Privacy Policy
Last updated: June 2, 2026
1. Data Controller
Vermoon S.L. (“Vermoon”, “we”, “us”) is the data controller responsible for your personal data. Our registered office is located in Barcelona, Spain. You can contact our Data Protection Officer at privacy@vermoon.es.
2. What Data We Collect & Why
We process personal data under the legal bases outlined in GDPR Article 6. The categories of data we collect include:
- Account data: name, email address, and company name. Collected to provide and manage your account (contractual necessity, Art. 6(1)(b)). Sign-in is handled by our authentication provider, which stores your password securely. Vermoon never sees or stores your password.
- Usage data: agent executions, API calls, feature interactions, and log data. Collected to operate and improve the service (legitimate interest, Art. 6(1)(f)).
- Billing data: plan and usage-metering data (agent executions and the computed cost of the work your agents perform) used to operate your subscription. We do not currently process card payments through this platform and we do not store any card or payment-method data (contractual necessity, Art. 6(1)(b)).
- Technical data: strictly necessary cookies and session tokens used to keep you signed in and to operate the platform securely (legitimate interest, Art. 6(1)(f)). We do not store your IP address, browser type, or device information in our database, and we do not use advertising or cross-site tracking cookies. See Section 7 for the cookies we use, including analytics cookies for website-traffic measurement.
- Communications data: when you email us or use a contact form, your message is delivered to our support inbox so we can respond. We do not store these messages in the product database; they live in our email system and are kept only as long as needed to handle your inquiry. For messages sent through the web contact form, the email our team receives also includes the originating IP address, used to detect abuse.
3. How We Use Your Data
- Providing, maintaining, and improving our services
- Processing transactions and sending billing notices
- Sending service-related communications and updates
- Monitoring and analyzing usage patterns and trends
- Detecting, preventing, and addressing security issues
- Complying with legal obligations
4. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy. When you request account deletion, your account is marked for deletion and you have a 30-day grace window during which you can cancel the request. After the grace window, rows attributable to you are either permanently deleted or anonymized (the user attribution is removed so aggregate cost and capacity records can be kept). Usage and cost logs are retained for as long as your account is active and are anonymized when your account is deleted; we are working toward a defined retention limit for these logs. Where statutory accounting or tax law requires us to keep specific records, we retain the minimum data necessary for the legally mandated period and tell you which data and why. Data we obtain from connected Meta accounts (Facebook, Instagram, and Meta Ads) is retained and deleted as described in Section 11.
5. Third-Party Processors
We share your data with the following categories of service providers, all bound by data processing agreements:
- Cloud infrastructure: hosting, database, and file storage. Our production database and storage are hosted in the European Union.
- AI model providers: Anthropic, OpenAI, and Google, used only to generate the content and analysis you request. We do not use, and we ask these providers not to use, your data to train their models. These providers are based in the United States.
- Web research & data tools: some agents use third-party search, web-scraping, and business-lookup providers to gather public market or contact data. They receive only the search terms or URLs needed for the task. These providers are based in the United States.
- Email services: transactional and support communications, sent through our email provider.
- Meta Platforms (Facebook, Instagram, Meta Ads): when you connect a Meta business asset, we exchange data with Meta’s Graph API and Ads platform to perform the actions you request. See Section 11.
With your consent, we use website analytics solely to measure traffic to our site, as described in Section 7. We do not use it to build advertising profiles. Internal product usage is also recorded in our own database and is governed by the retention rules in Section 4.
6. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure: request deletion of your personal data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interest
- Right to restrict processing: limit how we use your data in certain circumstances
- Right to withdraw consent: withdraw consent for non-essential cookies at any time
To exercise the rights of access, portability, and erasure, contact us at the address below. We provide a machine-readable JSON copy of every row attributable to your user, and we schedule account deletion with a 30-day grace window during which you can cancel. For all other rights (rectification, objection to legitimate-interest processing, restriction, or withdrawal of consent), contact us at privacy@vermoon.es. We will respond within 30 days. If you have connected a Meta account, see Section 11 for the specific steps to delete Meta-derived data and revoke Vermoon’s access.
7. Cookies
We use essential cookies and local storage to operate our platform: to keep you signed in, remember your language and theme, and record your cookie-consent choice. We also use analytics cookies to measure website traffic, such as which pages are visited and how visitors reach the site, so we can improve it. These are used only for aggregate traffic measurement, not for advertising or cross-site tracking. Essential cookies cannot be disabled; you can accept or decline analytics cookies, and change your choice at any time, through the cookie consent banner.
8. International Data Transfers
Your account data and the data our agents process are stored within the European Union. Some sub-processors that help run the service are based in the United States, including the AI model providers and the web-research tools described in Section 5. Where data is transferred to them, we rely on the safeguards those providers offer, including the EU Standard Contractual Clauses where applicable. We are continuing to formalize these transfer safeguards.
9. Data Security
We rely on industry-standard security measures provided by our infrastructure providers, including encryption of data at rest and encryption in transit (HTTPS/TLS) across our hosting, database, and edge layers, plus role-based access controls. Access tokens for connected accounts are additionally encrypted at the application layer using AES-256-GCM. In the event of a personal-data breach, we will notify the relevant supervisory authority, and affected users where required, without undue delay and, where feasible, within 72 hours as required by GDPR.
10. Contact & Complaints
For any privacy-related questions or to exercise your rights, contact our Data Protection Officer at privacy@vermoon.es. You also have the right to lodge a complaint with your local data protection authority. For Spain, this is the Agencia Española de Protección de Datos (aepd.es).
11. Meta Platform Data (Facebook, Instagram & Meta Ads)
When you choose to connect a Meta business asset (a Facebook Page, an Instagram Business account, or a Meta ad account) to Vermoon, our agents act on your behalf through the Meta Graph API and the Meta Ads SDK. This section explains the Meta data we obtain, why, how long we keep it, and how you remove it. The data described here is “Platform Data” obtained from Meta and is processed only as described below.
How the connection is made
You authorize Vermoon through Meta’s OAuth flow. We never see or store your Meta password. After you authorize, Meta returns an access token, which we exchange for a long-lived token (valid up to 60 days). We store this token encrypted at rest using AES-256-GCM, scoped to your account, and we record only the specific permissions you granted. Each connected agent is limited to the connections and actions you have explicitly approved.
Meta data we receive and why
- Account and asset identifiers: your public profile, email, the list of Facebook Pages you manage, Page IDs, and linked Instagram Business account IDs. Used to let you select which Page or account an agent should act on.
- Ad account data: ad account ID, campaign, ad set, ad and creative IDs, targeting parameters (audience, budget, objective, dates), and performance metrics (impressions, clicks, conversions, spend, CTR, CPA, and ROAS). Used to create and manage the advertising campaigns you instruct us to run. Campaigns we create stay paused by default until you choose to activate them.
- Content and publishing data: post captions, hashtags, mentions, image URLs, published post and media IDs, and post permalinks. Used to draft, schedule, and publish content you approve. Publishing always requires your prior approval of each post before it is sent to Meta.
- Engagement and insights data: impressions, reach, likes, comments, shares, saves, video views, and engagement rates for posts published through Vermoon. Used to report on the performance of your content. We may refresh these metrics periodically for up to 90 days after a post is published.
Permissions we request
Depending on the features you enable, we request only the Meta permissions needed to perform them, which may include: public_profile, email, pages_show_list, pages_read_engagement, pages_manage_posts, instagram_basic, instagram_content_publish, business_management, and ads_management. We request no permission whose data use is not described in this policy.
How Meta data is shared
Meta-derived data is processed within Vermoon and by the same infrastructure and AI sub-processors listed in Section 5 (EU-region cloud hosting and database; AI model providers strictly for generating the content or analysis you request, never to train their models). We do not sell Meta data and we do not use it for advertising of our own.
Retention of Meta data
We retain Meta access tokens only while your connection is active and they have not expired or been revoked; revoked or expired tokens are deleted. Post metadata and engagement insights are retained for the reporting period described in Section 4 and may be refreshed for up to 90 days after publication. When you disconnect a Meta asset or delete your Vermoon account, the associated Meta-derived data is deleted as described below.
How to delete your Meta data or revoke access
You can remove the Meta data we hold about you at any time, by any of the following:
- In Vermoon: open Settings and disconnect the relevant Meta connection. This deletes the stored access token and the Meta-derived data tied to that connection.
- In Meta: go to your Facebook or Instagram account, open Settings → Apps and Websites, and remove Vermoon. Because the Meta Graph API does not provide an app-side token-revocation endpoint, removing the app from your Meta settings is the way to revoke our access from Meta’s side. When you remove the app, we delete the Meta-derived data we hold for you.
- By contacting us: email privacy@vermoon.es and we will delete the Meta data we hold about you and confirm completion. We respond within 30 days.
Deleting your Vermoon account (see Section 4) also deletes all connected Meta data after the stated grace window.
Relationship to Meta’s terms
This policy describes how Vermoon processes Meta Platform Data. It does not replace, modify, or conflict with Meta’s Platform Terms, Developer Policies, or any other Meta terms governing Platform Data, which continue to apply to your use of Meta’s services.