Privacy Policy

As a data controller

For information about our customers (account holders, API users, dashboard visitors), SocialRouter is the data controller. We decide why and how this data is processed.

As a data processor

For data extracted via the API on behalf of a customer (for example, public profile information returned by an extraction request), SocialRouter acts as a data processor. The customer is the controller and is responsible for establishing a lawful basis for the processing, providing notice to data subjects where required, and honoring data subject rights requests in respect of that data.

Account information

When you create a SocialRouter account, we collect:

• Email address (for authentication and essential communications)
• Name and optional organization name
• Password (hashed and encrypted, never stored in plain text) or OAuth provider identifier
• API keys generated by you (stored hashed; the plaintext value is shown once at creation)
• Account creation and last login timestamps
• User unique identifiers (UUIDs)

Usage and billing data

To operate the platform and bill usage accurately, we collect:

• Extraction logs (timestamp, target URL, extraction type, provider used, status, latency, credits consumed)
• Credit balance and ledger entries
• Stripe customer ID and subscription/payment metadata (we never store full card numbers)
• Invoice and tax records
• Rate-limit and abuse-prevention counters

Extraction data (processor role)

When you submit an extraction request, the URL you send is forwarded to a third-party data provider, which returns public profile information about the data subjects on that page. This data may include:

• Name, headline, job title, employer, location
• Public profile URL and avatar URL
• Counts of public interactions (likes, comments, follows)
• Other public fields exposed by the source platform

Extraction results are stored only for the time strictly necessary to deliver and cache them (see Data Retention). SocialRouter does not enrich this data, does not append contact information (email, phone), and does not use it for any purpose other than fulfilling and caching the customer's request.

Telemetry and security data

To maintain and protect the Services, we collect:

• IP address, user agent, and request metadata for security and rate limiting
• Error logs and stack traces
• Performance metrics and request tracing
• Product analytics events (page views, feature usage) via PostHog

Service delivery

Legal basis: Contract performance — Article 6(1)(b) GDPR

• Authenticate API requests and manage sessions
• Route extraction requests to the appropriate provider and return normalized results
• Cache results to deliver faster responses and lower costs
• Process subscription payments and credit purchases
• Provide the dashboard and account management tools

Service improvement

Legal basis: Legitimate interest — Article 6(1)(f) GDPR

• Monitor system performance, reliability, and provider health
• Identify and fix bugs and technical issues
• Develop new features, providers, and routing strategies
• Analyze aggregated usage patterns

Security and abuse prevention

Legal basis: Legitimate interest — Article 6(1)(f) GDPR

• Detect and prevent unauthorized access and credential abuse
• Enforce rate limits and detect anomalous extraction patterns
• Protect platform integrity and customer data
• Investigate violations of our Terms of Service

Communications

Legal basis: Legitimate interest — Article 6(1)(f) GDPR

• Send transactional emails (password resets, security alerts, billing notifications)
• Notify you of incidents, deprecations, or material changes to the Services
• Respond to support requests

Legal compliance

Legal basis: Legal obligation — Article 6(1)(c) GDPR

• Retain billing records for tax and accounting requirements (typically 10 years in France)
• Respond to lawful requests from authorities
• Comply with applicable data protection and consumer protection laws

Third-party service providers

We share information with trusted service providers who help us deliver the platform. All processors operate under GDPR-compliant Data Processing Agreements where applicable.

The full, up-to-date list of data providers is available at /providers. Each request is routed to one provider only; the providers not used for a given request never see the request data.

Legal requirements

We may disclose your information when required by law or to:

• Comply with legal processes (subpoenas, court orders)
• Respond to lawful requests from government authorities
• Protect our rights, property, or safety
• Prevent fraud or abuse of the platform

No sale of personal data

SocialRouter does not sell, rent, or trade your personal information to third parties for their marketing purposes.

Information we collect (CCPA categories)

• Identifiers: Email addresses, names, account IDs, IP addresses, API keys
• Commercial information: Subscription records, payment history, credit purchases
• Internet or network activity: Request logs, error logs, usage analytics
• Professional information: Public profile data extracted on behalf of customers

Your California privacy rights

• Right to know: Request disclosure of what personal information we collect, use, and share
• Right to delete: Request deletion of your personal information
• Right to correct: Request correction of inaccurate personal information
• Right to non-discrimination: We will not discriminate against you for exercising your rights