Privacy Policy
Last updated: March 2026
1. Introduction
Share.cy (“we”, “our”, “us”) is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR). By using the Share.cy platform, you agree to the collection and use of information in accordance with this policy.
Share.cy is operated by Share.cy Ltd, a company registered in Cyprus. We help businesses and individuals schedule, publish, and analyse social media content across multiple platforms from a single dashboard.
2. Information We Collect
We collect the following categories of personal data:
- Account information — Your name, email address, and password hash provided during registration.
- Usage data — Anonymised information about how you interact with the platform, collected via Plausible Analytics (cookieless, no personal identifiers).
- Content you create — Social media posts, captions, images, and other media you draft or schedule through Share.cy.
- Payment information — Billing is processed securely by Stripe. We do not store your card number or full payment details on our servers.
- Connected account tokens — Encrypted OAuth tokens for social media platforms you connect to Share.cy.
- Support communications — Messages and tickets submitted through our help channels.
3. How We Use Your Data
We use your personal data to:
- Provide and maintain the Share.cy service, including scheduling and publishing content to your connected social media accounts.
- Improve the product through anonymised usage analytics and internal research.
- Communicate with you about your account, service updates, security alerts, and support requests.
- Process payments and manage your subscription via Stripe.
- Comply with legal obligations, including tax, financial, and regulatory requirements.
4. Legal Basis for Processing
Under the GDPR, we rely on the following legal bases:
Consent (Article 6(1)(a))
Marketing communications, newsletter subscriptions, and optional analytics cookies rely on your explicit consent, which you may withdraw at any time.
Contract Performance (Article 6(1)(b))
Account management, service delivery, and payment processing are necessary for the performance of our contract with you.
Legitimate Interests (Article 6(1)(f))
Security monitoring, fraud prevention, and service improvement are based on our legitimate interests, balanced against your rights and freedoms.
5. Data Sharing
We do not sell your personal data. We share data only with the following sub-processors who help us deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) |
| Stripe | Payment processing | US (EU SCCs) |
| Anthropic | AI content generation | US (EU SCCs) |
| Vercel | Application hosting & CDN | US (EU SCCs) |
| Resend | Transactional email | US (EU SCCs) |
| Plausible | Privacy-friendly analytics | EU |
6. Data Retention
We retain your personal data for as long as necessary to provide the service and comply with legal obligations:
- Active account data is retained for the duration of your subscription.
- Data is permanently deleted 30 days after account closure, unless a longer retention period is required by law.
- Payment records and invoices are retained for 7 years to comply with EU tax regulations.
- Security event logs are retained for 90 days.
7. Your Rights
Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data (“right to be forgotten”).
- Right to restrict processing — Request that we limit how we use your data.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests or direct marketing.
To exercise any of these rights, please contact our Data Protection Officer at dpo@share.cy.
9. International Transfers
Share.cy is headquartered in Cyprus and your data is primarily processed within the EU. Where personal data is transferred to sub-processors outside the European Economic Area (EEA), we ensure adequate protection through EU Standard Contractual Clauses (SCCs) as approved by the European Commission. You may request a copy of the relevant SCCs by contacting our Data Protection Officer.
10. Security
We take the security of your data seriously and implement industry-standard measures including:
- Encryption in transit and at rest — All data is encrypted using TLS 1.3 in transit and AES-256 at rest.
- Access controls — Strict role-based access controls limit who can access personal data internally.
- Regular audits — We conduct periodic security reviews and penetration tests.
- Incident response — We have procedures in place to detect, respond to, and notify you of data breaches within the 72-hour GDPR requirement.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email to the address associated with your account at least 30 days before changes take effect. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact our Data Protection Officer: