← Home
Terms of Service Privacy Policy Data Processing Agreement Legal Notice Sub-processors
Current version. We may update these documents; the date above reflects the latest revision.
Translations, including automatic browser translations, are provided for convenience. The text published by SMMapprove is the official version; our governing law is Portugal.

SMMapprove Privacy Policy

Controller for account data; processor for uploaded Client data. Contact: support@smapprove.com. Last updated: 1 June 2026.

This Privacy Policy explains how SMMapprove ("we", "us") handles personal data. It is written in plain language and applies globally, with specific sections for the EU/EEA and UK (GDPR / UK GDPR), and for the United States (including California and other state privacy laws). Where we say "Manager" we mean the registered user; "Client" means the person the Manager invites to approve content.

Our two roles. We are the controller of account data we collect directly from Managers (your email and hashed password, and your use of the Service). We are a processor of the Client data and content that Managers upload; for that data, the Manager is the controller and decides why and how it is processed. A separate Data Processing Agreement governs our processor role.

Controller identity

The controller for account data is the SMMapprove operator: Grigorii Kochedykov (Empresário em Nome Individual), Rua da Quinta 3, 2 ESQ, Ameal, 2565-641 Ramalhal, Torres Vedras, Portugal. The contact point for all privacy matters and data-subject requests is support@smapprove.com. The operator is established in the EU (Portugal), so an Article 27 GDPR representative is not required. We have not appointed a Data Protection Officer, because our processing does not meet the mandatory thresholds under Article 37 GDPR (or, where the operator is established in Germany, under BDSG §38); we will appoint one and update this Policy if that changes.

1. Data We Collect

We distinguish data we collect about Managers (we are controller) from data Managers upload about their Clients (we are processor).

Manager account data (we are controller):

  • email address;
  • password, stored only as a bcrypt hash (we never see or store your plaintext password);
  • technical logs and security data generated by your use (see "approval data" below for Client-side capture).

Data uploaded by Managers about Clients (we are processor):

  • Content: images, videos, captions, and brand names uploaded for approval;
  • Client contact details: the email and/or phone number the Manager enters to send approval requests;
  • Approval data / metadata captured when a Client opens or acts on an approval link: a UTC timestamp, a salted-hashed Client IP address (the raw IP is never stored or logged), the browser user-agent string, and a SHA-256 hash of the approved content;
  • Technical logs used to operate and secure the Service.

About the salted IP hash and user-agent. We collect IP addresses only after combining them with a random per-context salt and applying a SHA-256 one-way hash. Raw IPs are never stored. The salted hash cannot be reversed to recover the original IP and is used solely to detect and prevent abuse (for example, brute-force guessing of approval links). User-agent strings (browser/OS type) are retained in plaintext for a short period for technical support and abuse prevention. These are not used to identify or profile individuals.

2. How We Use Data and Our Legal Bases

The list below sets out, for each category, the purpose and the GDPR / UK GDPR legal basis (Article 6).

  • Manager email + hashed password — Purpose: account creation, login, support, service communications. Basis: Art. 6(1)(b) contract.
  • Uploaded content — Purpose: host and display content so the Client can review and approve it; generate the content hash. Basis: Art. 6(1)(b) contract (with the Manager) and, as to Client data, processing on the Manager's documented instructions.
  • Client email + phone — Purpose: send approval requests and reminders. Basis: processing on the Manager's instructions; the Manager relies on Art. 6(1)(b) contract or Art. 6(1)(f) legitimate interests (operating the approval workflow, balanced against the Client's interest in controlled, expected communications) and is responsible for any consent required for email/SMS (see "Electronic communications" below).
  • Approval metadata (timestamp, salted-hashed IP, user-agent, content hash) — Purpose: create a tamper-evident approval certificate; abuse prevention; dispute resolution and audit trail. Basis: Art. 6(1)(f) legitimate interests (evidentiary record and security). The content hash and timestamp serve only to prove that specific content was approved on a specific date; they are not used to identify or profile anyone.
  • Security and legal compliance — Purpose: protect the Service, comply with legal obligations, and establish, exercise, or defend legal claims. Basis: Art. 6(1)(f) legitimate interests and Art. 6(1)(c) legal obligation.
  • Optional marketing / product-update emails (if offered) — Purpose: send you updates. Basis: consent (Art. 6(1)(a)), which you may withdraw at any time.

No automated decision-making and no profiling. We do not make decisions producing legal or similarly significant effects by automated means, and we do not build profiles or segment users for advertising or pricing.

3. Retention

  • Manager account data: kept while your account is active, then deleted within a reasonable period after closure, except where we must retain it longer to comply with legal, tax, or accounting obligations or to defend legal claims. Statutory tax and accounting retention periods in EU member states are typically 6 to 10 years (for example, up to 10 years in Germany); we retain only what those obligations require, for no longer than required.
  • Uploaded media (images/videos/captions): automatically deleted 7 days after approval or archival.
  • Client contact details: deleted on the same 7-day cycle as the related approval, unless the Manager (as controller) instructs archival; the Manager may request earlier deletion at any time.
  • Approval certificate, SHA-256 content hash, and approval timestamp: retained as proof of approval and as an audit record under legitimate interests, for as long as needed to resolve potential disputes. These records cannot reconstruct the original media.
  • Backups: encrypted backups (via Litestream to Cloudflare R2) are rotated; deleted data is purged from backups in the ordinary backup-rotation cycle.

Deletion is irreversible. Access requests for media already deleted under the 7-day rule will return the available metadata (hash, timestamp, certificate) but not the original file.

4. Sharing and Sub-processors

We do not sell personal data, and we do not "share" it for cross-context behavioural advertising (as those terms are defined under the CCPA/CPRA and equivalent US state laws). We have not sold or shared personal data in the preceding 12 months, and we have no financial incentive tied to collecting it. We disclose data only to the sub-processors below, who process it solely on our documented instructions under data-processing agreements:

  • Cloudflare R2 — object storage of media and encrypted database backups; bucket configured to an EU-capable region; data encrypted at rest. Cloudflare is a US-headquartered provider; we maintain a data-processing agreement with appropriate transfer safeguards (see Section 5).
  • Brevo — transactional email delivery; EU/France.
  • Hetzner-class VPS hosting — single virtual server in Germany.

An optional publishing integration (Ayrshare) is currently disabled. If enabled in future, it will only process data at the Manager's explicit, user-initiated request, and we will update this Policy and give advance notice. We may also disclose data where required by law or to protect rights and safety. We remain responsible to you for our sub-processors' performance of their data-protection obligations, to the same extent as for our own performance and subject to the limitations of liability in the Terms except where the law does not permit limitation.

5. International Transfers

Account data is stored on our German VPS (within the EU/EEA — no transfer safeguard needed). Media and backups are stored via Cloudflare R2 in an EU-capable region; email is handled by Brevo in the EU. Where any personal data is transferred outside the EEA/UK to a country without an adequacy decision (for example, to a US-headquartered provider's systems), we rely, in order of preference, on: (a) the EU-US Data Privacy Framework and its UK extension, where the recipient is certified; or (b) the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary technical measures such as encryption. The UK currently benefits from an EU adequacy decision, so EU-UK flows do not require additional safeguards. We do not transfer personal data to a non-adequate country without an appropriate transfer mechanism. You may request a copy of the relevant safeguards at support@smapprove.com.

6. Your Rights

EU/EEA and UK (GDPR / UK GDPR). You have the right to: access (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction (Art. 18); data portability (Art. 20) — we will provide your data in a structured, commonly used, machine-readable format (for example, CSV or JSON) or transmit it to another provider where technically feasible; and to object (Art. 21) to processing based on legitimate interests. Where processing is based on consent, you may withdraw consent at any time without affecting prior processing; for marketing email, use the one-click unsubscribe in every message. You also have the right to lodge a complaint with your supervisory authority (in Germany, your competent federal or Land authority; in the UK, the ICO at ico.org.uk; or the authority where you live or work). We respond to requests without undue delay and within one month, extendable for complex requests as the law permits.

To exercise any right, email support@smapprove.com. We verify identity (for example, by confirming control of the registered email) before disclosing or deleting data; requests we cannot verify may be refused.

United States — California (CCPA/CPRA). Where applicable, you have the right to know the categories and specific pieces of personal information collected, the sources, purposes, and recipients; to access and delete your information (subject to legal exceptions, including our retained approval hashes and certificates); to correct inaccurate information; to limit the use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right); and to non-discrimination for exercising your rights. We do not sell or share personal information, so no opt-out of sale or sharing is required; we honour Global Privacy Control (GPC) signals as an opt-out request to the extent applicable. We do not respond to "Do Not Track" browser signals because we do not use third-party cross-site behavioural advertising. California residents may submit requests to support@smapprove.com; we respond within 45 days (extendable as permitted). Requests on behalf of a minor or another person require proof of authority.

United States — other states. If you are a resident of a US state with a comprehensive privacy law (including, as applicable, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others as they take effect), you have rights to access, correct, delete, and obtain a portable copy of your personal data, to opt out of targeted advertising, sale, and certain profiling, and to appeal a refusal of your request. Because we do not sell personal data, do not engage in targeted advertising, and do not profile users for decisions with legal or similarly significant effects, those opt-outs do not apply to our processing; the access, correction, deletion, and portability rights do. To exercise them, or to appeal, email support@smapprove.com.

Client data. Because the Manager is the controller of Client data, Clients should direct access and deletion requests to the Manager who invited them; we will assist the Manager in responding. If a Client contacts us directly, we will forward the request to the relevant Manager.

7. Security

We implement appropriate technical and organisational measures under Article 32 GDPR, including: passwords stored as bcrypt hashes; encryption in transit (TLS) and encryption of media and backups at rest; salted-hashed IP storage (raw IPs never stored); signed, time-limited links for media access; access controls and least-privilege administration; and a single, controlled EU hosting environment. No system is perfectly secure, but we work to protect your data and to limit retention.

8. Electronic Communications (Email/SMS)

Transactional messages (approval requests, reminders, password resets, service notices) are sent to provide the Service. Any marketing or product-update emails are sent only with separate, prior consent and include a one-click unsubscribe. For approval requests sent to Clients, the Manager is responsible for obtaining any consent required under the ePrivacy Directive 2002/58/EC, the UK PECR, the US CAN-SPAM Act and TCPA, and equivalent laws before a Client is contacted by email or SMS.

9. Notice to Clients (data we did not receive from you directly)

If your contact details were given to us by a Manager so they could request your approval of content (Article 14 GDPR), you are entitled to know: the Manager who provided your details is the controller; we process your email/phone and approval metadata only to deliver the approval workflow; media is deleted 7 days after final approval; and you have the rights listed in Section 6. To exercise them, contact the Manager who invited you, or email support@smapprove.com and we will relay your request.

10. Children

The Service is not intended for anyone under 18, and we do not knowingly collect data from children. Consistent with COPPA, we do not knowingly collect personal information from children under 13; if we learn that we have, we will delete it promptly. Managers must not invite anyone they know to be a minor to approve content.

11. Cookies

We use only strictly necessary cookies required to authenticate sessions and secure the Service; these do not require consent. We do not use advertising, analytics, or cross-site tracking cookies. If that changes, we will add a consent mechanism and update this Policy.

12. International Users and Local Laws

We operate from the EU and host within the EU. If you access the Service from a country with mandatory local data-protection requirements (for example, data-localisation rules), you are responsible for ensuring your use is lawful in your jurisdiction. We currently store personal data in the EU and do not guarantee compliance with localisation mandates that would require storage in a specific other country.

13. Changes and Contact

We may update this Policy and will post the new "Last updated" date; for material changes we will give reasonable notice. Questions or requests: support@smapprove.com.

← Back to home