Privacy Policy
Last updated: 1 April 2026
This Privacy Policy explains how Zanzero Investments Ltd (trading as SitePost) collects, uses, stores, and shares your personal data when you use our platform at sitepost.co. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we send electronic marketing, we also comply with the Privacy and Electronic Communications Regulations 2003 (PECR).
1. Who we are
Zanzero Investments Ltd is the data controller for personal data processed through SitePost. We are registered in England and Wales.
Zanzero Investments Ltd (trading as SitePost)
United Kingdom
Email: [email protected]
Website: sitepost.co
ICO Registration number: ZB123456
We do not currently have a mandatory requirement to appoint a Data Protection Officer (DPO). However, all data protection queries and rights requests should be directed to us at [email protected] with the subject line “Data Protection”.
2. What data we collect
We collect personal data that you provide directly, data generated by your use of the platform, and data we receive from third-party services you connect to SitePost.
2.1 Account and identity data
When you sign up, we collect your email address and a hashed password. We store your workspace name (tenant) and any profile information you choose to provide. Team members you invite will similarly provide their email address and set a password.
2.2 Social media account data
When you connect a social media account (Facebook, Instagram, or LinkedIn) via OAuth, we receive and store access tokens, your social media username or page name, profile identifiers, and the permissions you have granted us. We use these tokens to publish content and retrieve engagement analytics on your behalf. We do not store your social media password.
All access tokens are encrypted at rest in our database using AES-256-GCM authenticated encryption before storage. Tokens are decrypted only at the moment they are needed to make an API call on your behalf.
2.3 Media and photos
Contributors (team members you invite) upload photos and images from their mobile devices through the SitePost mobile app. Uploaded images are stored in secure cloud (S3-compatible) object storage. Images may contain embedded EXIF metadata including GPS location data (geotags). We store this metadata alongside the image file. You are responsible for ensuring that contributors are aware that their photos — including any location data — will be uploaded to and stored by SitePost.
2.4 Location data
As noted above, location data may be embedded in images uploaded by contributors. We do not independently collect your device location through the platform beyond what is contained in uploaded image metadata.
2.5 Usage and platform data
We collect data about how you use SitePost, including pages visited, actions taken (such as scheduling or approving posts), timestamps, IP address, browser type, and device information. This data is used for security, debugging, and improving the platform.
2.6 Social engagement analytics
We retrieve engagement data (likes, comments, shares, impressions, follower counts) from connected social media platforms via their APIs. This data relates to your business pages and content performance rather than individual personal data of your social media audience.
2.7 Growth Engine contact data
If you use the Growth Engine feature, you may upload or import contact information (such as business names, email addresses, and other professional details) for the purpose of sending automated outreach emails. This data is processed by us on your behalf, and you are responsible as the data controller for that contact data and for ensuring you have a lawful basis to contact those individuals.
2.8 Cookies and similar technologies
We use cookies to manage authentication sessions and to support platform functionality. See our Cookies Policy for full details.
3. Why we collect it and our lawful bases
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
3.1 Performance of a contract
The majority of our processing is necessary to perform the contract we have with you as a SitePost subscriber. This includes creating and managing your account, connecting to social media platforms, storing and publishing your media, generating AI captions, and operating the scheduling and autopilot features. If you do not provide the data necessary for these purposes, we cannot provide the service.
3.2 Legitimate interests
We process usage data, technical logs, and security data on the basis of our legitimate interests in operating a secure, stable, and improving platform. We also have a legitimate interest in communicating with you about service updates, product changes, and relevant feature announcements. In each case, we have balanced our interests against your rights and are satisfied that our interests are not overridden.
3.3 Consent
Where we send marketing emails or use non-essential cookies, we will ask for your consent first. You may withdraw your consent at any time by contacting us or using the unsubscribe link in any marketing email.
3.4 Legal obligation
In some circumstances we may be required to process your personal data to comply with a legal obligation, such as responding to a lawful request from a regulatory authority or law enforcement body.
4. How we use artificial intelligence
SitePost uses OpenAI's API to generate social media captions and other content for you. When you request a caption or trigger the autopilot feature, we send relevant data — including your brand voice settings, post context, and optionally image descriptions — to OpenAI's servers for processing.
OpenAI is a third-party provider based in the United States. By using the AI caption generation feature, you consent to this data being sent to OpenAI for processing. OpenAI processes this data under their own privacy policy and data processing terms, which we have reviewed and consider appropriate. We do not send directly identifying personal data (such as your name or email address) to OpenAI; we send only the content context necessary to generate captions.
We use OpenAI's API in a manner that does not permit OpenAI to use your data to train its models, consistent with the API usage terms applicable to our subscription tier at the time of this policy.
SitePost does not make any solely automated decisions about you that produce legal or similarly significant effects.
5. Social media data and OAuth
When you connect a social media account to SitePost via OAuth (currently Facebook, Instagram, and LinkedIn), you grant us specific permissions to act on your behalf. We access only the permissions necessary to operate the service, which include:
- Reading your page or profile information (name, ID, profile image)
- Publishing posts and media to your pages or profiles
- Reading engagement analytics (likes, comments, shares, reach) on posts we have published
- Reading the list of pages and accounts you manage
We do not access your private messages, your personal social media contacts list, or any data beyond what is required for the features described in this policy.
We post content to social media platforms only at your direction, either through explicit scheduling or through the autopilot settings you configure. You can disconnect any social media account at any time through your SitePost dashboard settings, at which point we will revoke our stored tokens for that account.
Social media platforms (Meta, LinkedIn) are independent data controllers for the data they hold about you on their platforms. Their own privacy policies govern how they process data relating to your accounts and audience.
Meta data deletion. If you remove SitePost from your Facebook or Instagram account settings, Meta will notify us via a signed callback. We will purge all stored access tokens and Meta-derived identifiers for your account within 48 hours of receiving the request. You can also request deletion directly — see our Data Deletion Instructions for full details.
6. Who we share your data with
We do not sell your personal data. We share your data only with the sub-processors and third parties necessary to operate SitePost:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud Hosting Provider | Platform infrastructure, database hosting, and S3-compatible media storage | EEA / UK |
| OpenAI | AI-generated caption and content creation | United States |
| Email Delivery Provider | Transactional emails (account verification, password reset) and Growth Engine outreach delivery | EEA / US |
| Meta Platforms (Facebook / Instagram) | Publishing posts and retrieving analytics via OAuth API | United States |
| LinkedIn Corporation | Publishing posts and retrieving analytics via OAuth API | United States |
We may also disclose your personal data if we are required to do so by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of Zanzero Investments Ltd, our users, or others.
If we sell or transfer all or part of our business, your personal data may be transferred to the acquiring entity. We would notify you before your data is transferred and becomes subject to a different privacy policy.
7. International transfers
Some of our sub-processors are located outside the UK, including in the United States. Under UK GDPR, transfers of personal data to countries that are not subject to a UK adequacy decision must be protected by appropriate safeguards.
For transfers to the United States (including to OpenAI, Meta, and LinkedIn), we rely on the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as adopted under UK law, where applicable, or on the published data processing terms of those providers which incorporate equivalent protections. The UK has not adopted a formal adequacy decision for the United States, but the safeguards above ensure an equivalent level of protection for your data.
You can obtain a copy of the specific transfer mechanism used for any given sub-processor by contacting us at [email protected].
8. How long we keep your data
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data type | Retention period |
|---|---|
| Account and identity data | For the duration of your account, plus 90 days after account deletion to allow for recovery, then permanently deleted. |
| Social media tokens and connections | Until you disconnect the account or your account is deleted. |
| Media and uploaded photos | Until you delete the media from your gallery, or your account is deleted. |
| Published post records and captions | For the duration of your account. |
| Engagement analytics | For the duration of your account. |
| Platform usage logs | Up to 12 months from creation, then deleted or anonymised. |
| Growth Engine contact data | Until you delete the contacts or your account is deleted. |
| Billing records | 7 years from the end of the relevant accounting period, as required by UK law. |
When we delete your data, we securely erase it from our systems and instruct our sub-processors to do the same, where technically practicable.
9. Your rights under UK GDPR
Under UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at [email protected] with the subject line “Data Rights Request”. We will respond within one calendar month of receiving a valid request.
Right of access
You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will provide this in a commonly used electronic format.
Right to rectification
If your personal data is inaccurate or incomplete, you have the right to ask us to correct it. You can update many details directly from your account settings.
Right to erasure (‘right to be forgotten’)
In certain circumstances, you have the right to ask us to delete your personal data. This right applies where the data is no longer necessary for the purpose for which it was collected, you withdraw consent (where consent was the lawful basis), or you object and we have no overriding legitimate interest. For Meta (Facebook/Instagram) data specifically, see our Data Deletion Instructions at sitepost.co/data-deletion.
Right to data portability
Where we process your data on the basis of contract or consent, and by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to object
You have the right to object to processing based on legitimate interests or for direct marketing. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to restriction of processing
You have the right to ask us to restrict processing of your data in certain circumstances, for example while a rectification or objection request is being assessed.
Right to withdraw consent
Where we process your data on the basis of your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection.
ICO contact details
Information Commissioner's Office · Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF · Helpline: 0303 123 1113 · ico.org.uk/make-a-complaint
10. Cookies
We use cookies and similar technologies to operate SitePost. Our authentication system uses encrypted session cookies (via iron-session) to keep you securely logged in. These are strictly necessary for the service to function and do not require your consent under PECR.
We may use additional cookies for analytics or platform improvement. Where we do so, we will obtain your consent before setting non-essential cookies.
For full details of which cookies we use, their purpose, and how to control them, please read our Cookie Policy.
11. Children
SitePost is a business-to-business platform designed for use by adults operating or working within a business. Our service is not directed at or intended for use by individuals under the age of 18.
We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data without appropriate authorisation, please contact us immediately at [email protected] and we will take steps to delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or the features of SitePost. When we make material changes, we will notify you by email (to the address associated with your account) and by posting an updated version on this page with a revised “Last updated” date.
Your continued use of SitePost following notification of changes will constitute your acknowledgement of the updated policy. If you do not agree with the revised policy, you should stop using SitePost and may request deletion of your account.
13. How to contact us
If you have any questions about this Privacy Policy, wish to exercise a data subject right, or have a concern about how we handle your personal data, please contact us:
We aim to acknowledge all data rights requests within 5 business days and to provide a substantive response within one calendar month. If your request is complex or you have made a number of requests, we may extend this period by a further two months, in which case we will inform you and explain the reason for the delay.