Legal

Privacy statement

How we process personal data, the rights you have and how to reach us. Transparent, GDPR-compliant and aligned with the Google API Services User Data Policy.

Version: 7 June 2026

1. About this statement

Social Media Tools ("we", "us", "Senly") provides a SaaS platform that allows marketing agencies to manage their client relationships, content, scheduling, appointments, email communication, marketing and reporting. In this statement we explain which personal data we process, why, for how long, with whom we share it and which rights you have.

We act as a processor within the meaning of the GDPR. The marketing agency that uses the portal is the controller for the personal data of its own end clients. We are happy to conclude a data processing agreement (DPA) with each agency on request.

For data we collect directly from you as an agency (account, payments, support) we act as controller.

2. Which data do we process?

CategoryExamplesPurpose
Account dataName, email address, password hash, role, language, avatarAuthentication, access control, personalisation
Company dataCompany name, logo, colours, domain, contact personWhite-label portal and invoicing
End client dataCompany name, contact person, email, notes, subscription stageCRM functionality within the portal
ContentDesigns (Canva/Metricool), captions, files, posts, calendarsContent and scheduling management
Payment dataStripe customer ID, subscription status, billing address, currency (EUR/USD)Subscription billing via Stripe
OAuth tokensEncrypted access and refresh tokens from Google, Microsoft, LinkedIn, Facebook, etc.Authorised API calls on behalf of the connected user
Email dataConnected Gmail/Outlook/IMAP accounts, emails sent and received within the portal, signaturesEmail functionality in the portal
Calendar dataConnected Google/Outlook calendars, available time slots, bookings via the public booking pageAppointment management and calendars
Insights dataStatistics from Google Analytics, Search Console and Business Profile as connected by the userDashboard widgets and AI summaries
Log dataIP address, timestamp, action, user agentSecurity, debugging and audit log
Session dataJWT token, language cookie (portal_locale)Staying signed in, remembering language preference
Marketing trackingCookieless tracker (anonymised), UTM parameters, signup quiz answersInsight into which campaigns generate leads
Social session cookiesAuth cookies from LinkedIn, Facebook, TikTok, Instagram — only when you explicitly click "Connect" via the Senly ConnectorRunning automation features on behalf of your agency

3. Google API Services and the Google API Services User Data Policy

When you connect your Google account through Senly, the use of your Google data is governed by the Google API Services User Data Policy, including the Limited Use requirements. Below we explain exactly which Google services Senly accesses and what we do — and do not do — with your data.

3.1 Which Google scopes does Senly request?

  • userinfo.email — to display which Google account you are connected with.
  • drive — to fetch and display your client folders (designs, files) within the client profile. Senly only writes when you explicitly perform an upload from the portal.
  • analytics.readonly — read-only access to Google Analytics 4 reports for the property you select, to display them as dashboard widgets.
  • webmasters.readonly — read-only access to Search Console statistics (clicks, impressions, positions, queries) for the site you select.
  • business.manage — reading your own Google Business Profile statistics (search impressions, phone clicks, direction requests). Senly never modifies your Business Profile.
  • gmail.send / gmail.modify (only if you connect Gmail) — to send and read emails from within the portal on behalf of the connected account.
  • calendar (only if you connect Google Calendar) — to display available time slots on your public booking page and add bookings to your calendar.

3.2 What do we do with your Google data?

We use your Google data solely to deliver the Senly functionality you request:

  • Statistics (Analytics, Search Console, Business Profile) are shown as charts and numbers in your dashboard widgets. We do not merge Google data with other users, and we do not combine data across tenants.
  • Drive files are shown in the client profile. We never copy them to our own storage without your explicit instruction.
  • Emails (Gmail) are shown in the portal email feature for the user who connected the account.
  • Calendar data (Google Calendar) is used to read "busy" times and add confirmed bookings to your calendar.

3.3 What do we NOT do with your Google data?

  • We never use Google data for advertising or marketing purposes towards third parties.
  • We never sell or rent Google data to third parties.
  • We do not train AI models on your Google data. AI summaries are generated per request; the data is not used for model training after being sent to the AI provider (see section 5).
  • We do not share Google data with other tenants; multi-tenant isolation guarantees that agency A can never see data from agency B.
  • We do not use Google data for research or profile building beyond the specific feature you consented to.

3.4 Retention of Google data

  • OAuth tokens are stored encrypted until you disconnect via Senly or revoke your consent at myaccount.google.com/permissions.
  • Statistics (GA/GSC/GBP) are cached for at most 10 minutes per time period to save quota. AI summaries are cached for 24 hours.
  • Gmail emails are displayed locally in your portal; we do not store a full copy beyond what is necessary for the feature.
  • Calendar bookings are retained for as long as you use Senly, with an audit log for 12 months.

3.5 How do you disconnect?

You can disconnect in two ways:

  • Inside Senly: go to Integrations → Website & findability (or the relevant integration page) and click "Disconnect". Tokens are removed immediately.
  • At Google: go to myaccount.google.com/permissions and remove access for Senly.

4. Senly Connector Chrome extension

When you install the optional Senly Connector Chrome extension and manually click "Connect" within a client profile, the extension reads the session cookies of the relevant social media platform (LinkedIn, Facebook, TikTok or Instagram) from your own browser and sends them encrypted to our server.

  • Encryption: AES-256-GCM with a per-tenant scoped key. Cookies from agency A cannot be read by agency B.
  • Purpose: solely to be able to run automation features (growth tools, invite tools) on the server on behalf of your agency, without you having to share passwords.
  • Collection: only after an explicit user action ("Connect" button). Never silently in the background.
  • Retention: until you click "Disconnect" or the cookies are invalidated by the platform itself.
  • No passwords: the extension does not read passwords, only already-active session tokens. Your client passwords never enter our system.

5. AI functionality (Gemini, Groq, Cerebras and others)

Senly offers AI-assisted features such as caption suggestions, brand checks, note suggestions and weekly Insights summaries. We use a tiered AI fallback ladder:

  • Google Gemini (first choice, with data processing terms confirmed by Google — data is not used for model training).
  • If Gemini is down: Groq, Cerebras, Cloudflare Workers AI, GitHub Models, OpenRouter, xAI Grok and OpenAI — depending on which API keys are configured at platform level or per agency.

We send only the minimum data necessary to the AI provider to fulfil the request. AI summaries of your Insights data contain only numbers and top-N lists — no personal data of your end clients.

Agencies can optionally set their own Gemini API key in Integrations → AI; in that case the AI request goes directly via your own account.

6. Marketing and analytics tracking

Senly uses a proprietary cookieless visitor tracker on the marketing website (senly.io). It hashes IP addresses and User-Agent strings into a 24-hour identifier without storing personal data. We do not place third-party tracking cookies (Facebook Pixel, Google Ads, etc.) on the website.

When you sign up for a trial, we optionally ask about your role, challenge and platforms (signup quiz) to personalise your onboarding. These answers are stored in your own account and used to improve Senly's marketing — your personal answers are never shared publicly.

7. Client review portal (public page)

Agencies can submit content to their end clients for approval via a unique review link (senly.io/review/[token]). We do not store personal data of end clients who open this link — only an aggregate of approve/reject actions per token. We do not place tracking cookies on this page.

8. Payments via Stripe

Subscriptions are billed via Stripe. Stripe is an independent controller for your payment data. We only receive a Stripe customer ID, invoice status and the chosen currency (EUR or USD, automatically detected based on your IP address and adjustable until the first payment).

For the affiliate programme Senly uses Stripe Connect to automatically process payouts to partners. Affiliates are paid directly from Stripe.

9. Legal basis for processing

  • Performance of the contract — delivering the SaaS service.
  • Consent — when you connect a Google/Microsoft/social account via OAuth.
  • Legitimate interest — security, fraud prevention, technical stability and product improvement.
  • Legal obligation — tax retention duties and requests from supervisory authorities.

10. Retention periods (summary)

  • Account data: for as long as the subscription is active + up to 30 days afterwards.
  • End client and content data: for as long as the agency does not delete it via the portal.
  • OAuth tokens (Google, Microsoft, social): until disconnection or token revocation at the provider.
  • Insights cache (GA/GSC/GBP/AI): 10 min (data) up to 24 hours (AI summary).
  • Log data (audit, SyncLog): up to 12 months.
  • Stripe link: for as long as the subscription is active; financial records 7 years (tax).
  • After cancellation: full deletion within 30 calendar days of request (unless otherwise required by law).

11. Sub-processors

We share data only with sub-processors that are necessary for the service:

  • Railway / PostgreSQL — hosting and database (EU).
  • Stripe — payments and Connect payouts.
  • Google Cloud (Workspace APIs) — Drive, Analytics, Search Console, Business Profile, Gmail, Calendar.
  • Microsoft (Graph API) — Outlook calendar, Outlook mail.
  • Resend / SMTP — transactional emails (welcome, password reset, notifications).
  • AI providers — Gemini, Groq, Cerebras, Cloudflare, GitHub Models, OpenRouter, xAI, OpenAI (only to answer the concrete request; no training).
  • Metricool — content planning and analytics.
  • Canva — fetching designs.
  • GoHighLevel (optional) — tasks and CRM sync when enabled.

We never sell or rent personal data to third parties.

12. Security

  • Encrypted connections (HTTPS/TLS) for all communication.
  • Passwords stored as bcrypt hash (never readable).
  • OAuth tokens encrypted at rest (AES-256-GCM, per-tenant key derivation).
  • Strict multi-tenant isolation: each agency only sees its own data.
  • Rate limiting on login attempts and API routes to block brute-force attacks.
  • Audit log of critical actions (SyncLog).
  • JWT sessions with a maximum validity of 30 days.
  • Automatic error monitoring with anonymised stack traces.

13. Your rights

As a data subject you have the right under the GDPR to access, rectification, erasure, restriction, portability and objection. Please direct your request in the first instance to the agency you work with. Agencies can handle these requests via the portal or contact us at info@senly.io.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

14. Data breaches

In the event of a data breach that poses a risk to data subjects, we will inform the relevant agency without undue delay (within 24 hours of discovery). The agency is responsible for notifying the Data Protection Authority within 72 hours if required.

15. International transfers

Our primary data storage is in the EU. Some sub-processors (Stripe, Google, Microsoft, AI providers) process data outside the EU. In those cases we use EU Standard Contractual Clauses (SCCs) as the transfer mechanism. We keep track of which sub-processor processes which data outside the EU and can explain this on request.

16. Contact

For privacy questions you can reach us via:

Social Media Tools
Nieuwlandschedijk 66, Lage Zwaluwe
info@senly.io

17. Changes

We may amend this statement. For material changes we will inform agencies via the portal or by email. The date at the top indicates when the statement was last updated. We keep earlier versions internally for reference.