Data Privacy & GDPR Compliance
Ensure GDPR and data privacy compliance with data processing agreements, user consent management, and data export/deletion.
Data Privacy Overview
Audenci processes personal data on your behalf, requiring compliance with:
- GDPR (EU)
- CCPA (California)
- LGPD (Brazil)
- Other data protection regulations

Audenci provides tools to help you comply, but ultimate responsibility lies with you as the data controller.
Data Processing Agreement (DPA)
The DPA governs how Audenci processes your data:
- Audenci is the data processor
- You are the data controller
- The DPA defines:
  - Data processed
  - Processing purposes
  - Security measures
  - Sub-processors
  - Data retention

Sign the DPA in Settings → Legal (required for Enterprise).
DPA is required for GDPR compliance. It's automatically included in Enterprise contracts.
Data Categories Processed
Audenci processes:
- User account data (name, email, password)
- Organization data (company name, billing info)
- Content data (posts, captions, images, videos)
- Analytics data (engagement metrics, follower counts)
- Social account tokens (encrypted)
- Usage data (logs, audit trails)

No sensitive personal data (health, financial, etc.) is processed unless you input it.
User Consent Management
Obtain consent for data processing:
- Terms of Service acceptance (required on signup)
- Privacy Policy acceptance
- Cookie consent banner (website visitors)
- Social account authorization (OAuth consent screens)

Document consent for audit purposes.
Data Subject Rights
GDPR grants data subjects these rights:
- Right to access (see their data)
- Right to rectification (correct errors)
- Right to erasure ('right to be forgotten')
- Right to restriction (limit processing)
- Right to portability (export data)
- Right to object (opt-out of processing)

Audenci provides tools to fulfill these rights.
Data Export
Export all data for a user:
- Go to Settings → Privacy → Data Export
- Select the user account
- Click 'Export Data'
- You receive a ZIP file with:
  - Account details
  - All content created
  - Analytics data
  - Audit logs
  - Settings and preferences

Export completes within 48 hours.

Data Deletion
Delete user data to fulfill erasure requests:
- Go to Settings → Privacy → Data Deletion
- Select the user account
- Confirm deletion (irreversible)
- The following data is deleted:
  - Account details
  - Personal content
  - Analytics data
  - Audit logs (after retention period)

Organization-level data (shared content, campaigns) is retained unless the organization is deleted.
Data deletion is permanent and cannot be undone. Export data before deletion if needed.
Data Retention
Data retention policies:
- Active account data: Retained while account is active
- Deleted account data: Purged after 30 days
- Audit logs: Retained for 90 days (1 year for Enterprise)
- Backups: Retained for 30 days

Configure custom retention policies (Enterprise only).
Data Breach Notification
In case of a data breach:
- Audenci notifies affected customers within 72 hours (GDPR requirement)
- Notification includes:
  - Nature of breach
  - Data categories affected
  - Potential consequences
  - Measures taken

You must notify your data subjects per GDPR requirements (within 72 hours of learning of the breach).
Sub-Processors
Audenci uses the following sub-processors:
- AWS (infrastructure, data storage)
- Vercel (hosting)
- OpenAI (AI generation)
- fal.ai (image/video generation)
- Resend (email delivery)
- Stripe (payment processing)

Full sub-processor list: https://audenci.com/sub-processors. We notify you 30 days before adding new sub-processors.
International Data Transfers
Data may be transferred outside the EU:
- Data stored in AWS (US, EU regions available)
- Standard Contractual Clauses (SCCs) in place
- EU-US Data Privacy Framework compliant
- Choose EU data residency (Enterprise only)

Configure data residency in Settings → Privacy.
Best Practices
- Sign DPA if processing EU data
- Obtain clear consent from users
- Document lawful basis for processing
- Respond to data subject requests within 30 days
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- Train team on data privacy responsibilities
- Review sub-processors and approve new ones
- Maintain records of processing activities