Wakebrief

Privacy Policy

Effective date: 2026-05-27 Last updated: 2026-05-27

This Privacy Policy describes how Wakebrief ("Wakebrief", "we", "us", or "our") collects, uses, and shares personal data when you use our service at wakebrief.com (the "Service").

The data controller is PIMAS I CAÑELLAS 2012 SLU, a company registered in Spain under Tax ID (CIF) B55150114, contactable at legal@wakebrief.com.

1. What we collect

We collect three categories of data:

(a) Account data. When you sign up, we store your email address and an authentication token (we do not store passwords — we use magic-link login). We also store the time of your last login and the IP address used to authenticate.

(b) Service configuration data. Through the Service, you tell us which Instagram competitor accounts and hashtags you want monitored, your business description, the destination email for newsletters, and your preferred delivery time. You also connect your own Instagram Business or Creator account through Meta's official OAuth flow; we receive an access token plus your basic profile information (Instagram username, account ID, and profile photo URL).

(c) Service operational data. When the Service runs, it queries Meta's public APIs (Business Discovery and Hashtag Search) using your connected Instagram account. The results consist of publicly published content from third-party accounts and hashtags that you have configured — namely captions, post URLs, engagement counts (likes, comments), and timestamps. These results are stored in our database, processed by our AI system, and summarized into the daily newsletter we send you.

We do not collect: payment card data (this is handled directly by Stripe, our payment processor — we only store a Stripe customer reference), special category data under Article 9 GDPR (health, religion, political opinions, etc.), or data from users below 18.

2. Legal basis for processing

We rely on the following legal bases under Articles 6 and 9 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)). To provide the Service you have subscribed to: storing your configuration, running monitoring, generating newsletters, and delivering them by email.
  • Legitimate interest (Art. 6(1)(f)). To secure the Service against fraud and abuse, to log access for accountability, and to maintain operational stability. You may object to this processing at legal@wakebrief.com.
  • Consent (Art. 6(1)(a)). Where you have given consent to connect your Instagram account through OAuth. You may withdraw this consent at any time by disconnecting the integration in the Service settings.
  • Legal obligation (Art. 6(1)(c)). To retain accounting records as required by Spanish law (typically six years).

3. Third-party data we observe

The Service queries publicly available Instagram content via Meta's official APIs (Business Discovery and Hashtag Search). The content we observe — posts published by competitor accounts you configure and posts tagged with hashtags you configure — is public content intentionally published by its authors to the public. We process aggregate metrics (trends, posting patterns, engagement) and short text excerpts for the purpose of producing your daily briefing. We do not contact, identify, profile, or attempt to track individual users beyond the public account data Meta provides through its official APIs.

We follow Meta Platform Terms and Instagram Platform Policy. If you believe content about you is being processed in violation of Meta's policies, you may contact us at legal@wakebrief.com and we will remove it from our processing within 30 days, without prejudice to your rights under Meta's own reporting channels.

4. Subprocessors

We rely on the following subprocessors to operate the Service:

  • Hetzner Online GmbH (Germany) — server hosting and storage.
  • Stripe Payments Europe, Ltd. (Ireland) — payment processing and subscription billing.
  • Resend, Inc. (United States, GDPR-aligned via SCCs) — transactional email delivery (your newsletter).
  • Anthropic PBC (United States, GDPR-aligned via SCCs) — large language model inference (Claude) used to generate the newsletter summary. We do not send your personal data; we send only the aggregate content gathered from Meta's public APIs and your business description, and we do not allow this data to be used for model training (zero-retention API mode).
  • Meta Platforms Ireland Limited (Ireland) — provider of the Instagram and Facebook APIs we query on your behalf with your authorization.
  • Cloudflare, Inc. (United States, GDPR-aligned via SCCs) — domain registrar, DNS, and traffic protection.

Where data is transferred outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses (SCCs).

5. How long we keep your data

  • Account data: while your account is active, plus 30 days after deletion to allow recovery, after which it is permanently deleted.
  • Service configuration data: same as account data.
  • Service operational data (observed posts and metrics): rolling window of 90 days, after which it is automatically purged. Generated newsletters are retained while the account is active so you can consult the archive.
  • Backups: all data may persist in encrypted backups for up to 30 additional days before being overwritten.
  • Accounting records: Spanish tax law requires us to keep invoices for six years.

6. Your rights

Under the GDPR and the Spanish LOPDGDD, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), subject to legal retention obligations.
  • Restrict processing in certain circumstances.
  • Portability of data you have provided to us, in a structured machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) or your local supervisory authority.

To exercise any of these rights, contact us at legal@wakebrief.com. We will respond within 30 days. See also our Data Deletion Instructions.

7. Security

We protect your data through encryption in transit (TLS) and at rest, scoped database access, infrastructure hardening, and tenant isolation (each customer's data is filtered at the database level so customers cannot access each other's information). Despite these measures, no system is perfectly secure; we will notify you and the AEPD within 72 hours of becoming aware of any personal data breach affecting your data.

8. Cookies and similar technologies

We use only essential cookies required to keep you signed in and to protect against fraud. We do not use advertising, profiling, or third-party tracking cookies. Stripe and Cloudflare may set their own essential cookies on their checkout and security pages.

9. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or in the law. Material changes will be notified to you by email at least 30 days before they take effect.

10. Contact

For any privacy-related question or to exercise your rights:

PIMAS I CAÑELLAS 2012 SLU CIF: B55150114 Email: legal@wakebrief.com

← Back to wakebrief.com