Privacy policy
Last updated: April 24, 2026
This Privacy Policy describes how Sofia ("we", "us") processes personal data when you use the Sofia platform, including https://www.sofia-post.com, the Sofia web application and the Sofia mobile application for iOS and Android (together, the "Service").
Sofia is a SaaS platform that helps small and medium businesses create, plan, publish and measure content on connected social networks (including Instagram Business accounts, Facebook Pages, X, LinkedIn, TikTok and Snapchat), assisted by artificial intelligence.
1. Who we are
- Data controller: Badji Digital Services, operator of Sofia — full corporate details in the Legal notice.
- Contact: [email protected]
- Business category: Utility & productivity — multi-channel social media management for small and medium businesses
2. Scope
This Privacy Policy applies to all users of the Service, including visitors of the website, users who create a Sofia account, and users who connect third-party social network accounts (including Meta / Instagram / Facebook accounts) to their Sofia workspace.
3. Personal data we collect
3.1 Data you provide
| Category | Examples | Why |
|---|---|---|
| Account data | Email, name, password (Argon2id hash), language | Create and secure your account |
| Brand data | Company name, industry, brand identity (logo, tone, colors) | Personalise AI generation and analytics |
| Content data | Posts, images, videos, captions, hashtags, drafts, calendar | Produce and schedule publications |
| Billing data | Billing address, VAT, payment method (handled by processor) | Manage subscriptions and invoicing |
| Support data | Messages sent to support | Answer your requests |
3.2 Data collected when you connect a Meta account
When you connect a Meta account through the official Facebook Login for Business flow, we request the following permissions and, with your explicit consent, access and store the corresponding data:
| Meta permission | Data accessed | Purpose |
|---|---|---|
| instagram_business_basic | Instagram Business account ID, username, display name, profile picture, follower count | Display the connected account in Sofia's "Connected accounts" panel |
| instagram_business_content_publish | Write-only access to publish media you created in Sofia | Publish a photo, carousel, video or Reel when you click Publish or at a scheduled time |
| instagram_business_manage_insights | Per-media metrics (impressions, reach, likes, comments, saves, plays, engagement) | Display analytics of your own media in the Performance dashboard |
| pages_show_list pages_manage_posts pages_read_engagement | Connected Facebook Pages, posts and engagement | Cross-publish and analyse Page performance |
We do not access your Instagram Direct inbox, private follower lists, or any content that is not owned by you. We store a short-lived access token and a refresh token encrypted at rest, used only to call Meta Graph API on your behalf for actions you explicitly requested.
3.3 Data collected automatically
- Device & technical: IP, user-agent, OS, device model, crash logs (security and reliability).
- Usage: pages viewed, features used, events (post created, scheduled, published), session duration (service improvement).
- Cookies & local storage: authentication, language, consent — see our Cookie Policy.
3.4 Data we do NOT collect
- Your Instagram or Facebook password (handled by Meta).
- Your private Instagram Direct messages.
- Data about people who follow you, beyond public engagement metrics.
- Special categories of personal data (health, religion, etc.) — please do not upload such content.
4. How we use personal data
- Providing the Service — account, AI content, publishing, analytics.
- Connecting third-party accounts — OAuth flows, token refresh.
- Publishing on your behalf — calling Meta Graph API only on your trigger or scheduled action.
- Analytics and insights — fetching metrics from social platforms for your dashboards.
- Security — abuse detection, rate limiting, incident investigation.
- Support, billing, legal compliance.
- Service improvement — aggregated, non-identifiable usage analytics.
We do not use content from your connected Meta accounts to train any public AI model. AI sub-processors are contractually prohibited from training their own foundation models on your prompts (see section 6).
5. Legal bases (GDPR)
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Provide the Service, OAuth, publications | Performance of a contract |
| Analytics & insights you configured | Performance of a contract |
| Security, fraud prevention | Legitimate interest |
| Aggregated product analytics | Legitimate interest (you can opt out) |
| Marketing emails | Consent (opt-in) |
| Billing, accounting | Legal obligation |
| Non-essential cookies | Consent |
6. Recipients & sub-processors
We share personal data only with service providers acting as processors on our behalf, under a data processing agreement (DPA). Current sub-processors:
| Sub-processor | Role | Location |
|---|---|---|
| Railway (Railway Corp.) | Application hosting (backend & frontend) | United States (SCCs) |
| Cloudflare Inc. | CDN & R2 object storage (media) | EU / global network |
| Resend Inc. | Transactional email | United States (SCCs) |
| OpenAI LLC | Generative AI features (zero data retention enabled) | United States (SCCs) |
| Meta Platforms Ireland Ltd | Receives publications you explicitly send to Instagram / Facebook | Ireland |
| Google Ireland Ltd | Internal email (Workspace) | Ireland |
Updates to this list are published on this page and notified to existing customers by email at least 30 days before onboarding a new sub-processor that materially changes data flows. We do not sell personal data.
7. International transfers
Where personal data is transferred outside the European Economic Area, we rely on the European Commission Standard Contractual Clauses (SCCs) and supplementary measures (encryption at rest and in transit, access controls).
8. Retention
| Data | Retention |
|---|---|
| Account & profile | Until you delete your account + 30-day grace period |
| OAuth tokens (Meta, etc.) | Until you disconnect or your Sofia account is deleted |
| Published content metadata | Until you delete it, or 90 days after account deletion |
| Drafts & scheduled content | Until published or deleted |
| Aggregated insights | Up to 24 months |
| Billing records | 10 years (French accounting law) |
| Logs & security events | 13 months maximum |
| Support conversations | 3 years |
9. Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten");
- Restrict processing;
- Portability — receive your data in a machine-readable format;
- Object to processing based on legitimate interest;
- Withdraw consent at any time without affecting the lawfulness of past processing;
- Lodge a complaint with a supervisory authority (in France: CNIL — cnil.fr).
How to exercise your rights
- Most settings (disconnect Meta, export, delete) are self-service in Sofia → Settings → Privacy.
- For any other request, email [email protected] from your account email address. We respond within 30 days.
- To trigger account deletion, follow Data deletion instructions.
10. Meta / Instagram specific rights
If you revoke Sofia's permissions directly from Facebook (Settings → Business Integrations → Sofia → Remove), Sofia will:
- Receive a Deauthorize callback from Meta;
- Invalidate and delete the corresponding OAuth tokens;
- Stop any scheduled publication targeting that account;
- Within 30 days, delete cached Meta-origin data (basic profile, insights) for that connection.
You can perform the same action from Sofia → Settings → Connected accounts → Disconnect Instagram.
11. Security
- TLS 1.2+ for all traffic in transit.
- Encryption at rest for databases, object storage and OAuth tokens.
- Passwords hashed with Argon2id; short-lived JWTs with rotating refresh tokens.
- Principle of least privilege for employee access; regular vulnerability scans.
- Incident response with 72-hour breach notification when required.
12. Children
Sofia is a B2B product. The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
13. Automated decision-making
Sofia uses AI to generate text and suggestions. All suggestions are reviewed by you before publication; Sofia does not make automated decisions that produce legal or similarly significant effects on you.
15. Changes to this policy
We may update this Privacy Policy. Material changes will be notified by email to active users and by an in-app banner. The "Last updated" date at the top of this page reflects the most recent version.
16. Contact
Sofia — [email protected] — corporate details in the Legal notice.