Privacy Policy (GDPR Notice)

1. Controller and contact

You can contact us at the email address above for privacy questions, data-subject requests or questions about this notice. Unless we separately publish another privacy contact, this address is our privacy contact point.

Ciberdime GmbH has not currently published a separate Data Protection Officer contact. If a Data Protection Officer is appointed or a publication duty applies, we will update this notice with the relevant contact details. Until then, please use the contact details above for privacy requests.

2. Data we process

• Account and identity data: name, email address, profile picture, login provider, team membership, roles, permissions, account settings and authentication metadata.
• Connected social account data: account IDs, usernames, profile information, granted scopes, access tokens, connected pages or channels, content metadata, captions, thumbnails, post and video metrics, audience or demographic insights where made available by the platform, and media content that you authorize us to access from connected platforms such as TikTok, Instagram, YouTube, Twitch and Facebook.
• Campaign and workspace data: teams, creators, creator directory entries, invitations, campaign settings, deliverables, tracked media, reports, approvals, deletions, mention review decisions, comments and internal notes.
• Livestream and clipping data: Twitch stream metadata, tracked stream windows, detected campaign mentions, viewer context, transcripts, short clips, thumbnails, review status and AI evaluation outputs where livestream tracking or clipping is enabled.
• Link tracking data: short-link settings, custom domains, slugs, UTM values, click timestamps, referrers, user agent information, approximate location derived from request data, unique click counts and other technical analytics needed to report link performance.
• Website, log and device data: IP address, browser, device, operating system, referrer, requested pages, timestamps, security logs and usage events.
• Billing and support data: plan, team billing status, Paddle customer or transaction references, invoices, cancellation requests, refund requests and support messages.

3. Purposes and legal bases

• Contract performance (Art. 6(1)(b) GDPR): account creation, login, dashboard access, analytics, reporting, link tracking, billing support, customer support and AI-assisted campaign functions such as mention detection, transcription, clip evaluation and derived metadata where these functions are enabled as part of the requested service.
• Consent (Art. 6(1)(a) GDPR): optional analytics cookies, social account connections where a platform authorization or OAuth flow requires consent, and optional campaign sharing chosen by creators.
• Legitimate interests (Art. 6(1)(f) GDPR): security, abuse prevention, service diagnostics, product improvement, audit logs, fraud prevention and limited B2B communications such as contract-related service messages, product or security updates for business contacts and customer-success outreach. Marketing newsletters or comparable promotional email campaigns are sent only where a separate legal basis applies. You may object to processing based on legitimate interests.
• Legal obligations (Art. 6(1)(c) GDPR): tax, accounting, consumer law, compliance, law-enforcement requests and legally required retention.

4. Sharing and recipients

We do not sell personal data and do not use Google, YouTube, TikTok, Meta or Twitch data for advertising. We share data only as needed for the service:

• with brands, agencies or teams when a creator grants access or when a team member uses the workspace;
• with infrastructure, analytics, email, payment, storage, AI, transcription and support providers listed on our sub-processors page;
• with connected platform providers where required to authenticate, retrieve data, revoke tokens or comply with platform policies;
• with authorities, courts or advisers where legally required.

For B2B customers, including brands and agencies, our Data Processing Agreement is available for Art. 28 GDPR processor arrangements where Shinra Metrics processes campaign data on behalf of the customer.

5. Creator control and revocation

Creators can choose which accounts are shared with a team or campaign, review shared campaign media, remove unwanted posts and revoke access. Revocation stops future access for the relevant team or campaign. Platform authorizations can also be revoked directly in the relevant platform settings, including Google security settings for YouTube. You can also contact us by email at info@ciberdime.com for help with revocation or deletion requests.

Revocation generally stops future access and processing for the relevant team, campaign or connection. It may not remove data that a brand, agency or other third party has already downloaded, exported or copied outside Shinra Metrics. For those copies, you may need to contact the relevant organization directly.

6. Retention

We keep personal data only as long as needed for the purposes above. As a baseline, deleted accounts and disconnected social accounts are removed or anonymized within 30 days unless a longer period is legally required or needed for security, dispute resolution, billing or reporting integrity.

• OAuth tokens are revoked or deleted after disconnection.
• Billing, invoice and tax records may be retained for statutory German commercial and tax retention periods.
• Historical campaign reports, aggregated analytics and audit logs may be retained where required for business reporting, fraud prevention, legal claims or contractual accountability. Where feasible, we anonymize or aggregate this data.
• Website server logs and security logs are generally retained for up to 90 days, unless longer retention is needed for security incidents, abuse prevention or legal claims.
• Optional website analytics are retained in aggregated or pseudonymous form and are generally deleted or aggregated within 12 months. Aggregated trend data that no longer identifies a visitor may be kept longer for website performance comparisons.
• Link-click and campaign analytics remain available while the relevant team, campaign or report exists and are deleted or anonymized after deletion unless retention is required for billing, auditability, disputes or legal claims.
• Backup copies are overwritten on regular backup cycles and are not used for active processing.

7. International transfers

Some providers process data outside the EU/EEA. Where this happens, we use appropriate safeguards such as adequacy decisions, the EU-US Data Privacy Framework where applicable, Standard Contractual Clauses, UK transfer mechanisms and supplementary risk assessments where required. Details about recipients, countries and safeguards are listed on our sub-processors page.

8. Cookies and analytics

We use essential cookies and local storage for core website and platform functions. Accessing or storing information on your device is governed by the German Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG) where applicable. Optional analytics, including Vercel Analytics and the privacy-friendly statistics script served under /stats, load only after you choose “Accept all” in the cookie banner. Your choice is stored in local storage under shinra-metrics.cookieConsent.v1. You can change your choice from the footer cookie settings link.

9. Your rights under GDPR

You may request access, rectification, erasure, restriction, portability, objection to legitimate-interest processing and withdrawal of consent. You can exercise these rights by emailing info@ciberdime.com or by using the postal address in section 1. Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before the withdrawal. You also have the right to lodge a complaint with a supervisory authority. For Ciberdime GmbH in Schleswig-Holstein, the competent authority is generally the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), but you may also contact your local authority.

10. Automated decision-making and profiling

Shinra Metrics does not make decisions with legal or similarly significant effects solely by automated processing within the meaning of Art. 22 GDPR. AI-assisted features may help detect campaign mentions, generate transcripts, evaluate clips or derive metadata, but campaign teams can review relevant results and make their own inclusion, reporting and approval decisions.

11. Security

We use technical and organizational measures such as TLS encryption, access controls, least-privilege permissions, secure authentication, logging, backups, environment separation, token revocation and vendor controls. No internet service can guarantee absolute security, but we work to protect data proportionately to the risk.

12. Children

Shinra Metrics is intended for users who meet the applicable minimum digital-consent age (at least 16, or higher where local law requires). Users below that age may only use the service with the consent and supervision of a parent or legal guardian. We do not knowingly process personal data from minors in violation of these requirements. If you believe a minor has provided us with personal data without valid consent, please contact us at info@ciberdime.com and we will take appropriate deletion steps.

13. Changes

We may update this notice when our services, providers or legal obligations change. Material changes will be communicated through the website, platform or email where appropriate.