Effective date: 2026-06-21
Privacy Policy
SMM Control is operated by DO.Marketing OÜ, Estonia.1. Who we are
DO.Marketing OÜ is the data controller for account, billing, support, website, and product usage data in SMM Control. When customers use the service to create, store, approve, schedule, or publish social media content for their own audiences, we may also act as a processor for content and personal data that the customer chooses to upload or generate inside the workspace.
If you use the service on behalf of a company, that company is usually the controller for its own brand, audience, customer, employee, contractor, social account, and campaign data. In that case, we process those workspace records according to the company's instructions and the applicable data processing terms.
Privacy contact: privacy@smm.domarketing.ee.
2. Personal data we process
- Account data: name, email, avatar, Google/Supabase user ID, login/session data.
- Legal consent data: accepted document version, acceptance timestamp, and marketing email opt-in status.
- Workspace data: brand context, audience notes, services, drafts, captions, visuals, schedules, approvals, export URLs, and publish logs.
- Connected social account data: Instagram, Facebook, Threads, LinkedIn, Pinterest, TikTok, YouTube, X/Twitter, Reddit, Telegram, and other platform account identifiers, page/profile names, permissions, token expiry metadata, and encrypted access tokens where an integration is available and connected.
- AI inputs and outputs: prompts, brand context, generated plans, generated copy, and optional research context sent to configured AI providers.
- Technical/security data: IP address, browser data, request logs, device/session identifiers, error diagnostics, and abuse-prevention records.
- Billing/trial data: plan, subscription status, trial dates, billing email, payment processor identifiers, payment events, cancellation state, and anti-abuse signals for one-time trial enforcement.
- Support and legal correspondence: messages, attachments, request history, and related metadata.
3. Purposes and legal bases
- Provide the service, authenticate users, save workspaces, and publish content - contract performance.
- Secure the service, prevent abuse, debug incidents, and protect connected social accounts - legitimate interests.
- Comply with accounting, tax, platform, and legal obligations - legal obligation.
- Send important product, security, or account notices - contract performance or legitimate interests.
- Enforce plan limits, subscriptions, one-time trials, upgrades, cancellations, and unpaid access restrictions - contract performance and legitimate interests.
- Send marketing emails about features, offers, education, and product news - consent or another lawful basis where permitted.
- Use optional analytics or non-essential cookies only if enabled with consent.
4. AI and social platform processing
SMM Control sends only the data needed for the selected action to configured AI providers, such as brand context, topic, tone, draft text, and research context. Users must not submit sensitive personal data, special-category data, children's data, secrets, passwords, payment card data, or confidential third-party materials unless they have a lawful basis and written permission to do so.
When a user connects Instagram, Facebook, Threads, or any other supported platform, the service uses official platform APIs to store encrypted tokens, check connection status, upload media, schedule or publish approved content, cancel scheduled jobs, and disconnect integrations. Users do not receive direct access to OAuth tokens or app credentials because exposing them can create account security risks. Social platforms may process data under their own terms and privacy notices.
5. Recipients and subprocessors
Data may be processed by hosting providers in Estonia/EEA, Supabase for authentication, database, and storage, configured AI providers, Meta Platforms for Instagram, Facebook, and Threads publishing, LinkedIn for LinkedIn profile publishing, Google for OAuth, payment providers, email providers, and trusted service providers used for support, security, monitoring, and email. Where data is transferred outside the EEA, we rely on an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism where required.
6. Cookies and local storage
The app uses strictly necessary cookies and browser storage for authentication, session refresh, security, language/theme preferences, and draft continuity. At this stage, SMM Control does not require marketing cookies to operate. If analytics or marketing cookies are added, they must be loaded only after valid consent.
7. Email communications
Service emails about login, security, legal changes, billing, subscription status, integrations, failed publication, and account operation are necessary for the service and may be sent without a separate marketing opt-in. Marketing emails about features, offers, education, product news, or launches are sent only with consent or another lawful basis. You can unsubscribe from marketing emails at any time without affecting service emails.
8. Automated decisions
AI features help draft content and suggest wording, but SMM Control does not use solely automated decisions that produce legal or similarly significant effects. Users remain responsible for reviewing and approving drafts before publication.
9. Retention
- Workspace drafts and connected-account records are kept while the account or workspace is active.
- Encrypted social tokens are deleted when an account is disconnected, deleted, or no longer needed.
- Legal acceptance and marketing consent records may be retained while the account exists and as long as needed to prove compliance or handle disputes.
- Billing and trial records may be retained as required for tax, accounting, payment dispute, fraud prevention, and legal compliance purposes.
- Publish logs and security logs are kept as long as needed for troubleshooting, abuse prevention, legal claims, and platform compliance.
- Support and legal correspondence may be retained for up to 5 years unless a longer period is required by law.
10. Your rights
Under GDPR, you may request access, correction, deletion, restriction, portability, objection to processing based on legitimate interests, and withdrawal of consent where processing is based on consent. To exercise rights, contact privacy@smm.domarketing.ee. You may also lodge a complaint with Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate).
11. Data deletion
You can request deletion of account data, workspace data, and connected social account data by using the instructions on the Data Deletion page or by emailing privacy@smm.domarketing.ee. Some information may be retained where required for legal obligations, security, platform compliance, or legal claims.