How we process personal data, the rights you have and how to reach us. Transparent, GDPR-compliant and aligned with the Google API Services User Data Policy.
This is a courtesy translation. The Dutch version is the legally binding original. View the Dutch version →
Social Media Tools ("we", "us", "Senly") provides a SaaS platform that allows marketing agencies to manage their client relationships, content, scheduling, appointments, email communication, marketing and reporting. In this statement we explain which personal data we process, why, for how long, with whom we share it and which rights you have.
We act as a processor within the meaning of the GDPR. The marketing agency that uses the portal is the controller for the personal data of its own end clients. We are happy to conclude a data processing agreement (DPA) with each agency on request.
For data we collect directly from you as an agency (account, payments, support) we act as controller.
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, password hash, role, language, avatar | Authentication, access control, personalisation |
| Company data | Company name, logo, colours, domain, contact person | White-label portal and invoicing |
| End client data | Company name, contact person, email, notes, subscription stage | CRM functionality within the portal |
| Content | Designs (Canva/Metricool), captions, files, posts, calendars | Content and scheduling management |
| Payment data | Stripe customer ID, subscription status, billing address, currency (EUR/USD) | Subscription billing via Stripe |
| OAuth tokens | Encrypted access and refresh tokens from Google, Microsoft, LinkedIn, Facebook, etc. | Authorised API calls on behalf of the connected user |
| Email data | Connected Gmail/Outlook/IMAP accounts, emails sent and received within the portal, signatures | Email functionality in the portal |
| Calendar data | Connected Google/Outlook calendars, available time slots, bookings via the public booking page | Appointment management and calendars |
| Insights data | Statistics from Google Analytics, Search Console and Business Profile as connected by the user | Dashboard widgets and AI summaries |
| Log data | IP address, timestamp, action, user agent | Security, debugging and audit log |
| Session data | JWT token, language cookie (portal_locale) | Staying signed in, remembering language preference |
| Marketing tracking | Cookieless tracker (anonymised), UTM parameters, signup quiz answers | Insight into which campaigns generate leads |
| Social session cookies | Auth cookies from LinkedIn, Facebook, TikTok, Instagram — only when you explicitly click "Connect" via the Senly Connector | Running automation features on behalf of your agency |
When you connect your Google account through Senly, the use of your Google data is governed by the Google API Services User Data Policy, including the Limited Use requirements. Below we explain exactly which Google services Senly accesses and what we do — and do not do — with your data.
userinfo.email — to display which Google account you are connected with.drive — to fetch and display your client folders (designs, files) within the client profile. Senly only writes when you explicitly perform an upload from the portal.analytics.readonly — read-only access to Google Analytics 4 reports for the property you select, to display them as dashboard widgets.webmasters.readonly — read-only access to Search Console statistics (clicks, impressions, positions, queries) for the site you select.business.manage — reading your own Google Business Profile statistics (search impressions, phone clicks, direction requests). Senly never modifies your Business Profile.gmail.send / gmail.modify (only if you connect Gmail) — to send and read emails from within the portal on behalf of the connected account.calendar (only if you connect Google Calendar) — to display available time slots on your public booking page and add bookings to your calendar.We use your Google data solely to deliver the Senly functionality you request:
You can disconnect in two ways:
When you install the optional Senly Connector Chrome extension and manually click "Connect" within a client profile, the extension reads the session cookies of the relevant social media platform (LinkedIn, Facebook, TikTok or Instagram) from your own browser and sends them encrypted to our server.
Senly offers AI-assisted features such as caption suggestions, brand checks, note suggestions and weekly Insights summaries. We use a tiered AI fallback ladder:
We send only the minimum data necessary to the AI provider to fulfil the request. AI summaries of your Insights data contain only numbers and top-N lists — no personal data of your end clients.
Agencies can optionally set their own Gemini API key in Integrations → AI; in that case the AI request goes directly via your own account.
Senly uses a proprietary cookieless visitor tracker on the marketing website (senly.io). It hashes IP addresses and User-Agent strings into a 24-hour identifier without storing personal data. We do not place third-party tracking cookies (Facebook Pixel, Google Ads, etc.) on the website.
When you sign up for a trial, we optionally ask about your role, challenge and platforms (signup quiz) to personalise your onboarding. These answers are stored in your own account and used to improve Senly's marketing — your personal answers are never shared publicly.
Agencies can submit content to their end clients for approval via a unique review link (senly.io/review/[token]). We do not store personal data of end clients who open this link — only an aggregate of approve/reject actions per token. We do not place tracking cookies on this page.
Subscriptions are billed via Stripe. Stripe is an independent controller for your payment data. We only receive a Stripe customer ID, invoice status and the chosen currency (EUR or USD, automatically detected based on your IP address and adjustable until the first payment).
For the affiliate programme Senly uses Stripe Connect to automatically process payouts to partners. Affiliates are paid directly from Stripe.
We share data only with sub-processors that are necessary for the service:
We never sell or rent personal data to third parties.
As a data subject you have the right under the GDPR to access, rectification, erasure, restriction, portability and objection. Please direct your request in the first instance to the agency you work with. Agencies can handle these requests via the portal or contact us at info@senly.io.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
In the event of a data breach that poses a risk to data subjects, we will inform the relevant agency without undue delay (within 24 hours of discovery). The agency is responsible for notifying the Data Protection Authority within 72 hours if required.
Our primary data storage is in the EU. Some sub-processors (Stripe, Google, Microsoft, AI providers) process data outside the EU. In those cases we use EU Standard Contractual Clauses (SCCs) as the transfer mechanism. We keep track of which sub-processor processes which data outside the EU and can explain this on request.
For privacy questions you can reach us via:
Social Media ToolsWe may amend this statement. For material changes we will inform agencies via the portal or by email. The date at the top indicates when the statement was last updated. We keep earlier versions internally for reference.