GDPR Information

Your rights under the General Data Protection Regulation

Document Status

Last Updated: November 10, 2025

Current Version

1. Introduction

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It strengthens and unifies data protection for individuals within the European Union (EU) and the European Economic Area (EEA).

At Zapic, we are committed to protecting your personal data and respecting your privacy rights under GDPR. This document outlines your rights and how we comply with GDPR requirements when processing your personal data.

This page is specifically designed for EU/EEA residents and complements our Privacy Policy with additional GDPR-specific information.

2. Data Controller Information

For the purposes of GDPR, Zapic acts as the data controller for the personal data we collect and process through our social media automation platform.

Data Controller Details:

  • Entity: Zapic (services provided by self-employed professionals established in Spain)
  • Contact email: contact@zapic.ai

Zapic acts as the data controller within the scope of the provision of its digital services. If you have any questions about how we process your personal data or wish to exercise your GDPR rights, please contact us using the information provided above.

2.1. Joint Controllers and Processors

When integrating with third-party social media platforms (currently LinkedIn, TikTok, Twitter (X), and Pinterest, with Instagram, Facebook, Threads, and YouTube coming soon), Zapic may act as a joint controller together with the respective platform for specific data processing activities related to audience insights and advertising features.

For all other processing activities, Zapic acts as the sole data controller, and third-party service providers operate as data processors strictly under our instructions in compliance with Article 28 GDPR.

2.2. EU Representative

Zapic operates from Spain through self-employed professionals, so no additional EU representative is required under Article 27 of the GDPR.

4. Your GDPR Rights

Under GDPR, you have several rights regarding your personal data. Exercising these rights is free of charge, and we will respond to valid requests within one month.

4.1. Right of Access (Article 15)

You have the right to:

  • Know what personal data we hold about you
  • Receive a copy of your personal data
  • Learn how we use and share your data
  • Understand the source of your data

4.2. Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Update outdated information

4.3. Right to Erasure (Article 17)

You have the right to request deletion of your data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent for consent-based processing
  • You object to processing based on legitimate interests
  • The data has been unlawfully processed

4.4. Right to Restrict Processing (Article 18)

You can request to limit how we use your data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you oppose deletion
  • You need the data for legal claims
  • You have objected to processing pending verification

4.5. Right to Data Portability (Article 20)

You have the right to:

  • Receive your data in a machine-readable format
  • Transfer your data to another service provider
  • Request direct transfer where technically feasible

4.6. Right to Object (Article 21)

You can object to processing based on:

  • Legitimate interests (unless we have compelling grounds)
  • Direct marketing (we will stop immediately)
  • Scientific or historical research purposes

4.7. Rights Related to Automated Decision-Making (Article 22)

Some features of Zapic involve automated processing and profiling using AI models to analyze activity and optimize performance. Whenever automated features are used, you have the right to:

  • Obtain meaningful information about the logic involved
  • Request human review of any automated action
  • Express your point of view and contest a decision
  • Disable certain automation features at any time

AI-generated recommendations and automation will never be applied without your control or consent.

4.8. Right to Withdraw Consent (Article 7)

Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

You may withdraw your consent directly through your account settings or by contacting us at contact@zapic.ai.

5. Data Retention Periods

We retain personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

5.1. Account Data

  • Active accounts: Throughout the duration of your subscription
  • Inactive accounts: 3 years after last activity
  • Deleted accounts: 30 days for recovery, then permanent deletion

5.2. Content and Analytics Data

  • Social media content: As long as connected to your account
  • Analytics data: Up to 5 years for business insights
  • Usage logs: 12 months for security and debugging

5.3. Legal and Financial Records

  • Payment records: 7 years for tax compliance
  • Legal documentation: As required by applicable law
  • Consent records: 3 years after withdrawal

6. International Data Transfers

When we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place to protect your data.

6.1. Transfer Mechanisms

We use the following approved transfer mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries deemed to provide adequate protection
  • Binding Corporate Rules for intra-group transfers
  • Certification schemes and codes of conduct where applicable

6.2. Third Country Recipients

Your data may be transferred to:

  • United States (cloud hosting and analytics services)
  • United Kingdom (customer support and development)
  • Canada (backup and disaster recovery)

All international transfers are subject to appropriate safeguards, and your rights under GDPR remain fully protected regardless of where your data is processed.

6.3. AI Data Transfers

AI processing may involve transfers of data to the United States or other countries where our AI vendors, including OpenRouter and their sub-processors, operate. In such cases, Standard Contractual Clauses or other legally valid safeguards are applied.

7. How to Exercise Your Rights

7.1. Making a Request

To exercise your GDPR rights, you can:

  • Email us at: contact@zapic.ai
  • Use the privacy controls in your account settings
  • Contact our support team through the platform

7.2. Information Required

To process your request efficiently, please provide:

  • Your full name and email address associated with your account
  • A clear description of the right you wish to exercise
  • Any relevant details to help us locate your data
  • Proof of identity (if requested for security purposes)

7.3. Response Times

  • Standard response: Within 1 month of receiving your request
  • Complex requests: Up to 3 months (we will inform you of any delays)
  • Urgent requests: We will prioritize where legally required

7.4. Free of Charge

Exercising your GDPR rights is free of charge. However, we may charge a reasonable fee for additional copies of data or if requests are manifestly unfounded or excessive.

8. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local data protection authority.

8.1. EU/EEA Data Protection Authorities

You can contact the supervisory authority in your country of residence, workplace, or where the alleged infringement occurred.

A list of EU data protection authorities can be found at:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

8.2. Before Filing a Complaint

We encourage you to contact us first so we can try to resolve any concerns directly. Many issues can be resolved quickly through direct communication.

Your right to lodge a complaint does not affect any other administrative or judicial remedy you might have.

9. Contact Information

For any questions about GDPR compliance or to exercise your rights under GDPR, please contact us:

Zapic (services provided by self-employed professionals established in Spain)
Contact email: privacy@zapic.ai

We are committed to protecting your privacy rights and will respond to all GDPR requests promptly and in accordance with applicable law.

We are committed to ensuring your rights under GDPR are respected and protected at all times.