Privacy Policy
Effective date: May 21, 2026
Last updated: May 21, 2026
Wovea ("we", "our", "us") is a content-automation platform that helps creators and small businesses publish a single idea to multiple social networks. This Privacy Policy explains what personal data we collect when you use Wovea, why we collect it, how we protect it, and which rights you have under applicable data-protection laws (including the EU General Data Protection Regulation and the California Consumer Privacy Act).
1. Controller
Wovea is operated under Spanish law by a Sociedad Limitada (SL) registered in Spain. Full company details are available upon written request via [email protected].
2. Data we collect
2.1 Account data
When you sign up, we store your email address and a hashed password. If you sign up via a third-party identity provider (for example Google or GitHub), we store the basic profile information that provider returns (display name, email, avatar URL).
2.2 Connected social accounts
When you connect a social network (such as LinkedIn, Telegram, Pinterest, Reddit, X/Twitter, YouTube, TikTok, or Meta platforms — Facebook, Instagram, Threads), we store the access token and refresh token issued by that network. These tokens are encrypted at rest with industry-standard AES-256-GCM encryption before being written to our database. We also store basic public profile information needed to display the account inside Wovea (handle, display name, avatar, channel ID).
2.3 Content you create
Posts, drafts, scheduled publications, brand-voice samples, uploaded images, and any other content you create or upload inside Wovea. This content is used solely to provide the service to you and is never sold, licensed, or shared with third parties for advertising or model training.
2.4 Usage data
Standard server logs (IP address, browser user-agent, pages visited, timestamps) and product analytics events (which features you use, error reports). We use this data to operate, secure, and improve the service.
2.5 Billing data
If and when you subscribe to a paid plan, our payment provider collects your name, billing address, and payment method directly. We do not receive or store full card numbers. We receive only a customer reference and the metadata required to manage your subscription.
3. How we use your data
- To create and operate your account.
- To publish content on your behalf to the social networks you have explicitly connected.
- To generate AI-assisted drafts based on the brand voice you configure.
- To send transactional emails (e.g. account verification, payment receipts, security alerts).
- To detect and prevent fraud, abuse, and breaches of our Terms of Service.
- To comply with legal obligations.
We do not use your content to train artificial-intelligence models for any purpose other than personalising the assistant inside your own account.
4. Legal bases (GDPR)
We rely on the following legal bases under Article 6 GDPR:
- Contract performance — to provide the features you signed up for.
- Legitimate interest — to keep the service secure, detect abuse, and improve features.
- Consent — for optional analytics cookies and marketing communications.
- Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
5. Third parties we share data with
To deliver the service, we rely on a small set of trusted infrastructure providers. All sub-processors are bound by data-processing agreements and are located in the European Union, the European Economic Area, or countries that provide an adequate level of protection under Article 45 GDPR (or where transfers are protected by Standard Contractual Clauses). Categories of sub-processors include:
- Secure cloud database hosted in the European Union.
- Encrypted cloud object storage hosted in the European Union.
- Managed virtual private server hosted in the European Union.
- Transactional email delivery service.
- Third-party AI processing partner that operates under standard data-processing terms and does not train models on customer content.
- Payment processor (for paid plans only).
- The social networks you explicitly connect — we transmit your OAuth tokens to those networks to publish content on your behalf.
The exact list of sub-processors is maintained in our Data Processing Agreement (DPA), which we make available to business customers upon request via [email protected].
6. International transfers
Where personal data is transferred outside of the European Economic Area, we rely on adequacy decisions, Standard Contractual Clauses, or your explicit consent. Where you explicitly choose to publish content to a social network whose servers are located outside the EEA (for example, the United States), you authorise that transfer through the act of connecting your account.
7. Retention
- Account data is retained for as long as your account is active and for up to 90 days after deletion to handle billing and abuse-investigation requirements.
- Connected social-account tokens are deleted within 24 hours of you disconnecting the channel or deleting your account.
- Content you create is deleted within 30 days of account deletion. Published posts on third-party networks are not affected by deletion in Wovea — you must delete them on the network directly.
- Server logs are retained for up to 30 days.
- Billing records are retained for the period required by Spanish tax law (6 years).
8. Your rights
Under GDPR and equivalent laws you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your account and associated data.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — limit how we process your data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — withdraw any consent you previously gave.
- Complaint — lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, aepd.es).
To exercise any of these rights, email [email protected]. We respond within 30 days.
9. Security
We protect your data with industry-standard measures, including encryption in transit (TLS 1.2+), encryption at rest for sensitive fields (AES-256-GCM for OAuth tokens), role-based access control, audit logging, and regular security reviews.
10. Children
Wovea is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Cookies
We use a small number of essential cookies to operate the service (authentication, session, security). We do not use third-party advertising cookies. Detailed information is available in our Cookie Notice, accessible from the site footer.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email and post the updated version with a new effective date. Continued use of Wovea after the change constitutes acceptance.
13. Contact
For any privacy-related question, request, or complaint:
- Privacy and data subject requests: [email protected]
- General contact: [email protected]