Legal
Privacy Policy
Introduction
This Privacy Policy is provided under Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree no. 196/2003 ("Privacy Code"), as amended. It describes how Deep Marketing Srl ("we", the "Controller") processes personal data within the DM Social platform, the professional tool with which the Controller manages, schedules and publishes editorial content on its clients' social channels.
DM Social is a service for professionals and businesses; it is not intended for use by anyone under 18 and does not knowingly collect data of minors.
Deep Marketing Srl
Registered office: Viale della Repubblica 10, 37126 Verona (VR), Italy
VAT no.: 04833130232 — REA no.: VR - 449729 — Share capital: 10.000 €
Email: info@deepmarketing.it — Website: https://www.deepmarketing.it
The Controller has not appointed a Data Protection Officer (DPO). Any request concerning personal data may therefore be sent directly to the Controller using the contact details above.
General information
Below we describe the processing of personal data carried out through DM Social, the relevant legal basis, and the consequences of failing to provide the data. Where relevant, we indicate when a particular type of data is not processed.
Categories of data processed
- Connected social account data: when the owner of a social account (TikTok, Facebook, Instagram, LinkedIn) authorizes the connection, we receive from the relevant platform an account identifier (e.g. open_id/user id), the basic profile information strictly necessary for publishing (e.g. the profile/page name) and access tokens (access token and, where applicable, refresh token).
- Content: text, images, videos and related metadata of the posts that the user creates, schedules and publishes through the Service.
- Contact and internal account data: the data needed to authenticate the operators authorized to access the platform.
- Technical and log data: information essential to the operation and security of the Service, including the outcomes of publishing operations and any errors returned by the platforms.
DM Social does not process "special categories" of data (Art. 9 GDPR: racial or ethnic origin, religious or philosophical beliefs, political opinions, health or sex-life data) nor judicial data. No user profiling is carried out.
TikTok integration
DM Social uses TikTok's official APIs — in particular TikTok Login Kit and the Content Posting API — solely to publish and manage, on the client's behalf, the content the client instructs us to publish on their own TikTok account. Specifically:
- Access to the TikTok account occurs only after explicit authorization by the account owner, through TikTok's official authorization flow (OAuth), and limited to the approved scopes.
- The access tokens obtained from TikTok are stored securely and used only for the authorized purposes (publishing content and related technical management).
- We do not sell, rent or share the data obtained through TikTok's APIs with third parties for advertising or marketing purposes, and we do not use it for any purpose other than those described here. We do not use such data to train artificial-intelligence models.
- The user may revoke the authorization at any time, either by disconnecting the account from the Service or from the security settings of their TikTok account; upon revocation the related tokens are deleted.
- TikTok's own processing of data is also governed by the TikTok Privacy Policy.
Meta (Facebook/Instagram) and LinkedIn integration
With the same arrangements and limits described for TikTok, DM Social integrates with the official APIs of Meta (Facebook and Instagram) and LinkedIn for the sole purpose of publishing and managing content on the accounts connected and authorized by the client. For these channels too, tokens are stored securely, used only for the authorized purposes, and revocable at any time.
Purposes and legal basis of processing
- Provision of the Service (connecting accounts, creating, scheduling and publishing content): the legal basis is the performance of the contract with the client and/or pre-contractual measures taken at their request (Art. 6.1.b GDPR).
- Security, abuse prevention and technical compliance: the legal basis is the Controller's legitimate interest in ensuring the correct and secure operation of the Service (Art. 6.1.f GDPR).
- Compliance with legal obligations: the legal basis is the legal obligation to which the Controller is subject (Art. 6.1.c GDPR).
Method of processing
Processing is carried out mainly with electronic and automated tools, using methods and measures suitable to ensure security and confidentiality. The information collected is relevant and not excessive in relation to the services provided and is handled in secure, adequate IT environments.
Disclosure of personal data
The Controller may disclose personal data to the following categories of recipients, solely for the purposes stated above:
- Technology infrastructure providers that enable the Service, in particular Cloudflare, Inc. (hosting, application execution, storage and network), appointed where necessary as data processors under Art. 28 GDPR.
- Destination social platforms (TikTok, Meta, LinkedIn), to which content and the strictly necessary data are transmitted for the sole purpose of carrying out the publication requested by the client.
- Employees and collaborators of the Controller authorized to process the data and instructed accordingly.
- Public authorities and parties to whom disclosure is required by law or by orders of the competent authorities.
Data is not transferred to third parties that would process it as independent controllers and is not disclosed for purposes other than those stated.
Data retention
- Data relating to connected accounts and the related tokens are retained for as long as the account remains connected to the Service and are deleted upon disconnection of the account or upon termination of the relationship with the client.
- Content and related metadata are retained for as long as necessary to provide the Service.
- Technical logs are retained for as long as necessary for security purposes and to comply with legal obligations.
The Controller may in any case retain data for any period required by specific legislation.
Transfer of personal data
To provide the Service, certain providers (in particular Cloudflare, Inc.) and the social platforms may process data also in non-EU countries, including the United States. In such cases the transfer takes place subject to adequate safeguards under Chapter V of the GDPR (European Commission adequacy decisions where applicable and/or Standard Contractual Clauses).
Rights of the data subject
You have the right to: request access to your personal data and its rectification or erasure; obtain restriction of processing or object to it; exercise the right to data portability; withdraw at any time any consent given (without affecting the lawfulness of processing prior to withdrawal) and revoke the connection of a social account; lodge a complaint with a supervisory authority (in Italy, the Garante per la protezione dei dati personali). These rights may be exercised without formality by writing to info@deepmarketing.it.
Security
The Controller adopts technical and organizational measures suitable to protect personal data against unauthorized access, loss, destruction or unlawful use, including secure storage of access tokens and access to the Service limited to authorized operators.
Changes
The Controller reserves the right to amend this Policy at any time, giving suitable notice on this page with the relevant date and ensuring in any case adequate data protection. In the event of material changes, the update may also be communicated by email. Please review this page regularly.