Last updated: June 19, 2026
companycore ai UG (haftungsbeschränkt)
Sömmeringstraße 69, 50823 Cologne, Germany
Email: jan@companycore.ai
Represented by: Jan Bennefeld
Our systems consist of three separate areas, all hosted at IONOS (Germany):
In addition, we use:
Where these service providers process personal data on our behalf, data processing agreements pursuant to Art. 28 GDPR are concluded with them. These are intended to ensure that the data is processed only in accordance with our instructions and in compliance with statutory data protection requirements.
We offer a form on our website through which you can request a non-binding 3-day trial access.
When you submit the form, we process the following information:
In addition, our hosting provider IONOS processes technical connection data (e.g. IP address, timestamp, user agent) by default, as required for proper operation and abuse prevention.
The data is used exclusively to respond to your request and to set up a trial access together with you. The legal basis is Art. 6 (1) lit. b GDPR (steps prior to entering into a contract upon request of the data subject) and Art. 6 (1) lit. a GDPR (consent) for any voluntary additional information.
Form data is processed by a server-side endpoint on our IONOS server (Germany) and forwarded by email to jan@companycore.ai. The data is not persistently stored in a database in connection with the form; it remains in our mailbox until the request has been concluded.
The data is not shared with third parties. The email is sent exclusively via German IONOS mail servers.
The form includes a hidden honeypot field to protect against automated bot submissions. This field is processed solely for bot detection purposes and is not used for any other processing.
You may object to the processing or withdraw your consent at any time by sending a short message to jan@companycore.ai. We delete your request no later than 6 months after the conversation has been concluded, provided that no statutory retention obligations apply.
Registration and login to our web app is handled by Supabase Auth, hosted in the EU region (eu-central-1, Frankfurt). The following data is processed:
Passwords are handled exclusively by Supabase and stored securely hashed. We never have access to passwords and do not store them in our systems.
Supabase additionally stores technical metadata such as:
This data is required to enable access to the web app (legal basis: Art. 6 (1) lit. b GDPR).
Users can manually create, edit, and schedule posts for LinkedIn, Facebook, and Instagram in the app. A post is never published automatically. The user must:
We use multiple AI services, each receiving only inputs provided by the user:
Anthropic Claude (Sonnet & Opus) – Text generation, brand identity analysis, creation of graphic designs (HTML/CSS templates for social media images), and image descriptions. The AI receives, for example:
fal.ai (Nano Banana Pro) – Image generation for social media posts. The AI receives only text prompts and optional user-uploaded reference images. To the best of our knowledge and in line with the provider's terms, these inputs are not used to train the models.
xAI Grok – Fetching current topics from X (Twitter) for personalized topic suggestions. The AI receives only anonymized industry information; no identifying customer data is transmitted.
We never send social media tokens, user profiles, or private messages to external AI services.
Anthropic Claude, fal.ai, and xAI Grok are hosted in the United States. Transfers to a third country are carried out on the basis of the EU Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR. We transfer only user-provided content (text inputs, design parameters, image prompts, optional reference images, and anonymized industry information) – never personal data from Meta or LinkedIn integrations, tokens, email addresses, or other identifying information.
Our app allows users to connect LinkedIn accounts in order to automatically publish content that has been manually reviewed and scheduled.
Via LinkedIn OAuth, we receive:
We do not read contacts, profiles, messages, followers, or analytics.
Tokens are stored in our Supabase database encrypted with AES-256-GCM. They are used exclusively to publish posts that the user has previously reviewed and scheduled themselves.
Retention period: Tokens are stored for as long as the connection is active. Upon disconnection or deletion of the user account, all tokens are deleted immediately and completely.
Users can disconnect their LinkedIn account at any time:
All stored LinkedIn tokens are immediately and completely removed from our system upon disconnection.
Our app allows users to connect Facebook and Instagram accounts in order to automatically publish content that has been manually reviewed and scheduled. The integration uses the official OAuth flows of the Meta Graph API.
When connecting via Facebook Login we receive:
When connecting via Instagram Login we receive:
We do not read contacts, third-party profiles, messages, follower lists, third-party comments, or analytics data.
Facebook Login:
Instagram Login (direct):
All Meta tokens are stored in our Supabase database (EU-central-1, Frankfurt), encrypted with AES-256-GCM. They are used exclusively to publish posts that the user has actively reviewed, approved, and scheduled on the selected platforms.
Retention period: Tokens are stored for as long as the connection is active. Upon disconnection, an automated deletion request from Meta, or deletion of the user account, all tokens are deleted immediately and completely.
As with LinkedIn, the same applies to Facebook and Instagram: no post is ever published without explicit manual scheduling by the user. The AI provides suggestions; actual publishing only occurs for posts that the user has reviewed and deliberately scheduled with date and time.
Users can revoke the Meta connection at any time:
Meta automatically notifies us of a deletion request as soon as a user removes the app
on the Meta side. Our systems process this request via a cryptographically signed endpoint
(/meta/data-deletion) and immediately and completely delete:
After deletion, the user receives a publicly accessible status URL with a confirmation code, under which the status of the deletion request can be verified at any time.
We only share personal data if:
We never sell data and do not pass any information to uninvolved third parties.
Under the GDPR you have the following rights:
Contact: jan@companycore.ai
Right to lodge a complaint with a supervisory authority: Without prejudice to any other remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular the authority responsible for your place of residence or work (Art. 77 GDPR). The competent authority for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.
We reserve the right to adapt this privacy policy as needed.