Privacy Policy
Last updated: 1 May 2026
1. Who operates this service
Social Hub ("the Service", "we", "us") is a private, multi-tenant social media management workspace accessible at app.smm-post.com. The Service is operated by Marcus Altenburg (Switzerland) as a sole proprietor for internal use and select invited clients. Marcus Altenburg acts as the data controller under the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR). Contact: altenburg.swiss@gmail.com.
2. Account and authentication data
When a workspace administrator creates a Social Hub login, we store the user’s email address and a salted Argon2id hash of the chosen password. We never store passwords in plain text. Session cookies (sh_at, sh_rt, sh_csrf) are signed with HS256 and scoped to .smm-post.com with the Secure and HttpOnly flags. Sessions expire automatically after a period of inactivity.
3. Connected social accounts
To publish on a user’s behalf, Social Hub asks the user to authorize a third-party provider through a standard OAuth 2.0 authorization-code flow. Supported providers are LinkedIn, Facebook, Instagram, Pinterest, and Threads; not every deployment configures every provider. The provider returns access and refresh tokens, which we store encrypted at rest using authenticated symmetric encryption (Fernet/AES-128-CBC with HMAC-SHA256). The encryption key is derived from a server-side master key that is not stored in the database. We retain only the minimum data needed to publish: the encrypted tokens, the provider’s account identifier, the granted scope, and the token expiry timestamp.
Tokens are never transmitted to any party other than the original provider, and only when sending a publishing request you have explicitly initiated. You can revoke Social Hub’s access at any time, either inside the provider’s settings or by deleting the corresponding account in Social Hub, which cascades to a permanent deletion of the encrypted tokens.
4. Content data
Social Hub stores the content you create or import:
- Post drafts, scheduled posts, and published posts associated with each connected account.
- News inbox items fetched from RSS feeds and HTML pages that you register as content sources, including titles, summaries, source URLs, and timestamps.
- Per-account configuration such as language, timezone, system prompt, custom playbook, and brand-voice description.
Content data is retained until the user or workspace administrator deletes it, or until the entire account is deleted, in which case all associated rows are removed by database-level cascade.
5. Operational logs
We keep an internal audit log of administrative actions (account creation, source changes, post lifecycle transitions, OAuth connects and disconnects). Each row contains the actor user identifier, the action verb, the affected entity, a small JSON payload describing the change, the request IP address, and a timestamp. Audit rows are retained for service operation and security review and are not shared with third parties.
Application servers may also log standard request metadata (path, HTTP method, status code, duration) for diagnostic purposes. These logs are not correlated with content data and are rotated regularly.
6. Hosting and data location
Application data (PostgreSQL database and Redis cache) is hosted on servers physically located in Switzerland. Static assets and the frontend bundle are delivered through Cloudflare’s global edge network. Backup snapshots, where retained, are stored in Cloudflare R2 with at-rest encryption.
7. Third parties
- Social media providers: LinkedIn, Meta Platforms (Facebook, Instagram, Threads), and Pinterest receive the OAuth-authorized requests you initiate for publishing posts and reading the public profile data needed to display the connected account. Each provider’s own privacy policy applies to data processed on their side. We do not send any provider data outside the scope of an explicit user-initiated action.
- Cloudflare: serves the frontend and terminates TLS at the edge. Cloudflare may temporarily process request headers for routing and security purposes.
- RSS / HTML source publishers: we fetch the URLs you register as sources. The User-Agent identifies the request as Social-Hub/0.1.
8. Your rights
Subject to the FADP and the GDPR (where applicable), you have the right to access the personal data we hold about you, to request correction or deletion, to object to or restrict our processing of it, and to receive a portable copy. Please direct requests to altenburg.swiss@gmail.com and we will respond within 30 days.
9. Cookies
Social Hub uses three first-party cookies (sh_at, sh_rt, sh_csrf) strictly for session management and CSRF protection. We do not use advertising, analytics, or third-party tracking cookies.
10. Changes to this policy
We may update this policy as the Service evolves. Material changes will be communicated to active users and will be reflected in the “Last updated” date at the top of this page.
For any questions about this policy or how we handle your data, contact altenburg.swiss@gmail.com.