Legal
Privacy Policy
Last updated: May 7, 2026 · Version 1.0
Dutch version is legally authoritative.
1. Who are we?
Short-Post is a trade name of Biz-View, a sole proprietorship (eenmanszaak) registered with the Dutch Chamber of Commerce (KVK) under number 99865017.
Address: Professor Holwerdalaan 70, 2672 LG Naaldwijk, Nederland
Email: info@short-post.com
We are the data controller under the GDPR for all personal data processed through the Short-Post app and website.
Data Protection Officer (DPO): We are not required to appoint a DPO given the scale of our processing. For all privacy questions please contact us at info@short-post.com.
2. What data do we collect?
2.1 Account data
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Identification, communication, billing | Contract performance |
| Name (optional) | Profile personalisation, only processed if you fill it in | Consent |
| Profile photo (optional) | Display in the app, only processed if you upload it | Consent |
| Plan (Free / Pro / Max) | Service delivery, access control | Contract performance |
| Stripe customer ID | Payment linkage, payment data itself is not stored by us | Contract performance |
| Language preference | Show correct language version | Legitimate interest |
| Onboarding status | Track setup progress | Contract performance |
2.2 Workspace data
Name, description, plan type, creation date, and owner reference. Everything is permanently deleted when your account or workspace is deleted (cascade delete).
2.3 Connected social media accounts
We do not store OAuth tokens or login credentials. We only store the reference ID that Bundle Social assigns to the connected account. Authentication credentials are managed entirely by Bundle Social.
2.4 Scheduled and published posts
Caption, hashtags, media URL (file stored in Supabase Storage), scheduled time, platform, status, and Bundle Social post ID after publishing. Media files remain in Supabase Storage until you delete them or your account is deleted.
2.5 Post analysis results
When you use the pre-publish analysis feature we store: the media path, analysis feedback (text), and platform scores. This data is linked to your account, is only accessible to you via Row Level Security, and is retained until you delete it or your account is deleted.
2.6 Content ideas and scraped posts
Via Apify we scrape publicly visible social media posts (URL, views, likes, caption, thumbnail) to generate content ideas for you. This processing is based on legitimate interest: it is necessary for a core feature of the service, the data is publicly available, and we only process non-sensitive statistics without private user data. The data is linked to your workspace and deleted when the workspace or account is deleted.
2.7 AI processing via MindStudio
Content ideas are generated via MindStudio. The input (scraped post data) and output (ideas) are not used for AI model training, as per our data processing agreement with MindStudio. There is no automated decision-making with legal effects or significant impact within the meaning of GDPR Art. 22.
2.8 Usage and analytics
Number of AI feature uses per billing period (for plan limits). Analytics snapshots of post statistics for performance insights.
2.9 Website analytics (Google Analytics 4)
On our marketing website we use Google Analytics 4. IP anonymisation is enabled by default in GA4. Data sharing with Google for advertising purposes is disabled. Cookies are only placed after you have given consent via the cookie banner (prior consent). See section 5 for cookie details.
3. How do we use your data?
- Providing and improving the Short-Post service
- Managing your account and subscription
- Processing payments via Stripe
- Sending transactional emails (confirmations, password resets)
- Technical support and customer service
- Compliance with legal obligations
- Anonymous website usage analysis (Google Analytics 4)
We never sell your personal data to third parties and do not use it for profiling or automated decision-making with legal effects.
4. Who do we share your data with? (incl. transfers outside the EU)
We use the following sub-processors. Where data is transferred outside the EEA, we specify the applicable safeguard mechanism:
| Party | Location | Purpose | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | US + EU (Frankfurt) | Database, authentication, file storage | EU-US Data Privacy Framework (DPF) + SCCs; EU region configured |
| Stripe Inc. | US + IE | Payment processing | EU-US Data Privacy Framework (DPF) |
| Google LLC | US + EU | Google Analytics 4 (website) | EU-US Data Privacy Framework (DPF) |
| Bundle Social | EU | Publishing to social media platforms | Within EEA, no transfer |
| Apify Technologies s.r.o. | Czech Republic (EU) | Scraping public posts for content ideas | Within EEA, no transfer |
| MindStudio (YouAI Inc.) | US | AI content idea generation | Standard Contractual Clauses (SCCs, GDPR Art. 46(2)(c)) |
All sub-processors have entered into a Data Processing Agreement (DPA) with us, or have a published DPA that applies to the use of their services.
5. Cookies
| Cookie | Category | Retention | Purpose |
|---|---|---|---|
| Supabase auth session | Necessary | Session / 1 year | Login and session management, required for the app to function |
| _ga | Analytical | 2 years | Google Analytics 4, distinguish users |
| _ga_* | Analytical | 2 years | Google Analytics 4, session state |
Analytical cookies are only placed after you have given consent via the cookie banner (prior consent). Necessary cookies are active as soon as you use the app. You can withdraw analytical consent at any time via the cookie settings in the website footer.
GA4 is configured with: IP anonymisation enabled (GA4 default), data sharing with Google for advertising purposes disabled.
6. Retention periods
| Data | Retention period |
|---|---|
| Account data (profile, settings) | Until account deletion, then immediately removed |
| Posts and media files | Until account or workspace deletion |
| Post analysis results | Until account deletion |
| Content ideas / scraped posts | Until workspace or account deletion |
| Payment data (Stripe) | Retained by Stripe per their policy (typically 7 years for tax obligations) |
| Google Analytics | Default 14 months (anonymised) |
| Log files | Maximum 90 days |
7. Your rights (GDPR)
- Right of access – Request a copy of the data we hold about you.
- Right to rectification – Request correction of inaccurate data.
- Right to erasure – Request deletion of your data. You can also delete your account directly in the app settings, after which all data is immediately removed.
- Right to restriction – Request that processing be temporarily restricted.
- Right to data portability – Request an export of your data.
- Right to object – Object to processing based on legitimate interests (such as Apify scraping).
- Right to withdraw consent – Withdraw consent for optional data (name, profile photo, analytical cookies) at any time without affecting the service.
Send your request to info@short-post.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
8. Security
We implement the following technical and organisational measures:
- Encryption of data in transit (HTTPS/TLS 1.2+)
- Encryption of data at rest via Supabase (AES-256)
- Row Level Security (RLS) on all database tables, users can only access their own data
- No storage of payment data or OAuth tokens on our own servers
- API keys stored exclusively server-side in Supabase Secrets, never in client code
- Restricted access to production environments (least-privilege principle)
- Periodic review of security settings and access rights
9. Data breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours, in accordance with GDPR Art. 33. If the breach is likely to result in a high risk to individuals, we will also notify affected individuals as soon as possible, in accordance with GDPR Art. 34.
If you suspect a security issue, please contact us immediately at info@short-post.com.
10. Minors
Short-Post is not intended for persons under the age of 16. We do not knowingly collect personal data from minors. If you believe we have received data from a minor, please contact us at info@short-post.com and we will delete it immediately.
11. Changes
We may update this privacy policy. For material changes we will send an email notification to registered users and/or show a notice in the app. The "Last updated" date at the top of this document indicates the current version.
12. Contact
Biz-View trading as Short-Post
Professor Holwerdalaan 70, 2672 LG Naaldwijk, Nederland
KVK: 99865017
Email: info@short-post.com