This Privacy Policy explains how CanPostThis collects, uses, stores and protects your personal data when you use our platform, mobile app or API services.
Last updated: 23 May 2026 · Version 1.2
The controller responsible for the processing of personal data in connection with the CanPostThis platform, mobile application and API services is:
Bastian Bechtle
operating as DieWebAgenten
Teichweg 8, 24119 Kronshagen, Germany
E-Mail: contact@canpostthis.com
Phone: +49 151 40404099
Website: https://www.canpostthis.com
For all data protection enquiries, requests to exercise your rights, or complaints, please contact us at the address above, including "Privacy Request" in the subject line.
This Privacy Policy applies to all personal data processed through:
This policy is designed to comply with the EU General Data Protection Regulation (GDPR / Regulation EU 2016/679), the German Federal Data Protection Act (BDSG), the German Telecommunications-Telemedia Data Protection Act (TTDSG), and the applicable requirements of the Google Play Developer Programme Policies and Apple App Store Review Guidelines.
| Data Category | Examples | When Collected |
|---|---|---|
| Account data | Name, e-mail address, password (hashed) | Registration |
| Profile data | Agency name, role, company website | Onboarding |
| Payment data | Billing address, subscription tier | Checkout (via Stripe) |
| Social handles | Influencer usernames, profile URLs submitted for analysis | During use |
| Support data | Messages, attachments sent to contact@canpostthis.com | Support requests |
| Data Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages visited, features used, timestamps | Service improvement |
| Device data | Device type, OS version, app version, language | Compatibility, crash reporting |
| Network data | IP address (anonymised), browser type | Security, fraud prevention |
| API usage logs | API call timestamps, endpoints, response codes (no payload content) | Rate limiting, billing, abuse detection |
| Crash logs | Stack traces, device state at time of crash | Bug fixing, app stability |
When you submit a social media profile or URL for analysis, CanPostThis retrieves publicly available data from that profile via authorised third-party APIs (see Section 6). This data is used exclusively to compute a trust score for that profile and is not linked to your personal account data unless you explicitly submit your own profile for the Verified Creator badge or EUDI Wallet credential.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the platform and API services | Account data, usage data, submitted profiles | Art. 6(1)(b) — contract performance |
| Processing payments and managing subscriptions | Billing data, account data | Art. 6(1)(b) — contract performance |
| Computing trust scores and generating reports | Submitted social handles, public profile data | Art. 6(1)(b) — contract performance |
| Platform security, abuse prevention, fraud detection | IP address, usage logs, API logs | Art. 6(1)(f) — legitimate interest |
| Service improvement and analytics | Anonymised usage data | Art. 6(1)(f) — legitimate interest |
| Sending transactional e-mails (invoices, alerts) | E-mail address | Art. 6(1)(b) — contract performance |
| Sending marketing communications (newsletter) | E-mail address | Art. 6(1)(a) — consent (opt-in only) |
| Issuing EUDI Wallet Trust Score Attestations | Social handle, trust score, OAuth binding | Art. 6(1)(a) — consent (explicit) |
| Compliance with legal obligations (tax, accounting) | Billing data, transaction records | Art. 6(1)(c) — legal obligation |
Where we process data based on legitimate interests (Art. 6(1)(f) GDPR), we have conducted a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You may object to such processing at any time (see Section 11).
We do not knowingly collect personal data from children under 13. Our services are B2B tools designed for adult professionals in marketing agencies and technology companies. The minimum age to create a CanPostThis account is 18.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at contact@canpostthis.com. We will delete such data promptly upon verification.
Our Android and iOS applications are rated for users aged 13 and above in app store listings, but account creation requires users to be at least 18. The app does not contain content directed at children and does not collect data in a manner designed to appeal to children.
We use the following third-party services to operate CanPostThis. Each acts as a data processor under a written Data Processing Agreement (DPA) or equivalent safeguard:
| Service | Provider | Purpose | Data Shared | Location |
|---|---|---|---|---|
| Social platform APIs | RapidAPI, Inc. (and connected providers) | Retrieving public social profile data for scoring | Social handles submitted for analysis | USA (SCCs in place) |
| YouTube Data API v3 | Google LLC | Comment and channel data retrieval | Channel/video identifiers | USA (Google SCCs) |
| Stripe | Stripe, Inc. | Payment processing, subscription management | Billing address, payment method | USA/EU (SCCs + EU entities) |
| Web hosting & server infrastructure | EU-based hosting provider | Running the platform, storing data | All platform data | Germany 🇩🇪 |
| Google Analytics | Google LLC | Anonymous website usage analytics | Anonymised IP, page visits | USA (consent required) |
| EUDI Wallet Sandbox | SPRIND / BMDS (Germany) | Credential conformance testing | Test credentials only | Germany 🇩🇪 |
We do not sell personal data to third parties. We do not share personal data with advertisers or data brokers.
A full Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag) is available as a self-service download for all API customers who process personal data through the CanPostThis API. This is required under Art. 28 GDPR where CanPostThis processes personal data on your behalf.
Our primary infrastructure is hosted in Germany. However, certain third-party service providers (including RapidAPI, Google LLC and Stripe, Inc.) are based in the United States.
Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:
You may request a copy of the applicable transfer safeguards by contacting us at contact@canpostthis.com.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data (name, email) | Duration of account + 30 days after deletion | Art. 6(1)(b) GDPR / Art. 17 GDPR |
| Transaction and billing records | 10 years | § 147 AO (German Fiscal Code) |
| API usage logs | 90 days (rolling) | Art. 6(1)(f) GDPR — abuse prevention |
| Crash logs and device data | 30 days | Art. 6(1)(f) GDPR — app stability |
| Trust score computation inputs | Not stored beyond computation (ephemeral) | Data minimisation principle |
| Issued EUDI Wallet credentials | Revoked on request or 6-month validity period | Art. 6(1)(a) GDPR / eIDAS 2.0 |
| Support correspondence | 3 years | Art. 6(1)(f) GDPR — legitimate interest |
| Anonymised analytics data | Indefinitely (no personal reference retained) | Not personal data |
After the applicable retention period, data is securely deleted or anonymised. You may request early deletion of your personal data at any time (see Section 11), subject to retention obligations imposed by law.
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Session management, authentication, security tokens | No — required for the service |
| Analytics (Google Analytics) | Anonymous usage statistics with IP anonymisation enabled | Yes — opt-in via cookie banner |
| Preference cookies | Language, UI settings | No — no personal data |
The CanPostThis Android and iOS apps do not use advertising IDs (IDFA/AAID) and do not track users across third-party apps or websites. The app uses anonymous crash reporting (device state only, no personal identifiers) and anonymous usage analytics.
You can opt out of Google Analytics tracking at any time by:
CanPostThis operates as a voluntary, non-qualified Electronic Attestation of Attributes (EAA) Provider within the German EUDI Wallet ecosystem under eIDAS 2.0 (Regulation EU 2024/1183). The following specific privacy principles apply to this service:
Trust Score Attestations are issued exclusively on the basis of explicit, informed consent (Art. 6(1)(a) GDPR). You initiate the process voluntarily by connecting your social media account via OAuth and requesting credential issuance. You may withdraw consent at any time by requesting credential revocation.
All credential attributes support selective disclosure using the SD-JWT mechanism. You control which attributes (e.g. trust_score only, without revealing source_url or sub-scores) are shared with each Relying Party.
CanPostThis does not log, store or process the contents of credential presentations made by you to third-party Relying Parties. Presentation flows use the OpenID4VP protocol and occur directly between your EUDI Wallet and the Relying Party.
You may request immediate revocation of any issued Trust Score Attestation by contacting contact@canpostthis.com. Credentials are also automatically revoked if the underlying trust score falls below a defined threshold or the associated social account is deleted.
Under the GDPR, you have the following rights with respect to your personal data:
| Right | What it means | Article |
|---|---|---|
| Access | Obtain a copy of the personal data we hold about you | Art. 15 GDPR |
| Rectification | Correct inaccurate or incomplete personal data | Art. 16 GDPR |
| Erasure | Request deletion of your personal data ("right to be forgotten") | Art. 17 GDPR |
| Restriction | Restrict processing of your data in certain circumstances | Art. 18 GDPR |
| Portability | Receive your data in a structured, machine-readable format | Art. 20 GDPR |
| Objection | Object to processing based on legitimate interests or direct marketing | Art. 21 GDPR |
| Withdraw consent | Withdraw consent at any time without affecting prior processing | Art. 7(3) GDPR |
| Not to be profiled | Object to automated decision-making with legal or significant effects | Art. 22 GDPR |
To exercise any of these rights, please contact us at contact@canpostthis.com with "Privacy Request" in the subject line. We will respond within 30 days as required by Art. 12 GDPR. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the competent supervisory authority. The supervisory authority responsible for CanPostThis is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
www.datenschutzzentrum.de
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or alteration. These measures include:
Despite these measures, no method of electronic transmission or storage is 100% secure. If you believe your account security has been compromised, please contact us immediately at contact@canpostthis.com.
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or the services we offer. We will notify you of material changes by:
Continued use of CanPostThis after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, please stop using the service and request account deletion.
The current version of this Privacy Policy is always available at: https://www.canpostthis.com/privacy
For all privacy-related requests, complaints or questions:
Bastian Bechtle · DieWebAgenten
Teichweg 8, 24119 Kronshagen, Germany
contact@canpostthis.com
Phone: +49 151 40404099
Please include "Privacy Request" or "Data Protection" in the subject line. We will respond within 30 days (Art. 12 GDPR). For urgent matters relating to account security, include "URGENT" in the subject line.
You may also contact the competent data protection supervisory authority: ULD Schleswig-Holstein · www.datenschutzzentrum.de