CanPostThis

Privacy Policy

This Privacy Policy explains how CanPostThis collects, uses, stores and protects your personal data when you use our platform, mobile app or API services.

Last updated: 23 May 2026 · Version 1.2

Contents

  1. Controller & Contact
  2. Scope of this Policy
  3. Data We Collect
  4. Purposes & Legal Bases
  5. Children's Privacy
  6. Third-Party Services
  7. International Data Transfers
  8. Data Retention
  9. Cookies & Tracking
  10. EUDI Wallet & Credentials
  11. Your Rights
  12. Security
  13. Changes to this Policy
  14. Contact & Complaints

1 Controller & Contact

The controller responsible for the processing of personal data in connection with the CanPostThis platform, mobile application and API services is:

Bastian Bechtle
operating as DieWebAgenten
Teichweg 8, 24119 Kronshagen, Germany
E-Mail: contact@canpostthis.com
Phone: +49 151 40404099
Website: https://www.canpostthis.com

For all data protection enquiries, requests to exercise your rights, or complaints, please contact us at the address above, including "Privacy Request" in the subject line.

2 Scope of this Policy

This Privacy Policy applies to all personal data processed through:

This policy is designed to comply with the EU General Data Protection Regulation (GDPR / Regulation EU 2016/679), the German Federal Data Protection Act (BDSG), the German Telecommunications-Telemedia Data Protection Act (TTDSG), and the applicable requirements of the Google Play Developer Programme Policies and Apple App Store Review Guidelines.

3 Data We Collect

3.1 Data You Provide Directly

Data Category | Examples | When Collected
Account data | Name, e-mail address, password (hashed) | Registration
Profile data | Agency name, role, company website | Onboarding
Payment data | Billing address, subscription tier | Checkout (via Stripe)
Social handles | Influencer usernames, profile URLs submitted for analysis | During use
Support data | Messages, attachments sent to contact@canpostthis.com | Support requests

3.2 Data Collected Automatically

Data Category | Examples | Purpose
Usage data | Pages visited, features used, timestamps | Service improvement
Device data | Device type, OS version, app version, language | Compatibility, crash reporting
Network data | IP address (anonymised), browser type | Security, fraud prevention
API usage logs | API call timestamps, endpoints, response codes (no payload content) | Rate limiting, billing, abuse detection
Crash logs | Stack traces, device state at time of crash | Bug fixing, app stability

3.3 Data from Third-Party Social Platforms

When you submit a social media profile or URL for analysis, CanPostThis retrieves publicly available data from that profile via authorised third-party APIs (see Section 6). This data is used exclusively to compute a trust score for that profile and is not linked to your personal account data unless you explicitly submit your own profile for the Verified Creator badge or EUDI Wallet credential.

We do not scrape, harvest or store personal data from social media profiles beyond what is strictly necessary to compute the requested trust score.

4 Purposes & Legal Bases

Purpose | Data Used | Legal Basis (GDPR)
Providing the platform and API services | Account data, usage data, submitted profiles | Art. 6(1)(b) — contract performance
Processing payments and managing subscriptions | Billing data, account data | Art. 6(1)(b) — contract performance
Computing trust scores and generating reports | Submitted social handles, public profile data | Art. 6(1)(b) — contract performance
Platform security, abuse prevention, fraud detection | IP address, usage logs, API logs | Art. 6(1)(f) — legitimate interest
Service improvement and analytics | Anonymised usage data | Art. 6(1)(f) — legitimate interest
Sending transactional e-mails (invoices, alerts) | E-mail address | Art. 6(1)(b) — contract performance
Sending marketing communications (newsletter) | E-mail address | Art. 6(1)(a) — consent (opt-in only)
Issuing EUDI Wallet Trust Score Attestations | Social handle, trust score, OAuth binding | Art. 6(1)(a) — consent (explicit)
Compliance with legal obligations (tax, accounting) | Billing data, transaction records | Art. 6(1)(c) — legal obligation

Where we process data based on legitimate interests (Art. 6(1)(f) GDPR), we have conducted a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You may object to such processing at any time (see Section 11).

5 Children's Privacy

CanPostThis is not directed at children under the age of 13 (or under 16 in the European Union where applicable national law requires a higher age threshold).

We do not knowingly collect personal data from children under 13. Our services are B2B tools designed for adult professionals in marketing agencies and technology companies. The minimum age to create a CanPostThis account is 18.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at contact@canpostthis.com. We will delete such data promptly upon verification.

Our Android and iOS applications are rated for users aged 13 and above in app store listings, but account creation requires users to be at least 18. The app does not contain content directed at children and does not collect data in a manner designed to appeal to children.

6 Third-Party Services & Data Processors

We use the following third-party services to operate CanPostThis. Each acts as a data processor under a written Data Processing Agreement (DPA) or equivalent safeguard:

Service | Provider | Purpose | Data Shared | Location
Social platform APIs | RapidAPI, Inc. (and connected providers) | Retrieving public social profile data for scoring | Social handles submitted for analysis | USA (SCCs in place)
YouTube Data API v3 | Google LLC | Comment and channel data retrieval | Channel/video identifiers | USA (Google SCCs)
Stripe | Stripe, Inc. | Payment processing, subscription management | Billing address, payment method | USA/EU (SCCs + EU entities)
Web hosting & server infrastructure | EU-based hosting provider | Running the platform, storing data | All platform data | Germany 🇩🇪
Google Analytics | Google LLC | Anonymous website usage analytics | Anonymised IP, page visits | USA (consent required)
EUDI Wallet Sandbox | SPRIND / BMDS (Germany) | Credential conformance testing | Test credentials only | Germany 🇩🇪

We do not sell personal data to third parties. We do not share personal data with advertisers or data brokers.

A full Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag) is available as a self-service download for all API customers who process personal data through the CanPostThis API. This is required under Art. 28 GDPR where CanPostThis processes personal data on your behalf.

7 International Data Transfers

Our primary infrastructure is hosted in Germany. However, certain third-party service providers (including RapidAPI, Google LLC and Stripe, Inc.) are based in the United States.

Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

You may request a copy of the applicable transfer safeguards by contacting us at contact@canpostthis.com.

8 Data Retention

Data Category | Retention Period | Legal Basis
Account data (name, email) | Duration of account + 30 days after deletion | Art. 6(1)(b) GDPR / Art. 17 GDPR
Transaction and billing records | 10 years | § 147 AO (German Fiscal Code)
API usage logs | 90 days (rolling) | Art. 6(1)(f) GDPR — abuse prevention
Crash logs and device data | 30 days | Art. 6(1)(f) GDPR — app stability
Trust score computation inputs | Not stored beyond computation (ephemeral) | Data minimisation principle
Issued EUDI Wallet credentials | Revoked on request or 6-month validity period | Art. 6(1)(a) GDPR / eIDAS 2.0
Support correspondence | 3 years | Art. 6(1)(f) GDPR — legitimate interest
Anonymised analytics data | Indefinitely (no personal reference retained) | Not personal data

After the applicable retention period, data is securely deleted or anonymised. You may request early deletion of your personal data at any time (see Section 11), subject to retention obligations imposed by law.

9 Cookies & Tracking Technologies

9.1 Types of Cookies Used

Category | Purpose | Consent Required
Strictly necessary | Session management, authentication, security tokens | No — required for the service
Analytics (Google Analytics) | Anonymous usage statistics with IP anonymisation enabled | Yes — opt-in via cookie banner
Preference cookies | Language, UI settings | No — no personal data

9.2 Mobile App

The CanPostThis Android and iOS apps do not use advertising IDs (IDFA/AAID) and do not track users across third-party apps or websites. The app uses anonymous crash reporting (device state only, no personal identifiers) and anonymous usage analytics.

9.3 Opting Out of Analytics

You can opt out of Google Analytics tracking at any time by:

10 EUDI Wallet & Trust Score Credentials

CanPostThis operates as a voluntary, non-qualified Electronic Attestation of Attributes (EAA) Provider within the German EUDI Wallet ecosystem under eIDAS 2.0 (Regulation EU 2024/1183). The following specific privacy principles apply to this service:

10.1 Consent-Based Issuance

Trust Score Attestations are issued exclusively on the basis of explicit, informed consent (Art. 6(1)(a) GDPR). You initiate the process voluntarily by connecting your social media account via OAuth and requesting credential issuance. You may withdraw consent at any time by requesting credential revocation.

10.2 Selective Disclosure

All credential attributes support selective disclosure using the SD-JWT mechanism. You control which attributes (e.g. trust_score only, without revealing source_url or sub-scores) are shared with each Relying Party.

10.3 No Logging of Presentations

CanPostThis does not log, store or process the contents of credential presentations made by you to third-party Relying Parties. Presentation flows use the OpenID4VP protocol and occur directly between your EUDI Wallet and the Relying Party.

10.4 Revocation

You may request immediate revocation of any issued Trust Score Attestation by contacting contact@canpostthis.com. Credentials are also automatically revoked if the underlying trust score falls below a defined threshold or the associated social account is deleted.

Trust Score Attestations are non-qualified EAAs. They are not issued by a qualified trust service provider (QTSP) and do not carry the same legal equivalence as qualified attestations under Art. 45b eIDAS. They represent a voluntary, cryptographically signed trust signal.

11 Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

Right | What it means | Article
Access | Obtain a copy of the personal data we hold about you | Art. 15 GDPR
Rectification | Correct inaccurate or incomplete personal data | Art. 16 GDPR
Erasure | Request deletion of your personal data ("right to be forgotten") | Art. 17 GDPR
Restriction | Restrict processing of your data in certain circumstances | Art. 18 GDPR
Portability | Receive your data in a structured, machine-readable format | Art. 20 GDPR
Objection | Object to processing based on legitimate interests or direct marketing | Art. 21 GDPR
Withdraw consent | Withdraw consent at any time without affecting prior processing | Art. 7(3) GDPR
Not to be profiled | Object to automated decision-making with legal or significant effects | Art. 22 GDPR

To exercise any of these rights, please contact us at contact@canpostthis.com with "Privacy Request" in the subject line. We will respond within 30 days as required by Art. 12 GDPR. We may ask you to verify your identity before processing your request.

You also have the right to lodge a complaint with the competent supervisory authority. The supervisory authority responsible for CanPostThis is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
www.datenschutzzentrum.de

12 Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or alteration. These measures include:

Despite these measures, no method of electronic transmission or storage is 100% secure. If you believe your account security has been compromised, please contact us immediately at contact@canpostthis.com.

13 Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or the services we offer. We will notify you of material changes by:

Continued use of CanPostThis after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, please stop using the service and request account deletion.

The current version of this Privacy Policy is always available at: https://www.canpostthis.com/privacy

14 Contact & Complaints

Data Protection Contact

For all privacy-related requests, complaints or questions:

Bastian Bechtle · DieWebAgenten
Teichweg 8, 24119 Kronshagen, Germany
contact@canpostthis.com
Phone: +49 151 40404099

Please include "Privacy Request" or "Data Protection" in the subject line. We will respond within 30 days (Art. 12 GDPR). For urgent matters relating to account security, include "URGENT" in the subject line.

You may also contact the competent data protection supervisory authority: ULD Schleswig-Holstein · www.datenschutzzentrum.de