Last updated: April 29, 2026
1. Data Controller
companycore ai UG (haftungsbeschränkt)
Sömmeringstraße 69, 50823 Cologne, Germany
Email: jan@companycore.ai
Represented by: Jan Bennefeld
2. Hosting & Infrastructure
Our systems consist of three separate areas, all hosted at IONOS (Germany):
- companycore.ai – static website
- app.companycore.ai – web app for registered users
- api.companycore.ai – API backend
In addition, we use:
- Supabase (EU-central-1, Frankfurt) – Storage of user data, posts, chats, and calendar data
- Google Vertex AI (Gemini) – Generation of text suggestions and analysis of reference images based on content provided by the user
- Black Forest Labs (FLUX.2) – Image generation for social media posts (servers in the EU, processed in accordance with Art. 28 GDPR)
- Anthropic Claude API – AI-powered graphic design creation (HTML/CSS rendering for social media images) and image descriptions
- xAI Grok API – Generation of daily personalized topic suggestions – anonymized
- LinkedIn API – OAuth authentication and post publishing
- Meta Graph API (Facebook & Instagram) – OAuth authentication and publishing of posts to Facebook Pages and Instagram business accounts
- Stripe (planned) – Payment processing for subscriptions
3. "3-Day Free Trial" Contact Form
We offer a form on our website through which you can request a non-binding 3-day trial access.
a) Data Processed
When you submit the form, we process the following information:
- Name
- Business email address
- Company
- Role / position
- Optional: free-text answer to "What do you want to achieve?"
- Confirmation of your consent to this privacy policy
In addition, our hosting provider IONOS processes technical connection data (e.g. IP address, timestamp, user agent) by default, as required for proper operation and abuse prevention.
b) Purpose and Legal Basis
The data is used exclusively to respond to your request and to set up a trial access together with you. The legal basis is Art. 6 (1) lit. b GDPR (steps prior to entering into a contract upon request of the data subject) and Art. 6 (1) lit. a GDPR (consent) for any voluntary additional information.
c) Transmission and Storage
Form data is processed by a server-side endpoint on our IONOS server (Germany) and forwarded by email to jan@companycore.ai. The data is not persistently stored in a database in connection with the form; it remains in our mailbox until the request has been concluded.
The data is not shared with third parties. The email is sent exclusively via German IONOS mail servers.
d) Spam Protection
The form includes a hidden honeypot field to protect against automated bot submissions. This field is processed solely for bot detection purposes and is not used for any other processing.
e) Retention and Revocation
You may object to the processing or withdraw your consent at any time by sending a short message to jan@companycore.ai. We delete your request no later than 6 months after the conversation has been concluded, provided that no statutory retention obligations apply.
4. Processing of Personal Data in the Web App
a) Account & Registration
Registration and login to our web app are handled by Supabase Auth, hosted in the EU region (eu-central-1, Frankfurt). The following data is processed:
- Email address
- A system-generated user identifier (UUID)
Passwords are handled exclusively by Supabase and stored securely hashed. We never have access to passwords and do not store them in our systems.
Supabase additionally stores technical metadata such as:
- Time of registration
- Time of last login
- Email verification status
This data is required to enable access to the web app (legal basis: Art. 6 (1) lit. b GDPR).
b) Calendar & Social Media Posts
Users can manually create, edit, and schedule posts for LinkedIn, Facebook, and Instagram in the app. A post is never published automatically. The user must:
- review the text
- select the target platform(s)
- choose date and time
- manually click "Schedule"
c) AI Features
We use multiple AI services, each receiving only inputs provided by the user:
Google Vertex AI (Gemini) – Text generation, reference image analysis, and brand identity analysis. The AI receives, for example:
- Company name and website
- Post goals, language, style, tone
- Desired text length
- Inputs from chat dialogs
Black Forest Labs (FLUX.2) – Image generation for social media posts. The AI receives only text prompts and optional user-uploaded reference images. Processing occurs on EU servers. Inputs are not used to train the models.
Anthropic Claude API – Creation of graphic designs (HTML/CSS templates for social media images) and image description support. The AI receives only design parameters such as colors, fonts, and layout specifications from the user-provided brand identity.
xAI Grok API – Generation of daily personalized topic suggestions. The AI receives only anonymized industry information.
We never send social media tokens, user profiles, or private messages to external AI services.
d) International Data Transfers
Anthropic Claude and xAI Grok are hosted in the United States. Transfers to a third country are carried out on the basis of the EU Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR. We transfer only user-provided content (design parameters, anonymized industry information) – never personal data from Meta or LinkedIn integrations, tokens, email addresses, or other identifying information.
Google Vertex AI (Gemini) is operated in the EU region europe-west4. No transfer to third countries occurs in this processing.
Black Forest Labs (FLUX.2) processes data exclusively on EU servers (api.eu.bfl.ai). No third-country transfer occurs.
5. LinkedIn Integration
Our app allows users to connect LinkedIn accounts in order to automatically publish content that has been manually reviewed and scheduled.
a) Data Processed
Via LinkedIn OAuth, we receive:
- LinkedIn User ID (URN)
- Name of the LinkedIn user
- Access token
- Refresh token
- Information about managed company pages
We do not read contacts, profiles, messages, followers, or analytics.
b) Permissions Used
- r_basicprofile – Retrieval of LinkedIn user identity (name, profile URN). The name is displayed exclusively in the app UI so that the user can identify which LinkedIn account they are connected to.
- w_member_social – Publishing posts on behalf of the user
- w_organization_social – Publishing posts on behalf of a company page
- rw_organization_admin – Verifying administrator rights on company pages
- r_organization_social – Reading organization posts and engagement data
c) Token Storage and Retention
Tokens are stored in our Supabase database encrypted with AES-256-GCM. They are used exclusively to publish posts that the user has previously reviewed and scheduled themselves.
Retention period: Tokens are stored for as long as the connection is active. Upon disconnection or deletion of the user account, all tokens are deleted immediately and completely.
d) Revocation
Users can disconnect their LinkedIn account at any time:
- via "Disconnect LinkedIn" in the app
- or by email to jan@companycore.ai
All stored LinkedIn tokens are immediately and completely removed from our system upon disconnection.
6. Meta Integration (Facebook & Instagram)
Our app allows users to connect Facebook and Instagram accounts in order to automatically publish content that has been manually reviewed and scheduled. The integration uses the official OAuth flows of the Meta Graph API.
a) Data We Receive via the Meta APIs
When connecting via Facebook Login we receive:
- Facebook User ID
- Name of the Facebook user
- List of Facebook Pages managed by the user (Page IDs, page names, Page Access Tokens)
- Linked Instagram Business Account (if any): Instagram Business ID, username
When connecting via Instagram Login we receive:
- Instagram Business ID
- Username of the Instagram Business Account
- Access token
- Refresh token (Long-Lived Token, valid for ~60 days)
We do not read contacts, third-party profiles, messages, follower lists, third-party comments, or analytics data.
b) Permissions Used
Facebook Login:
- public_profile – Basic user identification (name, ID)
- pages_show_list – Display of Facebook Pages managed by the user for selection in the UI
- pages_manage_posts – Publishing posts on a managed Facebook Page
- pages_read_engagement – Reading public engagement data (likes, comments) on the managed page's own posts
- business_management – Technically bundled as required by Meta in the use case; not used independently by us
- instagram_basic – Identification of linked Instagram Business Accounts
- instagram_content_publish – Publishing posts to Instagram via Facebook Page linkage
Instagram Login (direct):
- instagram_business_basic – Identification of the Instagram Business Account (ID, username)
- instagram_business_content_publish – Publishing posts to the Instagram Business Account
- business_management – Technically bundled as required by Meta in the use case; not used independently by us
c) Storage, Encryption and Retention
All Meta tokens are stored in our Supabase database (EU-central-1, Frankfurt), encrypted with AES-256-GCM. They are used exclusively to publish posts that the user has actively reviewed, approved, and scheduled on the selected platforms.
Retention period: Tokens are stored for as long as the connection is active. Upon disconnection, an automated deletion request from Meta, or deletion of the user account, all tokens are deleted immediately and completely.
d) No Automatic Publishing
As with LinkedIn, the same applies to Facebook and Instagram: no post is ever published without explicit manual scheduling by the user. The AI provides suggestions; actual publishing only occurs for posts that the user has reviewed and deliberately scheduled with date and time.
e) Revocation & Data Deletion
Users can revoke the Meta connection at any time:
- via "Disconnect Instagram" or "Disconnect Facebook" in our app
- directly in the Facebook or Instagram account settings ("Business Integrations" / "Apps and Websites" → remove "companycore")
- or by email to jan@companycore.ai
Meta automatically notifies us of a deletion request as soon as a user removes the app on the Meta side. Our systems process this request via a cryptographically signed endpoint (/meta/data-deletion) and immediately and completely delete:
- all access and refresh tokens of the affected account
- stored Facebook Page IDs and Instagram Business Account references
- the default publishing targets set in the app
After deletion, the user receives a publicly accessible status URL with a confirmation code, under which the status of the deletion request can be verified at any time.
7. Data Sharing
We only share personal data if:
- you have consented (Art. 6 (1) lit. a GDPR)
- it is necessary for the performance of a contract (Art. 6 (1) lit. b)
- we are legally required to do so (Art. 6 (1) lit. c)
We never sell data and do not pass any information to uninvolved third parties.
8. Data Protection Rights
Under the GDPR you have the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR)
Contact: jan@companycore.ai
Right to lodge a complaint with a supervisory authority: Without prejudice to any other remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular the authority responsible for your place of residence or work (Art. 77 GDPR). The competent authority for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.
9. Changes
We reserve the right to adapt this privacy policy as needed.