Privacy Policy — PS Company Social Publisher

1. Introduction and scope

This Privacy Policy describes how PS Company SRL, a company duly incorporated under Italian law with registered office in Italy (hereinafter also “Data Controller” or “PS Company”), processes the data collected and managed through the application PS Company Social Publisher(hereinafter the “App”), registered with Meta Platforms Inc. and used by PS Company SRL to programmatically publish editorial content from its clients’ content calendars onto Facebook and Instagram channels.

The App is an internal operational tool of PS Company SRL, used within the scope of social media management contracts entered into with the agency’s clients. The App has no public end users, offers no sign-up, login or account creation functions to parties outside PS Company SRL, displays no advertising, and does not distribute content generated by third-party users.

This document is drafted in compliance with EU Regulation 2016/679 (“GDPR”), Italian Legislative Decree 196/2003 as amended (“Italian Privacy Code”), the guidelines issued by the Italian Data Protection Authority (Garante per la protezione dei dati personali), and the technical and transparency requirements set forth by the Platform Terms and Developer Policies of Meta Platforms Inc.

2. Data Controller and contact details

The Data Controller is:

• Company name: PS Company SRL
• Website: www.pscompanysrl.com
• Email for privacy enquiries: info@pscompanysrl.com

All communications regarding the processing of personal data, the exercise of data subject rights, and requests for data deletion may be sent to the email address above, with the subject line “Privacy request — PS Company Social Publisher”. PS Company undertakes to respond to requests within 30 days of receipt, in accordance with Article 12 GDPR.

3. Description of the App and purposes of processing

PS Company Social Publisher is a server-to-server application designed to support the editorial management of social media for business clients of PS Company SRL. The main functions are:

• retrieval of the list of Facebook Pages and Instagram Business accounts authorized by clients;
• programmatic publication (immediate or scheduled) of posts, photographs, videos, reels and carousels on the clients’ Facebook Pages and Instagram Business accounts.

The purposes of the processing of data collected through the App are exclusively:

1. performance of the social media management contract in force between PS Company SRL and each client;
2. compliance with legal obligations connected to the documentary and accounting management of the services provided.

4. Categories of data processed

The App processes exclusively technical and content-related data, necessary for the operation of the service. No personal data of end users (followers, fans, persons viewing the posts) is collected through the App.

The App does not collect and does not store in its own archives: demographic profiles of followers, private users’ email addresses, telephone numbers, geolocation data of end users, profiling cookies, biometric data, data relating to special categories pursuant to Articles 9 and 10 GDPR.

5. Legal basis of processing

The legal bases on which the processing is founded are:

• Performance of a contract(Article 6(1)(b) GDPR) between PS Company SRL and its business clients, for the provision of social media management services;
• Client’s explicit consent(Article 6(1)(a) GDPR), expressed through the Meta OAuth authorization flow by the Page Administrator, who grants PS Company SRL the permissions required to operate on the Page;
• Legitimate interest(Article 6(1)(f) GDPR) of the Data Controller in the efficient and traceable management of the commissioned editorial activities, balanced with the absence of processing that affects the sphere of third parties not involved in the contractual relationship.

6. Methods and duration of retention

The data processed through the App is retained in the following manner and for the following periods:

• Access tokens: stored in encrypted form within protected environment configuration files ( .env ), accessible only to authorized personnel of PS Company SRL. Tokens are periodically renewed through official Meta endpoints (long-lived token refresh); old tokens are replaced by the new ones without being kept in historical archives. In case of revocation by the client, the token is immediately deleted.
• Editorial content and metadata: retained for the duration of the social media management contract with the client and for the following 24 months for operational archive purposes, unless the client provides different instructions.

Upon termination of the contractual relationship with the client, all data relating to that client is removed from PS Company SRL’s systems within 60 days, save for legal retention obligations.

7. Recipients and disclosure of data

The data processed through the App is accessible exclusively to PS Company SRL’s authorized personnel (administrators, account managers, social media specialists) within the scope of their assigned duties.

The data is not sold, traded, or made available to third parties for commercial or profiling purposes. The App communicates data exclusively to:

• Meta Platforms Inc. and its affiliates, through the official Facebook and Instagram Graph APIs, to enable the publication of content;
• Google Cloud Platform, for the temporary storage of media (images and videos) in transit toward Meta, on Google Cloud Storage servers located in the European region (europe-west1);
• Competent authorities, where required by a judicial order or by legal obligations.

8. Extra-EU data transfers

The use of Meta’s Graph APIs entails a transfer of data to servers managed by Meta Platforms Inc., based in the United States of America. Such transfer takes place on the basis of the Standard Contractual Clauses approved by the European Commission and Meta’s adherence to the EU-US Data Privacy Framework. For further details, please refer to Meta’s privacy policy: facebook.com/policy.php.

9. Data subject rights

In accordance with Articles 15 and following of the GDPR, every data subject to whom this Policy applies may exercise the following rights:

• Right of access(Article 15): obtain confirmation of the existence of processing and a copy of the data processed;
• Right to rectification(Article 16): request the correction of inaccurate data or the completion of incomplete data;
• Right to erasure(Article 17, “right to be forgotten”): request the deletion of data that is no longer necessary for the purposes for which it was collected;
• Right to restriction(Article 18): request the temporary suspension of processing;
• Right to data portability(Article 20): receive data in a structured, commonly used and machine-readable format;
• Right to object(Article 21): object at any time to processing based on legitimate interest;
• Right to withdraw consent(Article 7(3)): withdraw at any time the consent given, without affecting the lawfulness of processing based on consent before its withdrawal;
• Right to lodge a complaint(Article 77) with the Italian Data Protection Authority ( www.garanteprivacy.it ).

10. Data deletion and revocation of authorizations

Alternatively, it is always possible to directly revoke from your Facebook account the authorizations granted to the App, by accessing Settings → Business Tools and removing PS Company Social Publisher from the list of authorized apps. The revocation of authorizations immediately interrupts PS Company’s ability to operate on the Page; PS Company will nonetheless, upon request, also delete any data already acquired.

11. Security measures

PS Company SRL implements technical and organizational measures adequate to ensure a level of security appropriate to the risk, in compliance with Article 32 GDPR. In particular:

• access tokens are stored in encrypted environment files, excluded from versioning and public backups;
• cloud infrastructure (Google Cloud Storage) is protected with authentication via a least-privilege Service Account;
• access to systems is limited to authorized internal personnel and tracked through logs;
• media in transit on Google Cloud Storage is subject to a lifecycle policy that provides for automatic deletion after 60 days;
• all communications take place via HTTPS with TLS encryption.

12. Cookies and tracking technologies

The PS Company Social Publisher App is a server-to-server application and does not place cookies, nor any tracking technology, on end users’ devices. The present web page (privacy notice), published on PS Company SRL’s institutional website, may use technical cookies essential to the operation of the Duda site hosting it; for details on the cookie policy of the institutional website please refer to the dedicated notice published on www.pscompanysrl.com.

13. Children

The App is not directed at children under the age of 16. PS Company SRL does not knowingly collect personal data of minors under 16 through the App. Should a parent or legal guardian believe that data of a minor has been processed, they are invited to contact info@pscompanysrl.com immediately for removal.

14. Changes to this Privacy Policy

PS Company SRL reserves the right to update this Privacy Policy at any time, in order to reflect changes to the service, applicable law or Meta policies. The updated version will always be available at this address: www.pscompanysrl.com/social-publisher-privacy. The date of the last update is indicated at the top of the document. Please consult this page periodically.

15. Governing law and jurisdiction

This Privacy Policy is governed by Italian law and EU Regulation 2016/679 (GDPR). Any dispute concerning the interpretation or application of this Policy shall be subject to the exclusive jurisdiction of the Court of Modena (Italy)(Foro di Modena), without prejudice to different jurisdictions provided by mandatory provisions of law for the protection of the data subject.