Privacy Policy

Last updated: March 22, 2026

1. Introduction

SunshineSlingshot ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our social media management platform (the "Service"). This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

2. Data Controller

SunshineSlingshot is the data controller for the personal data processed through the Service. For GDPR inquiries, contact our Data Protection contact at privacy@sunshineslingshot.com.

3. Data We Collect

Account data: Name, email address, password (hashed with bcrypt, never stored in plaintext), organization name, avatar color preference. Collected at registration. Legal basis: contract performance.

Social media account data: When you connect social platforms, we store OAuth access tokens, platform user IDs, and display names. Tokens are used exclusively to perform actions you request (posting, reading mentions). Legal basis: contract performance and your explicit consent.

API keys: AI provider keys, social platform credentials, and integration tokens that you voluntarily enter. These are encrypted at rest using AES-256-GCM with per-record random salts. We never transmit these keys except to the specific service they're intended for. Legal basis: contract performance.

Content data: Posts you create, schedule, or publish; media files you upload; links you shorten; hashtag sets; RSS feeds; inbox messages. This is your content — you own it. We process it solely to provide the Service. Legal basis: contract performance.

Analytics data: Post performance metrics, click counts on shortened links (including referrer, browser, OS, device type from user-agent — no personal identification of link clickers), competitor public metrics, listening mention data from public social media posts. Legal basis: contract performance and legitimate interest.

Usage data: Activity logs (actions taken within the platform), telemetry logs (system performance metrics), login timestamps. Legal basis: legitimate interest in improving the Service.

Payment data: Billing is handled by Square, Inc. We do not store credit card numbers. We store Square customer IDs, subscription IDs, and payment amounts for record-keeping. Legal basis: contract performance and legal obligation.

Technical data: IP addresses (for rate limiting and security), browser user-agent (for analytics), cookies (session authentication only). Legal basis: legitimate interest in security.

4. How We Use Your Data

We use your data to: provide, maintain, and improve the Service; process your scheduled posts and publish them to your connected platforms; monitor brand mentions and competitor data as you configure; generate AI-assisted content using the AI provider you select; process payments and manage your subscription; send transactional emails (password resets, billing notifications, alert deliveries); detect and prevent abuse, fraud, and security threats; comply with legal obligations.

We do NOT: sell your data to third parties; use your content to train AI models; share your data with advertisers; make automated decisions that significantly affect you.

5. Third-Party Data Processors

We share data with these categories of processors, solely to provide the Service:

Social media platforms (Twitter/X, Meta, LinkedIn, TikTok, Pinterest, YouTube, Bluesky, Mastodon): Your content and account tokens, to publish posts and retrieve mentions. Governed by each platform's own privacy policy.

AI providers (Anthropic, OpenAI, Google, etc. — whichever you configure): Your content text, to generate AI suggestions. We send only the minimum content needed for generation. No personal data is sent.

Square, Inc.: Billing data for payment processing.

Email delivery (SMTP provider): Email addresses for transactional emails and alert delivery.

We do not use any analytics trackers, advertising pixels, or third-party cookies.

6. Data Storage and Security

Data is stored in a MySQL database on our servers. All connections are encrypted via TLS (HTTPS). API keys and sensitive credentials are encrypted at rest using AES-256-GCM with scrypt key derivation (N=32768). Each encrypted value uses a unique random 256-bit salt. Passwords are hashed using bcrypt with 12 rounds. Session tokens use JWT with HMAC-SHA256 signatures. File uploads are stored on-server with unique randomized filenames. The Service is protected by HSTS, CSP, X-Frame-Options, and other security headers. Rate limiting protects against brute force attacks.

7. Data Retention

Your data is retained for as long as your account is active. When you delete your account, all data is scheduled for permanent deletion after a 30-day grace period (during which you can cancel the deletion). After 30 days, all data, including posts, media, accounts, settings, analytics, and logs, is permanently and irreversibly deleted from our systems. Payment records may be retained for up to 7 years as required by financial regulations. Consent records are retained indefinitely as required by GDPR for compliance auditing.

8. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights:

Right of access: You can export all your data at any time via Settings → Account → Export All Data.

Right to rectification: You can update your account information at any time in Settings.

Right to erasure ("right to be forgotten"): You can delete your account via Settings → Account → Delete Organization. All data is permanently removed after the 30-day grace period.

Right to restriction of processing: Contact us to request restriction of specific processing activities.

Right to data portability: The data export function produces a standard JSON file containing all your data.

Right to object: You may object to processing based on legitimate interest by contacting us.

Right to withdraw consent: You can withdraw consent for marketing communications or optional data processing at any time via Settings or by contacting us.

To exercise any of these rights, use the self-service tools in Settings or contact privacy@sunshineslingshot.com. We will respond within 30 days.

9. Your Rights (CCPA)

If you are a California resident, you have the right to: know what personal data we collect and how we use it; request deletion of your personal data; opt out of the sale of personal data (we do not sell personal data); and not be discriminated against for exercising your rights.

10. Cookies

We use only essential cookies required for the Service to function: a session authentication cookie (managed by NextAuth.js, httpOnly, secure, sameSite=lax). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. For full details, see our Cookie Policy.

11. International Data Transfers

Your data may be processed outside your country of residence. When we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards. AI API calls may be processed in the provider's data centers (locations vary by provider).

12. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "last updated" date at the top reflects the most recent revision.

14. Contact

For privacy inquiries, data requests, or complaints: privacy@sunshineslingshot.com

If you are unsatisfied with our response, EEA residents have the right to lodge a complaint with their local data protection authority.