Social Media Platforms: Data is shared as needed to fulfill publishing or analytics (subject to each platform's privacy policy), including Facebook, Instagram, TikTok, LinkedIn, and other platforms you connect to our Service.

3. Business Transfers: In the event of merger, acquisition, or asset sale, user data may be transferred to the acquiring entity.

4. Legal or Regulatory Requirements: If required by law or in response to valid requests by public authorities.

We do not sell personal data to third parties for monetary consideration.

5. Cookies and Similar Technologies

We use cookies, web beacons, and other tracking technologies to:

• Recognize you across sessions
• Remember preferences
• Analyze traffic and usage patterns
• Track user behavior and product analytics (via PostHog)
• Maintain authentication and security

Types of Cookies We Use:

• Essential Cookies: Necessary for the Service to function (e.g., authentication, security). These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with our Service (e.g., PostHog analytics cookies).
• Functional Cookies: Remember your preferences and settings.

Your Cookie Choices:

You can manage cookie settings in your browser or through our cookie consent banner (for EU/EEA/UK users). However, disabling essential cookies may prevent you from using certain features of Draco Social.

For EU/EEA/UK users, we obtain your consent before placing non-essential cookies on your device, as required by the ePrivacy Directive and GDPR.

6. Data Retention

We retain personal data only as long as necessary to fulfill the purposes described in this Policy or comply with legal obligations. Specific retention periods include:

• Account Data: Retained for the duration of your account plus 30 days after account deletion (to allow for account recovery).
• Usage and Analytics Data: Retained for up to 24 months for analytics and service improvement purposes.
• Financial Records: Retained for 7 years to comply with tax and accounting regulations.
• Marketing Consents: Retained until you withdraw consent or for 2 years of inactivity.
• Support Communications: Retained for up to 3 years for customer service quality and legal purposes.

Once there is no continuing legitimate business need or legal requirement, we will securely delete or anonymize personal data.

7. Security Measures

We employ commercially reasonable security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication mechanisms
• Monitoring for suspicious activities

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and (where required) the relevant supervisory authority within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33 and 34.

8. International Data Transfers

Your personal data may be transferred to and processed in countries other than your country of residence, including the United States, which may have data protection laws different from those in your jurisdiction.

• When we transfer personal data from the Poland to other countries, we ensure safeguards (e.g., Standard Contractual Clauses) to protect your data in accordance with GDPR/UK GDPR requirements.

9. Your Rights (EEA/UK Users)

If you are located in the EEA or UK, you have certain rights under the GDPR/UK GDPR, subject to legal exemptions, including the right to:

• Access: Request a copy of your personal data.
• Rectification: Correct inaccurate or incomplete data.
• Erasure (“Right to be Forgotten”): Request deletion of your data under specific circumstances.
• Restriction: Ask us to restrict processing of your data.
• Portability: Obtain your data in a structured, commonly used, and machine-readable format.
• Objection: Object to our processing of your data if done on a legitimate interest basis.
• Withdraw Consent: Where we rely on consent, you can withdraw it at any time (this does not affect the lawfulness of processing before withdrawal).

To exercise any of these rights, please contact us at support@draco.social. We will respond within a reasonable timeframe, typically 30 days for EEA/UK requests.

You also have the right to lodge a complaint with your local data protection authority.

10. Children’s Privacy

Draco Social is not intended for children under the age of 13 (or as defined by local law). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us at support@draco.social so we can delete such information.

11. Complaints and Dispute Resolution

• Internal Resolution: Contact us at support@draco.social if you have questions or concerns.
• EU/EEA/UK Dispute: Users in the EEA/UK may lodge a complaint with their local supervisory authority if they believe our data processing is unlawful or violates GDPR/UK GDPR.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. Your continued use of Draco Social after the changes become effective indicates your acceptance of the revised Policy.

13. Contact Us

Draco Social ul. Odrowążów 83/31 44-103 Gliwice, Poland Email: support@draco.social