Privacy Policy
Effective date: 2026-05-09
Last updated: 2026-05-09
This Privacy Policy describes how Awny Faris Marketing ("we," "us," "our") collects, uses, and shares personal information when you authorise our self-hosted scheduling tool to manage social media accounts on your behalf, when you visit awnyfaris.com, or when you otherwise engage our services.
We respect your privacy and only collect what we need to deliver the service you have asked us to perform. This policy is written in plain language. If anything here is unclear, contact us at the address at the bottom of this page and we will explain it.
1. Who we are
Awny Faris Marketing is a digital marketing agency operated by Awny Faris, based in Berlin, Germany. We provide bundled monthly marketing services (social media management, SEO audits and improvements, blog content) to small and medium businesses, primarily in Europe.
For the purposes of GDPR (Regulation (EU) 2016/679):
- When you, as a business owner, hire Awny Faris Marketing to manage your marketing, we act as the data processor and you are the data controller of any personal data that flows through our services.
- When you visit awnyfaris.com directly, or contact us about our services, we act as the data controller of the information you provide to us.
2. Information we collect
When you authorise our tool to manage your social media accounts
We use self-hosted social media management software (Postiz) to schedule and publish posts to your social media accounts. When you authorise our app to access your accounts via OAuth, we receive:
- Account identifiers — the username, page ID, or channel ID for each connected account
- Access tokens — short-lived and refresh tokens issued by the platform (LinkedIn, Meta/Facebook/Instagram, YouTube, X, TikTok, etc.) that allow our tool to publish on your behalf
- Permission scopes — only the specific permissions you granted at OAuth time (typically: read profile, publish posts, read post analytics)
- Post content you upload to the tool — text, images, videos, scheduled publish times
- Post-publication analytics — likes, comments, shares, reach, impressions, retrieved from the platform's API after the post is live
We do not collect, store, or sell anything beyond what the social media platforms themselves expose via their official APIs.
When you visit awnyfaris.com
- Server logs — IP address, browser user-agent, requested page, timestamp (kept for 30 days)
- No cookies for tracking — we do not run Google Analytics, Facebook Pixel, or any third-party advertising trackers on awnyfaris.com
When you contact us
- Your name, email address, business name, and the contents of the message you send
3. How we use your information
We use the information described above to:
- Publish the content you have approved to the social accounts you have connected
- Retrieve and present analytics about your published posts
- Communicate with you about the service (e.g. confirmation that a post went live, error notifications, monthly summaries)
- Improve the quality of our service to you (e.g. detecting which post types perform best so we can recommend more of them)
- Comply with our legal obligations (e.g. tax records, where required by German law)
We do not use your data to:
- Train AI models
- Build advertising profiles
- Sell to third parties
- Pass to data brokers
4. AI services we use
To produce the content we publish on your behalf, we use:
- Anthropic Claude — for drafting captions, blog content, and ad copy. Anthropic's privacy policy: anthropic.com/legal/privacy
- OpenAI — used as a fallback for some text generation. OpenAI's privacy policy: openai.com/policies/privacy-policy
- Flux.1 Dev (self-hosted) — for image generation on hardware we control. No data leaves our infrastructure.
- DataForSEO — for SERP analysis and keyword research. DataForSEO's privacy policy: dataforseo.com/privacy-policy
When we send your content (e.g. a draft caption to be refined) to Anthropic or OpenAI, we do so under their API terms — they do not retain or train on it.
5. Third-party platforms
When we publish to your connected accounts, the social media platforms themselves receive your post content and apply their own privacy policies to it. We have no control over how Meta, LinkedIn, Google, etc. process data once it is on their service. Their privacy policies:
- Meta (Facebook + Instagram + Threads): facebook.com/policy.php
- LinkedIn: linkedin.com/legal/privacy-policy
- Google (YouTube): policies.google.com/privacy
- X / Twitter: x.com/en/privacy
- TikTok: tiktok.com/legal/page/eea/privacy-policy/en
6. Where we store your data
- Account tokens, post drafts, and analytics are stored on servers we control, hosted in the European Union
- We use Backblaze B2 (US-based) for encrypted backups of our system. Tokens and other credentials are encrypted at rest before they are uploaded, so Backblaze never sees them in plain form
- Hugging Face (US-based) hosts the public open-source models we download to our own hardware — no client data is sent to Hugging Face
7. How long we keep your data
- OAuth tokens: for as long as you keep the account connected. Disconnecting the account in our dashboard immediately invalidates the token and removes it from our active database
- Post drafts: kept indefinitely so you can refer back to them; you can request deletion at any time
- Post-publication analytics: kept for 24 months for trend reporting, then aggregated
- Server logs: 30 days
- Email correspondence: for the duration of the engagement plus 7 years (German tax law for business records)
- Backups: rotated on a 90-day cycle
8. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectify — ask us to correct inaccurate data
- Erase — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations
- Portability — receive your data in a machine-readable format
- Object — object to certain processing
- Withdraw consent — disconnect any OAuth integration at any time; this stops all further processing
To exercise any of these rights, email us at the address below. We respond within 30 days.
You also have the right to complain to a supervisory authority. In Germany, that is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
9. Security
We use standard industry practices to protect your data:
- Access tokens are stored encrypted at rest
- Server access is restricted by SSH key + two-factor authentication
- HTTPS is required for all client-facing endpoints
- We follow the principle of least privilege — only the minimum permissions needed for the service
No system is perfectly secure. If we discover a data breach affecting your information, we will notify you within 72 hours per GDPR Article 33.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email to existing clients at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent version.
11. Contact
For any privacy questions or to exercise your rights:
Awny Faris Marketing (operator: Awny Faris)
Email: awny.faris5@gmail.com
[Mailing address: to be filled in once registered as a legal entity]
We do not currently have a Data Protection Officer (we are below the GDPR threshold requiring one), but you can direct any data-protection question to the email above.