This Privacy Policy describes how Darkalitics collects, uses and protects your personal information. We comply with the EU General Data Protection Regulation (GDPR) and apply the same standards globally.
1. Data We Collect
1.1 Account Data
- Email, name, hashed password
- Agency name, timezone, logo (optional)
- Billing information managed by Stripe (we do not store card data)
1.2 Analytics Data
- Public Instagram data (handles, posts, reels, metrics) via HikerAPI
- OnlyFans data (subs, revenue) via Infloww — only when you connect your account
- Link click data (countries, devices, referrers) via GetMySocial
1.3 Technical Data
- Access logs (IP, user agent, timestamps) for security
- Usage events (which pages you visit, which features you use) to improve the product
2. Legal Basis for Processing (GDPR)
- Performance of contract — to provide the Service.
- Legitimate interest — security, fraud prevention, product improvement.
- Legal obligations — invoicing, AML, response to judicial requests.
- Consent — marketing emails (explicit opt-in).
3. Subprocessors
We share data with the following providers strictly to deliver the Service:
- Supabase (DB + Auth) — US/EU
- Vercel (hosting) — Global
- Stripe (payments) — US/EU
- Resend (email) — US/EU
- Anthropic (AI / Ask Claude) — US
- HikerAPI (Instagram scraping) — EU
- Infloww (OnlyFans analytics, optional) — EU
- GetMySocial (link tracking, optional) — Global
DPA details and security measures for each subprocessor are at /dpa.
4. Retention
We retain your data while your account is active. After cancellation, data is kept for 30 days for reactivation. After that it is permanently deleted, except records we must retain by legal obligation (billing, tax: up to 6 years in Spain).
5. Your GDPR Rights
You have the right to:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate data.
- Erasure ("right to be forgotten"): request deletion.
- Portability: export your data in a structured format (JSON).
- Objection: object to processing based on legitimate interest.
- Restriction: request restriction while a dispute is resolved.
- Withdraw consent: at any time for consent-based processing.
To exercise any of these rights, email privacy@darkalitics.com. We respond within 30 days.
6. Cookies
We use strictly necessary cookies (session, language preference, theme) and internal analytics (anonymised via Vercel Analytics and Speed Insights). We do not use third-party advertising tracking cookies.
7. Security
- Encryption in transit (TLS 1.3) and at rest (AES-256 on Supabase).
- Multi-tenant Row-Level Security: no agency can see another's data.
- Bcrypt-hashed passwords; never stored in clear text.
- Admin panel access restricted by 2FA.
8. International Transfers
Some subprocessors are based in the US. For EU → US transfers we rely on Standard Contractual Clauses (SCC) approved by the European Commission, or on the Data Privacy Framework where the subprocessor is certified.
9. Minors
The Service is not directed at children under 18 and we do not knowingly collect their data. If we identify an account belonging to a minor, we will delete it immediately.
10. Updates
We may update this Policy. Material changes will be notified by email at least 14 days before they take effect.
11. Contact & DPO
General email: privacy@darkalitics.com
For complaints you can contact the Spanish Data Protection Agency (AEPD) or your local data protection authority.